
GPG keypair commands

This section covers the SMCTL commands for managing GPG keypairs and keyrings, such as listing GPG keypairs, generating a GPG keypair, and downloading a GPG keyring. Use flags to specify command parameters.

Commands

To view GPG commands, run:

smctl gpg --help

or

smctl gpg -h

Subcommands

GPG commands begin with:

smctl gpg <subcommand>
Table 1. Subcommands for managing GPG keypairs

Shortcut  Subcommand  Description
kp        keypair     Manage GPG keypairs.
kr        keyring     Manage GPG keyrings.
-h        --help      Help for GPG commands.

Manage GPG keypairs

GPG keypair commands begin with:

smctl gpg keypair <subcommand>

or

smctl gpg kp <subcommand>

Subcommands

Table 2. Subcommands for managing a GPG keypair

Shortcut     Subcommand     Description
del          delete         Delete GPG keypairs.
desc         describe       Describe a GPG keypair.
gen          generate       Generate a GPG master key or subkey.
ls           list           List GPG keypairs.
offline      suspend        Set keypair status to offline.
online       unsuspend      Set keypair status to online.
edit         update         Update a GPG keypair.
edit-access  update-access  Update access to a GPG keypair.
edit-uids    update-uids    Update user IDs of a GPG keypair.
-h           --help         Help for GPG keypair subcommands.

Delete GPG keypair

Delete GPG keypair commands begin with:

smctl gpg keypair delete <gpg keypair alias or ID>

or

smctl gpg kp del <gpg keypair alias or ID>

Example 1:

Description: Delete keypair referred to by the GPG keypair alias.

Command:

smctl gpg keypair delete <keypair alias>

Command sample:

smctl gpg keypair delete my-gpg-keypair

Example 2:

Description: Delete keypair referred to by the GPG keypair ID.

Command:

smctl gpg keypair delete <keypair ID>

Command sample:

smctl gpg keypair delete aae21e7d-31e9-4cc0-89fa-63b323a64a56

Describe GPG keypair

Describe GPG keypair commands begin with:

smctl gpg keypair describe <gpg keypair alias or ID>

or

smctl gpg kp desc <gpg keypair alias or ID>

Output sample:

GPG keypair ID: 3cf3f4d1-005c-464f-be84-909d87d0ff
GPG keypair alias: gpg-subkey
GPG type: Subkey
Fingerprint: 02B6E92EF6C54EB6D9B8B5EFC4EF32B364FA2485
Key algorithm: ECDSA - P256
Keypair status: ONLINE
Keypair category: PRODUCTION
Key storage: HSM
GPG Public key:
        -----BEGIN PGP MESSAGE-----
        Version: BCPG v1.70
        [armored public key block omitted]
        -----END PGP MESSAGE-----

Users:
        7931a0e9-969a-486f-9e98-71e7f55c2957    Rosemary Thomas
Groups: []
Restricted to team: -
GPG master key ID: 0f2d963d-ebf4-1ca3-7aa2-98dd72fc1db8
Can sign: Yes
Keygrip: FF40107969B86E5A2993DC57HCE5AB9E0A414436
UserIDs:
        UID1 () john.doe@example.com
        UID2 () jane.doe@example.com

HSM Partition ID: 62648FB1BE6DBD91D96D2CC6CDA2A9D9
HSM Partition Name: Primary SoftHSM Partition
HSM Provider: SoftHSM
HSM Security Level: level_1

Example 1:

Description: Describe the GPG keypair referred to by the GPG keypair alias.

Command:

smctl gpg keypair describe <keypair alias>

Command sample:

smctl gpg kp desc gpg-subkey

Example 2:

Description: Describe the GPG keypair referred to by the GPG keypair ID.

Command:

smctl gpg keypair describe <keypair ID>

Command sample:

smctl gpg keypair desc 3cf3f4d1-005c-464f-be84-909d87d0ff77
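The describe output shown above is the natural place to check a keypair's state before a signing job uses it. The shell function below is an added example, not part of the SMCTL documentation: it parses that output (a constructed, condensed copy of the sample is embedded so it runs offline) and refuses to proceed when the keypair is suspended (status OFFLINE), is not allowed to sign, or is a PRODUCTION keypair kept on DISK rather than in the HSM. The last rule is an assumed local policy, not an SMCTL requirement.

```shell
#!/bin/sh
# Added example, not part of the SMCTL documentation: gate a signing step on
# what "smctl gpg keypair describe" reports. Field labels match this page's
# output sample; the sample text below is constructed and condensed.

SAMPLE_DESCRIBE='GPG keypair ID: 3cf3f4d1-005c-464f-be84-909d87d0ff
GPG keypair alias: gpg-subkey
GPG type: Subkey
Key algorithm: ECDSA - P256
Keypair status: ONLINE
Keypair category: PRODUCTION
Key storage: HSM
Can sign: Yes'

# field <describe output> <label>: value printed after "<label>: " (first match).
field() {
  printf '%s\n' "$1" | sed -n "s/^$2: *//p" | head -n 1
}

# keypair_usable <describe output>: return 0 if the keypair may be used to
# sign, otherwise print the reason to stderr and return 1. Rules: status must
# be ONLINE (a suspended keypair cannot sign until brought back online),
# "Can sign" must be Yes, and, as an assumed local policy, a PRODUCTION
# keypair must be stored in the HSM rather than on DISK.
keypair_usable() {
  out=$1
  status=$(field "$out" "Keypair status")
  cansign=$(field "$out" "Can sign")
  category=$(field "$out" "Keypair category")
  storage=$(field "$out" "Key storage")
  if [ "$status" != "ONLINE" ]; then
    echo "refuse: keypair status is '${status:-unknown}', not ONLINE" >&2
    return 1
  fi
  if [ "$cansign" != "Yes" ]; then
    echo "refuse: keypair is not allowed to sign" >&2
    return 1
  fi
  if [ "$category" = "PRODUCTION" ] && [ "$storage" != "HSM" ]; then
    echo "refuse: PRODUCTION keypair stored on '${storage:-unknown}', not HSM" >&2
    return 1
  fi
  return 0
}

# Live use: replace the sample with the real command output, e.g.
#   keypair_usable "$(smctl gpg keypair describe gpg-subkey)" && <signing step>
keypair_usable "$SAMPLE_DESCRIBE" && echo "gpg-subkey: OK to sign"
```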

Generate GPG keypair

Generate GPG keypair commands begin with:

smctl gpg keypair generate

or

smctl gpg kp gen

Flags

Table 3. Flags for generating a GPG keypair

Shortcut  Flag                            Description
          --can-sign string               Can-sign attribute (default "YES").
          --curve string                  ECDSA curve name (default "P-256").
          --gpg-key-type string           GPG key type: MASTER|SUB (default "SUB").
          --groups string                 Assign the keypair to a group by specifying the group ID.
          --hsm-partition-id string       Provide the HSM partition ID to specify which HSM the keypair is stored on.
          --key-alg string                Key algorithm: RSA|ECDSA|EdDSA (default "RSA").
          --key-size int                  RSA key size in bits (default 3072).
          --key-status string             Keypair mode: ONLINE|OFFLINE (default "ONLINE").
          --key-storage string            Keypair storage: DISK|HSM (default "DISK").
          --key-type string               Key type: PRODUCTION|TEST (default "PRODUCTION").
          --master-gpg-keypair-id string  Master GPG keypair ID.
          --restricted                    Specify "true" to restrict access or "false" to allow all users on this account access to the keypair (default is true).
          --team-id                       Assign the keypair to a team by specifying the team ID.
          --uids stringArray              Add GPG master key UID(s). Format:
                                          --uids "name=<user_name>,comment=<comment>,email=<user_email_id>"
          --account-id string             Account ID for the user. Format:
                                          --account-id="<value>"
          --users string                  Assign the keypair to specific users by specifying their user IDs.
-h        --help                          Help for keypair generation.

Examples

Description: Generate a GPG master key.

Command:

smctl gpg keypair generate <master key alias> --key-alg "<algorithm>" --key-size <RSA key size>|--curve "<ECDSA curve name>" --can-sign "<YES or NO>" --gpg-key-type "MASTER" --uids "name=<name>,email=<email>" "name=<name>,email=<email>"

Command sample:

smctl gpg keypair generate smctl_gpg_master --key-alg "ECDSA" --curve "P256" --can-sign "YES" --gpg-key-type "MASTER" --uids "name=useridsmctl1,email=name@digicert.com name=useridsmctl2,email=name@digicert.com"

Description: Generate a GPG subkey.

Command:

smctl gpg keypair generate <subkey alias> --can-sign "<YES or NO>" --gpg-key-type "SUB" --key-alg "<algorithm>" --key-size <RSA key size in bits> | --curve "<ECDSA curve name>" --key-type "<TEST or PRODUCTION>" --master-gpg-keypair-id "<keypair id for gpg master key>"

Command sample:

smctl gpg keypair generate gpg_smctl_sub1 --can-sign "YES" --gpg-key-type "SUB" --key-alg "RSA" --key-size 3072 --key-type "TEST" --master-gpg-keypair-id "34d08346-7560-48d7-a5db-f6570e704857"

List GPG keypairs

List GPG keypair commands begin with:

smctl gpg keypair list

or

smctl gpg kp ls

Flags

Table 4. Flags for listing GPG keypairs

Shortcut  Flag                     Description
-f        --filter stringToString  Supported fields: alias, key_alg, key_size, curve, and key_status. The default is []. Format:
                                   --filter="<value>"
          --page int               Page number. Default is -1, which displays all pages.
          --size int               Page size. Default is 100.
          --account-id string      Account ID for the user. Format:
                                   --account-id="<value>"
-h        --help                   Help for listing keypairs.

Example

Description: List all GPG public keys.

Command:

smctl gpg kp list <file path to keyring>

Command sample:

smctl gpg kp list /Users/Name/.gnupg/pubring.gpg

Suspend GPG keypair

The suspend GPG keypair command switches the keypair to offline mode.

Note

Offline keypairs cannot be used to sign unless brought online.

Suspend GPG keypair commands begin with:

smctl gpg keypair suspend <gpg keypair alias or ID>

or

smctl gpg kp offline <gpg keypair alias or ID>

Example 1:

Description: Switch the keypair referred to using the GPG keypair alias to offline mode.

Command:

smctl gpg keypair suspend <gpg keypair alias>

Command sample:

smctl gpg keypair suspend my-gpg-key

Example 2:

Description: Switch the keypair referred to using the GPG keypair ID to offline mode.

Command:

smctl gpg keypair suspend <gpg keypair ID>

Command sample:

smctl gpg keypair suspend aae21e7d-31e9-4cc0-89fa-63b323a64a56

Unsuspend GPG keypair

The unsuspend GPG keypair command switches the keypair to online mode.

Note

Offline keypairs cannot be used to sign unless brought online.

Unsuspend GPG keypair commands begin with:

smctl gpg keypair unsuspend <gpg keypair alias or ID>

or

smctl gpg kp online <gpg keypair alias or ID>

Example 1:

Description: Switch the keypair referred to using the GPG keypair alias to online mode.

Command:

smctl gpg keypair unsuspend <gpg keypair alias>

Command sample:

smctl gpg keypair unsuspend <gpg keypair alias/id>

Example 2:

Description: Switch the keypair referred to using GPG keypair ID to online mode.

Command:

smctl gpg keypair unsuspend <gpg keypair ID>

Command sample:

smctl gpg keypair unsuspend aae21e7d-31e9-4cc0-89fa-63b323a64a56

Update GPG keypair

Update GPG keypair commands begin with:

smctl gpg keypair update <GPG keypair alias or ID>

or

smctl gpg kp edit <GPG keypair alias or ID>

Flags

Table 5. Flags for updating GPG keypairs

Shortcut  Flag                 Description
          --alias string       Specify the GPG keypair alias.
          --can-sign string    Specify whether the GPG keypair can be used to sign.
          --key-status string  Set the GPG keypair status to online or offline.
          --uids stringArray   Specify the UIDs for the master key in the following format: "name=<user_name>,comment=<comment>,email=<user_email_id>".
          --account-id string  Provide the account ID for the user.
-h        --help               Help for updating a GPG keypair.

Example 1

Description: Change the GPG key alias.

Command:

smctl gpg kp edit <GPG keypair alias or ID> --alias <new key alias>

Command sample:

smctl gpg keypair update master-gpg-key --alias master-gpg-key-changed

Example 2

Description: Remove sign privileges and set the key status to offline for a GPG key.

Command:

smctl gpg kp edit <GPG keypair alias or ID> --can-sign <Yes or No> --key-status=<offline or online>

Command sample:

smctl gpg keypair update master-gpg-key --can-sign No --key-status=OFFLINE

Update access to GPG keypair

Update access to GPG keypair commands begin with:

smctl gpg keypair update-access <GPG keypair alias or ID>

or

smctl gpg keypair edit-access <GPG keypair alias or ID>

Flags

Table 6. Flags for updating access to GPG keypairs

Shortcut  Flag                 Description
          --groups string      Assign the keypair to a group by specifying the group ID.
          --operation string   Overwrite, add, or remove access.
          --restricted         Specify true to restrict access or false to allow all users on this account access to the GPG keypair.
          --team-id string     Assign the keypair to a team by specifying the team ID.
          --users string       Assign the keypair to specific users by specifying the user IDs.
          --account-id string  Account ID for the user.
-h        --help               Help for updating access to GPG keypairs.

Example 1

Description: Add a user to the existing list of users who manage the GPG keypair.

Command:

smctl gpg keypair update-access <GPG keypair alias or ID> --operation <add or remove or overwrite> --users <user ID>

Command sample:

smctl gpg keypair update-access master-gpg-key --operation add --users 530ef4ed-8db4-4e74-b730-7c5cf2e0cad5

Example 2

Description: Change the GPG key access to open.

Command:

smctl gpg keypair update-access <GPG keypair alias or ID> --restricted=<true or false>

Command sample:

smctl gpg keypair update-access master-gpg-key --restricted=false

Update UIDs of GPG keypair

Update UIDs of GPG keypair commands begin with:

smctl gpg keypair update-uids <GPG keypair alias or ID>

or

smctl gpg keypair edit-uids <GPG keypair alias or ID>

Flags

Table 7. Flags for updating UIDs of GPG keypairs

Shortcut  Flag                 Description
          --operation string   Overwrite, add, or remove UIDs.
          --uids stringArray   Specify the UIDs for the master key in the following format: "name=<user_name>,comment=<comment>,email=<user_email_id>".
          --account-id string  Account ID for the user.
-h        --help               Help for updating UIDs of GPG keypairs.

Example 1

Description: Remove a UID from a master key.

Command:

smctl gpg keypair update-uids <GPG keypair alias or ID> --uids="name=<user_name>,comment=<comment>,email=<user_email_id>" --operation <overwrite, add or remove>

Command sample:

smctl gpg keypair update-uids master-key2 --uids="name=JohnDoe,email=john.doe@example.com,comment=signing" --operation remove

Example 2

Description: Replace the existing UIDs of this GPG key with the provided UIDs.

Command:

smctl gpg keypair update-uids <GPG keypair alias or ID> --uids="name=<user_name>,comment=<comment>,email=<user_email_id>" --uids="name=<user_name>,comment=<comment>,email=<user_email_id>" --operation <overwrite, add or remove>

Command sample:

smctl gpg keypair update-uids master-key2 --uids="name=JohnDoe,email=john.doe@example.com,comment=signing" --uids="name=JaneDoe,email=jane.doe@example.com,comment=signing"  --operation overwrite
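The --uids format is written slightly differently in the generate, update and update-uids flag tables and samples above, so it is worth checking each UID string locally before it reaches the service. The function below is an added example, not SMCTL's own code; it assumes the documented shape "name=<user_name>,comment=<comment>,email=<user_email_id>", and additionally assumes that name and email are required, comment is optional, values contain no commas, and the email contains "@" followed by a dot.

```shell
#!/bin/sh
# Added example, not SMCTL's own code: validate a UID string locally before
# passing it to --uids, so a malformed entry fails here rather than at the
# service. Documented shape on this page:
#   "name=<user_name>,comment=<comment>,email=<user_email_id>"
# Assumptions of this check (not stated in the documentation): comment is
# optional, name and email are required, values contain no commas, and the
# email must contain "@" followed by a dot.

# valid_uid <uid string>: return 0 if well-formed, else report and return 1.
valid_uid() {
  uid=$1
  [ -n "$uid" ] || { echo "uid: empty string" >&2; return 1; }
  seen_name=0; seen_email=0
  # Split on commas only (whitespace inside a value is kept); no globbing.
  old_ifs=$IFS; IFS=','; set -f; set -- $uid; set +f; IFS=$old_ifs
  for part in "$@"; do
    key=${part%%=*}; val=${part#*=}
    if [ "$part" = "$key" ] || [ -z "$val" ]; then
      echo "uid: '$part' is not key=value" >&2; return 1
    fi
    case "$key" in
      name) seen_name=1 ;;
      comment) ;;
      email)
        case "$val" in
          *@*.*) seen_email=1 ;;
          *) echo "uid: bad email '$val'" >&2; return 1 ;;
        esac ;;
      *) echo "uid: unknown field '$key'" >&2; return 1 ;;
    esac
  done
  if [ "$seen_name" != 1 ] || [ "$seen_email" != 1 ]; then
    echo "uid: name and email are required" >&2; return 1
  fi
  return 0
}

# all_uids_valid <uid>...: return 0 only if every argument passes valid_uid.
# Intended use before, e.g.:
#   smctl gpg keypair update-uids <alias> --uids="$u1" --uids="$u2" --operation overwrite
all_uids_valid() {
  for u in "$@"; do valid_uid "$u" || return 1; done
  return 0
}
```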

Download GPG keyring

Download GPG keyring commands begin with:

smctl gpg keyring download

or

smctl gpg kr save

Flags

Use one of the following flags to set parameters when using the download keyring subcommand:

Table 8. Flags for downloading a GPG keyring

Shortcut  Flag                Description
-f        --file-path string  Specify the keyring file path (default "C:\\Users\\Name\\AppData\\Roaming\\gnupg\\pubring.gpg"). The private key is not downloaded. Format:
                              --file-path="<value>"
-h        --help              Help for download.

Example

Description: Download the keyring containing one or more master keys. All subkeys and user IDs associated with the selected master keys are added to the keyring automatically.

Command:

smctl gpg keyring download <a master key alias> <another master key alias>

Command sample:

smctl gpg keyring download a-master-key1 a-master-key2