TurboPGP Open PGP Command-line Tool Software Manual

1 TurboPGP overview

TurboPGP is a command-line tool that performs cryptographic operations on files or text messages together with the related key management tasks. It is based on the OpenPGP standard (RFC 4880) and runs on Windows, Linux, and macOS. It can perform the following actions:

2 Installation

2.1 Installation on Linux

TurboPGP keeps its application data, such as keyring files, in a dedicated directory. On any UNIX system this is the .tbpgp folder under the path given by the $HOME environment variable. Because the keyrings hold secret keys, that folder should be readable only by the owning user. Verify the downloaded package's checksum or signature against the value published by the vendor before installing it. Linux installation comes in two types:

  1. Installation on RPM-based Linux distributions (CentOS, Red Hat, Fedora, etc.)

     On the command line, enter:

sudo rpm -i tbpgp-1.22.1032-1.x86_64.rpm

  2. Installation on non-RPM-based Linux distributions (Ubuntu, Debian, etc.)

     Install the Debian package directly with dpkg; no conversion from the RPM package is needed:

sudo dpkg -i tbpgp-1.22.1032-1.x86_64.deb

2.2 Installation on Microsoft Windows

To install on Windows, double-click the downloaded installer file to begin the installation. Administrator privileges are required to install.

3 Command line interface

3.1 Overview

The TurboPGP command line tool takes its parameters in the standard UNIX style. Long-form commands are written with two hyphens (--) followed by the command name, e.g. “tbpgp --encrypt”. Short-form commands use one hyphen and the single-letter equivalent of the command name, e.g. “tbpgp -e”.

Every correct and successful command returns a suitable response, while an incorrect command returns an error message.

3.2 Command and options

Each command line statement must contain exactly one valid command, optionally combined with one or more options.

  1. A command takes zero, one, or two mandatory arguments. For example, the --encrypt command must be followed by the path of the file to be encrypted. The only command that requires two arguments is --verify when verifying a detached signature: first the detached signature (.sig file), then the original file.

  2. A non-command option takes zero or one argument. For example, the --output (-o) option takes an output file path explicitly specified by the user.

A single space separates an option from its argument; additional spaces between flags and arguments are ignored. An argument that contains spaces (e.g., a file path) must be enclosed in double quotation marks. For example:

Options can be specified in any order and have short or long forms. For example, both statements below are valid and create a detached signature of the given file.

tbpgp --sign ... --signer

tbpgp --signer --sign ...

3.3 Specify a key

For encryption, signing, and certain key management operations, a key in the public or secret keyring must be specified. A key is identified by its Key ID, the low-order 64 bits of the key’s fingerprint. TurboPGP also accepts the short form of the Key ID, which is the low-order 32 bits (4 octets) of the 64-bit Key ID. A 32-bit short Key ID is not unique: keys whose Key IDs share the same low-order 32 bits are cheap to generate, so whenever a colliding key might be present in the keyring, use the full 64-bit Key ID and confirm the key’s fingerprint with its owner out of band.

For example, the following command uses the 4-octet form of key ID to reference the key to be exported:

4 Key management

TurboPGP maintains its key database in the form of keyrings. The public and secret keyrings reside in the .tbpgp folder under the user’s home directory.

This section describes the steps you need to take to get up and running with TurboPGP.

4.1 Generate a key pair

Although OpenPGP ultimately uses a symmetric cipher to encrypt the message or data, the cipher’s session key is protected with public-key cryptography, which operates on an OpenPGP key pair. Digital signing uses the signer’s secret key, and signature verification uses the signer’s public key. To use TurboPGP, make sure there is at least one public or secret key in its keyrings. TurboPGP provides a key generator to create an OpenPGP key pair.

A key pair contains a public key and a secret key. The public key algorithms below are currently supported.

To generate a new key pair, use the --gen-keys command. By default, a 2048-bit RSA key is generated. 2048 bits is the smallest RSA size generally considered acceptable today; for a key expected to stay in use for many years, choose 3072 or 4096 bits with the size options below.

  1. Command syntax:

tbpgp --gen-keys "{username} <{user_email}>"

where

"{username} <{user_email}>" is the User ID enclosed in double quotation marks. The User ID argument is in RFC 2822 name-addr string format, specifying the user’s name and email address.

  1. Optional argument --key-type or -t

This option specifies the public-key algorithm of the key. It can be one of the following strings:

  1. Optional argument --enc-bits or -b

This option specifies the key size of the encryption key. OpenPGP encryption services are provided by subkeys. The TurboPGP key generator creates one subkey for encryption, so the number of bits given here is the key size of the encryption subkey.

  1. Optional argument --signing-bits or -B

This option specifies the key size of the signing key. By convention, OpenPGP signature services are provided by the top-level key (the master key), so the number of bits given here is the key size of the top-level key.

Example:

  1. Optional argument --cipher

This option specifies the preferred symmetric cipher to use when encrypting literal data. Valid values are:

blowfish, aes-128, aes-192, aes-256, twofish

Blowfish has a 64-bit block size, which makes it a poor choice for large messages; prefer one of the AES variants unless compatibility with an older recipient requires otherwise.

  1. Optional argument --hash

This option specifies the preferred hash algorithm to use. Where the choice is available, prefer a SHA-2 hash such as SHA-256; MD5 and SHA-1 are no longer collision resistant and should not be used for new signatures.

4.2 List public keys in the keyring

To list the keys in a public keyring, use the --list-keys or -l command.

  1. Command syntax:

tbpgp --list-keys

  1. Example:

pub RSA 2048 8724C498 2021-11-17

uid alice (alice) <alice@example.com>

sub RSA 2048 7FEF36A5 2021-11-17

pub RSA 2048 F344C947 2021-11-17

uid charlie (main) <charlie@example.com>

sub RSA 2048 4D34D33F 2021-11-17

Two keys are listed in the example above. In the first key section, the pub line shows the master key: a 2048-bit RSA public key, 8724C498 is the short-form Key ID, and 2021-11-17 is the key’s creation date. The uid line shows the key’s User ID, and the sub line shows a subkey (the encryption subkey created by the key generator) with its own Key ID and creation date.
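The listing above is exactly what a script has to parse in order to choose a key safely. The Python below, added here as an example and not part of TurboPGP, parses `--list-keys` output into records, resolves a key specification given as a short or long Key ID or as an email address (section 3.3), and refuses to pick a key when a short ID matches more than one entry. The listing it parses is constructed for the example; the third key is invented to show the collision case.

```python
"""Parse `tbpgp --list-keys` output and resolve a key specification to one key.

Added example, not part of TurboPGP.  The pub/uid/sub line format follows the
manual's listing; the sample below is constructed for this example and adds a
third key whose short Key ID deliberately equals alice's, to show why a 32-bit
short ID is not a safe selector on its own.
"""
import re
from dataclasses import dataclass, field
from typing import List

SAMPLE_LISTING = """\
pub RSA 2048 8724C498 2021-11-17
uid alice (alice) <alice@example.com>
sub RSA 2048 7FEF36A5 2021-11-17
pub RSA 2048 F344C947 2021-11-17
uid charlie (main) <charlie@example.com>
sub RSA 2048 4D34D33F 2021-11-17
pub RSA 2048 8724C498 2023-05-01
uid mallory <mallory@example.net>
sub RSA 2048 0BADC0DE 2023-05-01
"""

KEY_LINE = re.compile(r"^(pub|sub)\s+(\S+)\s+(\d+)\s+([0-9A-Fa-f]{8,16})\s+(\d{4}-\d{2}-\d{2})$")
EMAIL_IN_UID = re.compile(r"<([^<>]+)>\s*$")
KEY_ID_SPEC = re.compile(r"(?:0x)?([0-9A-Fa-f]{8}|[0-9A-Fa-f]{16})", re.IGNORECASE)


@dataclass
class Key:
    algo: str
    bits: int
    key_id: str                                   # master Key ID as listed, upper-case hex
    created: str
    uids: List[str] = field(default_factory=list)
    subkeys: List[str] = field(default_factory=list)  # subkey Key IDs

    @property
    def emails(self) -> List[str]:
        found = []
        for uid in self.uids:
            m = EMAIL_IN_UID.search(uid)
            if m:
                found.append(m.group(1).lower())
        return found


def parse_listing(text: str) -> List[Key]:
    keys: List[Key] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("uid "):
            if not keys:
                raise ValueError(f"line {lineno}: uid before any pub line")
            keys[-1].uids.append(line[4:].strip())
            continue
        m = KEY_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised listing line {line!r}")
        kind, algo, bits, key_id, created = m.groups()
        if kind == "pub":
            keys.append(Key(algo, int(bits), key_id.upper(), created))
        elif keys:
            keys[-1].subkeys.append(key_id.upper())
        else:
            raise ValueError(f"line {lineno}: sub before any pub line")
    return keys


class KeyLookupError(LookupError):
    pass


def find_keys(keys: List[Key], spec: str) -> List[Key]:
    """Every key matching `spec`: a Key ID (8 or 16 hex digits, optional 0x
    prefix; compared on the low-order digits both sides have) or an email.
    Key IDs are matched against the master key and its subkeys, because the
    ID a sender is given is usually the encryption subkey's."""
    m = KEY_ID_SPEC.fullmatch(spec.strip())
    if m:
        wanted = m.group(1).upper()

        def same_id(listed: str) -> bool:
            n = min(len(listed), len(wanted))
            return listed[-n:] == wanted[-n:]

        return [k for k in keys if same_id(k.key_id) or any(same_id(s) for s in k.subkeys)]
    email = spec.strip().lower()
    return [k for k in keys if email in k.emails]


def resolve_key(keys: List[Key], spec: str) -> Key:
    """Resolve `spec` to exactly one key; refuse when it is ambiguous."""
    matches = find_keys(keys, spec)
    if not matches:
        raise KeyLookupError(f"no key matches {spec!r}")
    if len(matches) > 1:
        names = ", ".join(f"{k.key_id} {k.uids[0] if k.uids else ''}".strip() for k in matches)
        raise KeyLookupError(f"{spec!r} matches {len(matches)} keys ({names}); use a longer ID")
    return matches[0]
```

Resolving by the encryption subkey's ID (7FEF36A5) picks alice's key unambiguously, while the master short ID 8724C498 is refused because the constructed third key shares it; an email address selects by User ID instead.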

4.3 List secret keys in the keyring

To list the keys on a secret keyring, use the --list-secret-keys or -L command.

  1. Command syntax:

tbpgp --list-secret-keys

  1. Example:

load_keychain: 2 keys loaded from secret key chain

load_keychain: 2 keys loaded from public key chain

secret keyring: /root/.tbpgp/secring.tpg

sec RSA 2048 8724C498 2022-11-17

uid alice (main) <alice@example.com>

sub RSA 2048 7FEF36A5 2022-11-17

sec RSA 2048 F344C947 2022-11-17

uid charlie (charlie) <charlie@example.com>

sub RSA 2048 4D34D33F 2022-11-17

4.4 Export a public key

Users can export their public key to send to other users who want to exchange data securely.

  1. Command syntax

tbpgp --export <keyID> -o <outputFile>

where:

<keyID> KeyID of the public key to be exported.

<outputFile> is the name of the output public key file.

  1. Optional argument --armor

Create the key file in ASCII armored text format.

  1. Example:

4.5 Import a public or secret key

Another user’s public key can be added to your public keyring with the --import command. The key file can be in binary or ASCII-armored format.

  1. Command syntax:

tbpgp --import <filename>

where:

<filename> the path of the key file to be imported.

If it is successful, you will see output like the text below.

pgp_key_load: no ascii file, retry as binary...

key id ************ added to public keychain

Similarly, the same command adds a secret key to the secret keyring. Note that importing a public key only places it in the keyring; it does not establish that the key belongs to the person named in its User ID. Confirm the key’s fingerprint with its owner over an independent channel before encrypting to it or relying on its signatures.

4.6 Delete a public or secret Key

Public and secret keys can be deleted from their keyrings with the --delete-key command.

  1. Command syntax:

tbpgp --delete-key <keyID>

tbpgp --delete-key <wildcard>

where:

<keyID> the Key ID of the public key and secret key to be removed from the keyrings.

  1. Delete multiple public or secret keys

If the supplied argument is a wildcard pattern, it is matched against the email address in every key’s User ID, and both the public and secret keys of each matching key are deleted. Accepted wildcards are the asterisk (*), which represents one or more characters, and the question mark (?), which represents exactly one character. Because the secret keys are removed as well and cannot be recovered, list the keys first (section 4.2) and check that the pattern matches only the intended ones.

  1. Example:

(Remove a key with a Key ID matching a short form Key ID “8724C498”.)

(Remove all keys with a User ID with an email address matching “@test.com”.)
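Since a wildcard deletion removes secret keys too, it is worth previewing the match set before running it. The Python below, an added example rather than TurboPGP code, implements the wildcard semantics described above (* for one or more characters, ? for exactly one) against a constructed list of keyring email addresses, and shows that a pattern written as @test.com without a wildcard matches nothing, while *@test.com matches only addresses that end in that domain.

```python
"""Preview which keys a `tbpgp --delete-key <wildcard>` pattern would remove.

Added example, not TurboPGP code.  It implements the wildcard semantics the
manual describes: `*` stands for one or more characters, `?` for exactly one,
and the pattern is matched against each key's email address.  The keyring
contents below are constructed for the example.
"""
import re
from typing import Dict, List

# Constructed sample: email address -> short Key ID, as --list-keys would show them.
SAMPLE_KEYS: Dict[str, str] = {
    "alice@example.com": "8724C498",
    "charlie@example.com": "F344C947",
    "bob@test.com": "1A2B3C4D",
    "eve@test.com": "5E6F7A8B",
    "bob@nottest.com": "9C0D1E2F",
    "bob@test.com.attacker.example": "3F4E5D6C",
}


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate the manual's wildcard syntax into an anchored regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".+")       # one or more characters, per the manual
        elif ch == "?":
            parts.append(".")        # exactly one character
        else:
            parts.append(re.escape(ch))
    # Anchored at both ends so "@test.com" cannot match "bob@test.com.attacker.example";
    # case-insensitive because keyring tools do not distinguish email case in practice.
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def is_wildcard(arg: str) -> bool:
    return "*" in arg or "?" in arg


def matching_emails(keys: Dict[str, str], pattern: str) -> List[str]:
    """Addresses whose keys (public and secret) the pattern would delete."""
    rx = wildcard_to_regex(pattern)
    return sorted(email for email in keys if rx.match(email))


def plan_delete(keys: Dict[str, str], arg: str) -> List[str]:
    """Dry run of --delete-key: the Key IDs that would be removed.

    A plain Key ID selects by ID; a wildcard selects by email.  Patterns that
    select every key in the keyring are refused, since the secret keys go too.
    """
    if not is_wildcard(arg):
        return [kid for kid in keys.values() if kid.upper() == arg.upper()]
    victims = matching_emails(keys, arg)
    if len(victims) == len(keys):
        raise ValueError(f"pattern {arg!r} matches every key in the keyring; refusing")
    return [keys[email] for email in victims]
```

Run plan_delete with the intended pattern first and compare its output with the keyring listing; only then issue the real --delete-key command.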

4.7 Change the passphrase of a secret key

The passphrase of a secret key can be changed with the --change-pass command. To complete the operation, you will be prompted to enter the old and new passphrases.

  1. Command syntax:

tbpgp --change-pass <keyID>

where:

<keyID> the Key ID of the secret key to be encrypted with a different passphrase.

  1. Example:


5 Cryptographic operations

The TurboPGP command line tool supports the following cryptographic operations:

  1. Encryption: Encryption converts sensitive data into a form that only an authorized party can decode and restore. In OpenPGP, the data is encrypted with a symmetric cipher under a randomly generated key, the session key, which is in turn encrypted with the recipient’s public key. Only the holder of the corresponding secret key can recover the session key and thus decrypt the data.

  2. Decryption: Decryption reverses the encryption process by recovering the session key used to encrypt the data. OpenPGP therefore requires the secret key of the recipient’s key pair to decrypt an encrypted file.

  3. Signature generation: A digital signature endorses and timestamps a file. It is computed over a hash of the file using the signer’s secret key and a signing algorithm. Because the hash is one-way, the file cannot be recovered from the signature. Digital signatures provide origin authentication and an integrity check for messages and files.

  4. Signature verification: Signature verification validates the authenticity and integrity of a signed file or document. The same hash function and the signer’s public key are used to verify the signature.

5.1 Encryption

For encryption, the command --encrypt or -e is used. The recipient’s Key ID is specified with --recipient or -r, and the output file is specified with the --output or -o option.

  1. Basic syntax:

tbpgp --encrypt <inputFile> --recipient <keyID> -o <outputFile>

where:

<inputFile> is the name of the file to be encrypted.

<keyID> Key ID of the recipient’s public key used to encrypt the file; only the matching secret key can decrypt it.

<outputFile> is the name of the encrypted output file.

  1. Example:

  1. Optional argument --compress-algo

The compression algorithm can be specified with --compress-algo.

TurboPGP supports all the compression algorithms specified in OpenPGP: ZIP, zlib, and BZIP2. By default, zlib is used. To select one, pass --compress-algo with the argument zip, zlib, or bz2 on the command line.

  1. Optional argument --compress-level

The valid range of the compression level is 0-9, inclusive; level 0 means no compression. Compression is applied before encryption, so the size of the ciphertext reflects how compressible the plaintext was. Where that size leak matters, use level 0.

5.2 Decryption

To decrypt a document, use the command --decrypt or -d. The output file can be specified with the -o option. The same command also extracts the original file from a signed file (one whose signature is attached to the data) while verifying its signature.

  1. Basic syntax:

tbpgp --decrypt <inputFile> -o <outputFile>

where:

<inputFile> is the name of the file to be decrypted.

<outputFile> is the name of output decrypted file.

  1. Example:

5.3 Signature generation

Use the command --sign or -s to sign a file. The Key ID of the signer is specified with --signer, and the output file is optionally specified with the --output or -o option. Without --output, the signed file is created as <inputFile>.pgp and a detached signature as <inputFile>.sig.

  1. Basic syntax:

tbpgp --sign <inputFile> --signer <keyID> -o <signedFile>

tbpgp --sign <inputFile> --signer <keyID> -o <detachedSignature> --detached

where:

<inputFile> the path of the file to be signed.

<keyID> Key ID of the secret key used to sign the file digitally.

<signedFile> the path of the signed file, which combines the clear text of the original file and its signature.

--detached signifies that a detached signature is to be created instead of a signed file.

  1. Example:

5.4 Signature verification

Use the command --verify or -v to verify a signed document. If the original data is attached to the signature (a signed file), only that file needs to be given on the command line. For a detached signature, both the detached signature and the original file must be provided, in that order.

  1. Basic syntax:

tbpgp --verify <detachedSignature> <originalFile>

tbpgp --verify <signedFile>

where:

<detachedSignature> the detached signature file, created separately from the original file.

<signedFile> the file that combines the clear text with its signature.

<originalFile> the original file whose detached signature is to be verified.

  1. Example:
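To check what an --encrypt or --sign run actually produced, for example which Key ID an encrypted file is addressed to or whether a .sig really is a detached signature, the packet structure of the output file can be read directly. The Python below is an added example, not TurboPGP code. It implements the packet framing of RFC 4880 section 4.2 (old- and new-format headers, including partial body lengths); the sample packet streams inside it are hand-built for the example, with Key IDs whose low-order 32 bits match the short IDs shown in the section 4.2 listing, and are not files produced by tbpgp.

```python
"""Inspect a binary file written by `tbpgp --encrypt` or `tbpgp --sign`.

Added example, not part of TurboPGP.  It walks the OpenPGP packet framing of
RFC 4880 section 4.2 and reports what a .pgp or .sig file holds: the Key ID an
encrypted file is addressed to, whether a .sig is a bare detached signature,
and whether encrypted data lacks integrity protection.  The sample packet
streams at the bottom are hand-built for the example, not tbpgp output.
"""
from typing import List, Tuple

TAG_NAMES = {1: "public-key encrypted session key", 2: "signature",
             3: "symmetric-key encrypted session key", 4: "one-pass signature",
             8: "compressed data", 9: "symmetrically encrypted data",
             11: "literal data", 18: "integrity-protected encrypted data"}
PK_ALGOS = {1: "RSA", 16: "Elgamal", 17: "DSA", 18: "ECDH", 19: "ECDSA"}


def _take(data: bytes, pos: int, n: int) -> Tuple[bytes, int]:
    if pos + n > len(data):
        raise ValueError(f"truncated packet stream at offset {pos}")
    return data[pos:pos + n], pos + n


def _new_length(data: bytes, pos: int) -> Tuple[int, int, bool]:
    """New-format body length: (length, offset after it, is_partial)."""
    (o,), pos = _take(data, pos, 1)
    if o < 192:
        return o, pos, False
    if o < 224:
        (o2,), pos = _take(data, pos, 1)
        return ((o - 192) << 8) + o2 + 192, pos, False
    if o == 255:
        raw, pos = _take(data, pos, 4)
        return int.from_bytes(raw, "big"), pos, False
    return 1 << (o & 0x1F), pos, True          # partial body length


def parse_packets(data: bytes) -> List[Tuple[int, bytes]]:
    """Split a packet stream into (tag, body) pairs."""
    packets: List[Tuple[int, bytes]] = []
    pos = 0
    while pos < len(data):
        hdr, pos = data[pos], pos + 1
        if not hdr & 0x80:
            raise ValueError(f"offset {pos - 1}: 0x{hdr:02x} is not a packet header")
        body = b""
        if hdr & 0x40:                          # new format: tag in the low 6 bits
            tag, partial = hdr & 0x3F, True
            while partial:                      # partial lengths chain until a final one
                length, pos, partial = _new_length(data, pos)
                chunk, pos = _take(data, pos, length)
                body += chunk
        else:                                   # old format: tag in bits 2-5
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:                      # indeterminate: body runs to end of input
                length = len(data) - pos
            else:
                raw, pos = _take(data, pos, (1, 2, 4)[ltype])
                length = int.from_bytes(raw, "big")
            body, pos = _take(data, pos, length)
        packets.append((tag, body))
    return packets


def recipient_key_ids(packets) -> List[str]:
    """Key IDs named by the session-key packets; all zeros means an anonymous recipient."""
    return [body[1:9].hex().upper() for tag, body in packets if tag == 1 and len(body) >= 10]


def describe(packets) -> List[str]:
    """One line per packet with the security-relevant fields decoded."""
    lines = []
    for tag, body in packets:
        name = TAG_NAMES.get(tag, f"unknown packet tag {tag}")
        if tag == 1 and len(body) >= 10:
            kid = body[1:9].hex().upper()
            who = "anonymous recipient" if kid == "0" * 16 else f"Key ID {kid} (short {kid[-8:]})"
            name += f": v{body[0]}, {PK_ALGOS.get(body[9], 'algo ' + str(body[9]))}, {who}"
        elif tag == 2 and len(body) >= 4 and body[0] == 4:
            name += f": v4, type 0x{body[1]:02x}, {PK_ALGOS.get(body[2], '?')}, hash algo {body[3]}"
        elif tag == 9:                          # legacy packet without MDC: no integrity check
            name += ": WARNING no MDC, ciphertext is malleable"
        lines.append(name)
    return lines


def is_detached_signature(packets) -> bool:
    """A .sig made with --detached holds only signature packets."""
    return bool(packets) and all(tag == 2 for tag, _ in packets)


# Constructed samples.  The recipient Key ID ends in 7FEF36A5 (the manual's example
# encryption subkey); the one-pass signature names 8724C498 (its master key).
ENCRYPTED_SAMPLE = bytes.fromhex(
    "84 0E 03 11 22 33 44 7F EF 36 A5 01 00 10 FF FF "   # old-format PKESK, RSA, toy MPI
    "D2 03 01 AA BB")                                    # new-format SEIPD (tag 18)
DETACHED_SIG_SAMPLE = bytes.fromhex(
    "C2 0D 04 00 01 08 00 00 00 00 12 34 00 08 FF")      # v4 signature, RSA, SHA-256 (8)
SIGNED_FILE_SAMPLE = bytes.fromhex(
    "C4 0D 03 00 08 01 11 22 33 44 87 24 C4 98 01 "      # one-pass signature
    "CB E0 62 07 00 00 00 00 00 68 69 ") + DETACHED_SIG_SAMPLE   # literal "hi", partial lengths
```

The literal-data sample uses a partial body length (0xE0, one byte, then a final 7-byte chunk) on purpose, since real tools emit those for streamed data and a parser that ignores them misreads everything that follows.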
