PGP Command Line

PGP Command Line 9.0 for Mainframes: FAQ

Product Selection

Features & Functionality

Securing Backups

Platform Support

Interoperability

Deployment

Purchase & Licensing


Product Selection

In what scenarios is PGP Command Line the right PGP product to deploy?
PGP Command Line is ideally suited to batch-processing environments on mainframe systems requiring security for confidential information in transit, in storage, and for backup. Other PGP solutions are targeted at providing enterprise email and desktop storage security. For server-based or end-user applications that are not script-based, PGP Corporation offers its PGP Software Development Kit (SDK) to provide encryption functionality that can be compiled natively into the application.

I already use a secure protocol to transfer documents between locations. Am I secure?
Secure protocols, such as SSH or FTP over SSL, only secure data while it is in transit between locations; however, once a file arrives at a location, it is vulnerable to local users who have access to the file system. Hence, secure protocols fail to provide end-to-end security. PGP Command Line ensures that data is protected not only in transit over the network, but also in storage at either end of the network connection. By keeping data in an encrypted and signed form while in storage, PGP Command Line ensures only authorized access to sensitive information and that data can be verified for authenticity later. PGP Command Line also enables permanent signatures to be attached to the data, something not possible with a transport layer protocol even though the protocol may perform data integrity checks while the data is in transit.

Is PGP Command Line the same as the PGP SDK?
The PGP SDK is a different product from PGP Command Line. The PGP SDK is a Software Development Kit library that provides the cryptographic functionality used by all PGP products, including PGP Command Line. The PGP SDK requires users to be able to write code in C/C++ and compile the code into an application. PGP Command Line is built on top of the PGP SDK and provides end users with a command line-based interface they can use to perform encryption operations on files without any programming knowledge.

Does PGP Command Line include a license to the PGP SDK that I can use to include encryption functionality in my own (compiled) application?
No. The PGP SDK is available separately for applications that require encryption functionality that can be compiled into the application.

Can I use PGP Command Line to build an email encryption solution for my company?
PGP Corporation has developed the PGP Universal product line to address the information security needs of enterprise email users, providing a full-featured, transparent, policy-driven, secure-messaging platform. PGP Corporation and its channel partners will disqualify customers whose intended application for PGP Command Line is to build an enterprise encryption email server and direct them to PGP Universal instead. PGP Corporation will not disqualify those customers interested in using PGP Command Line to plug into email clients such as mutt, elm, pine, or kMail to provide encryption functionality.


Features & Functionality

PGP Command Line sounds very similar to products from other encryption software developers. What makes PGP Command Line unique?
PGP Command Line is built on a proven cryptographic engine, the PGP SDK, developed by many of the individuals behind the original PGP technology and the OpenPGP standard. The PGP SDK 3.0.3 is FIPS 140-2 validated, providing demonstrable proof of the maturity of the technology to organizations with demanding security needs. Most competing products have never undergone FIPS validation and unlike PGP Corporation, these vendors do not release their product source code publicly for peer review. PGP Command Line is also available for a broad range of Windows and UNIX operating systems in addition to the IBM iSeries and IBM zSeries platforms.

Furthermore, PGP Command Line offers patented Additional Decryption Key (ADK) functionality that allows organizations to ensure all messages are encrypted to an ADK, enabling future recovery of encrypted data, according to corporate policy. Each time a message is encrypted to a key, that message is also encrypted to the ADK. In the event a key is lost or unavailable, or access to encrypted data is required by corporate policy or regulations, organizations can use the ADK to decrypt the message and recover the encrypted data, thus reducing the likelihood of important data loss.

What general functions does PGP Command Line perform?
PGP Command Line performs file-based encryption and decryption to ensure confidentiality of sensitive data, and creates and verifies digital signatures to ensure message integrity and provide proof of the origin of data. In addition, PGP Command Line provides key management functionality to allow a user to create new keys, sign partner keys, and interact with keyservers to find partner keys.

What are the key features of PGP Command Line?
PGP Command Line enables organizations to automate protection of sensitive consumer and business information, securing it for local storage, transfer over the Internet, or backup and transfer to offsite storage. In addition to support for OpenPGP and X.509 key formats, encryption, digital signing, compression, and secure wiping capabilities, PGP Command Line also provides patented Additional Decryption Key (ADK) technology, enabling authorized access to encrypted data in the event of key loss, according to corporate policy.

Key features of PGP Command Line include the following:
  • OpenPGP/X.509 key management
    • Create, import, export, sign, & check validity of keys
  • Keyring management
    • Adding, removing, & searching for keys
  • PGP Keyserver support
    • Send, search for, & receive keys from a keyserver
  • Encryption & authentication
    • Encrypt, decrypt, sign, & verify data
  • Additional Decryption Key (ADK) support
    • Encrypt all messages to an ADK to allow authorized access in the event a user's key is lost or unavailable, according to corporate policy
  • Self-Decrypting Archive (SDA) support
    • Allows an organization to create encrypted archives packaged as executables that enable a recipient without PGP Command Line to decrypt the encrypted message using only a passphrase
  • Key reconstruction support
    • When used in conjunction with a PGP Universal Server, PGP Command Line can be used to securely store a backup of a private key to protect against loss of either the private key or the passphrase used to protect the private key
  • Key splitting support
    • Private keys can be split into multiple shares, requiring a specified number of keyshare holders to authorize a signing or decryption operation
  • Creation of compressed and encrypted Self-Decrypting Archives (SDAs) holding multiple files per archive
  • Secure file deletion
  • Automation of tasks using mainframe batch control interfaces and scripting languages:
    • IBM z/OS: JCL and other batch control interfaces
    • IBM i/OS: CL and other batch control interfaces
    • Linux: Shell scripts, PERL, and other scripting languages

Is there a limit on the size of file I can encrypt using PGP Command Line?
PGP Command Line does not restrict the size of file that can be encrypted. However, to successfully encrypt a large file, the system on which the file is being encrypted will require enough free disk space to hold both the original file and the encrypted file, which can be as large as the original file, depending on the compression used during encryption. In cases where PGP Zip is used to encrypt a number of files and folders and maintain the directory structure, PGP Command Line will require enough free disk space to hold the original files, the encrypted file, and a temporary file used during the creation of the compressed archive of the original files. This temporary file can be as large as the original file, depending on the compression scheme used.

Does PGP Command Line support key reconstruction?
Yes. PGP Command Line supports uploading key reconstruction information to a PGP Universal 2.0 Server to use at a later time to reconstruct a private key in the event it is lost or the user forgets the key's passphrase.

What is key reconstruction?
Key reconstruction is a mechanism to securely archive a private key on a PGP Universal 2.0 Server. A user's private key is used to decrypt files encrypted to the public key as well as to digitally sign files. Normally, a user's private key is stored on his/her machine and protected by a passphrase; in the event the user loses his/her private key or forgets the passphrase, the user will no longer be able to decrypt files encrypted to the public key.

Key reconstruction protects against loss of the private key or the passphrase by allowing the user to store a copy of the private key on a PGP Universal 2.0 Server. The user specifies a number of questions and answers; PGP Command Line splits the private key and protects it using the answers prior to storing it on the PGP Universal 2.0 Server. The user can subsequently retrieve the private key using PGP Command Line by providing the correct answers to the security questions, thereby reconstructing the private key.

Does PGP Command Line support Self-Decrypting Archives (SDAs)?
Yes. PGP Command Line supports creation of SDAs for any of the supported Windows and UNIX server platforms. Please refer to PGP Command Line for server platforms for more information on supported platforms.

What are Self-Decrypting Archives?
A Self-Decrypting Archive (SDA) is an executable containing a file that has been encrypted using a passphrase. A recipient of an SDA runs the executable and enters the passphrase to decrypt the file. SDAs are especially useful when the sender must send an encrypted file to a recipient who does not have PGP software installed. Creating an SDA requires the sender to know the recipient's platform because SDA executables are platform-specific. An SDA can also be encrypted to an Additional Decryption Key (ADK) to allow corporate access to the encrypted data, according to policy, should the sender or recipient lose the passphrase required to decrypt the file.

Does PGP Command Line include an FTP client?
Most modern operating systems include a command line FTP client suitable for automating data transfers using Windows batch files or UNIX Shell Scripts. The same scripts used to automate PGP Command Line functionality can be used to automate data transfers using these built-in FTP clients, eliminating the need for PGP Command Line to provide an FTP client. By allowing organizations to use their preferred transport mechanism in this manner, PGP Command Line provides maximum deployment flexibility and allows re-use of existing data transport investments.

What file transport protocols does PGP Command Line support?
PGP Command Line secures files and therefore does not need to support any specific file transport protocols. Once a file has been encrypted using PGP Command Line, the encrypted file can be transferred using any existing transport mechanism, such as FTP or FTPS, providing maximum deployment flexibility.


Securing Backups

Can PGP Command Line be used to secure existing backup processes?
Yes. PGP Command Line scripts can easily be added to existing backup processes. Using existing backup software and hardware, PGP Command Line scripts can be triggered to encrypt files before backup. Common backup applications for PGP Command Line include near-term disk-to-disk backup and archival storage on tape.

What backup software or hardware does PGP Command Line require?
PGP Command Line does not require a specific vendor's backup software or hardware. Instead, PGP Command Line scripts are triggered by backup software to encrypt files. This approach allows organizations to use their existing backup software and hardware to manage storage systems and read/write backups to archival media, while adding encryption to secure sensitive data.

Does PGP Command Line include backup automation software?
PGP Command Line is designed to be independent of backup software and does not include its own backup automation software. Customers can integrate PGP Command Line with existing software and hardware backup systems. If an organization deploys new backup hardware or software, PGP Command Line can be integrated into new processes to continue securing backups.

When used for backup encryption, will PGP Command Line-encrypted backups be accessible in the future?
PGP Command Line uses OpenPGP encryption, the standard encryption protocol used by organizations worldwide for more than a decade to secure confidential data. In addition, PGP Corporation continues to publish its source code for peer review and independent testing by leading security experts. PGP Command Line includes support for key reconstruction, key splitting, Additional Decryption Keys (ADKs), and Self-Decrypting Archives (SDAs), all options that enhance long-term key management. With standards-based encryption, tested source code, and advanced key management options, PGP Command Line-encrypted files are prepared for long-term accessibility.

Can PGP Command Line remove temporary files generated for transfer or backup preparation?
Yes. PGP Command Line includes secure file deletion capabilities that exceed military requirements. When integrated into network-transfer or backup processes, PGP Command Line can overwrite temporary files generated and erase unencrypted input files. This functionality reduces the risk of temporary files being compromised after a network transfer or backup process.


Platform Support

Which platforms does PGP Command Line currently support?
PGP Command Line currently supports the following platforms and operating systems:

  • IBM zSeries running:
    • IBM z/OS 1.6
    • SUSE Linux Enterprise Server 9.0
    • Red Hat Enterprise Linux 4.0
  • IBM iSeries running:
    • IBM i5/OS V5R3
    • IBM OS/400 V5R1
    • SUSE Linux Enterprise Server 9.0
    • Red Hat Enterprise Linux 4.0
More information on supported Windows and UNIX platforms is available here.

What are the minimum and recommended system requirements for running PGP Command Line?
PGP Command Line runs on the hardware configuration recommended by the operating system manufacturer. Consult the operating system's user guide for minimum and recommended system requirements.

For which platforms does PGP Command Line support creation of Self-Decrypting Archives?
PGP Command Line for mainframe platforms supports the creation of SDAs for any of the supported Windows and UNIX platforms (more information on server platform support is available here). PGP Command Line does not support the creation of SDAs for execution on mainframe systems. A user of PGP Command Line can specify any of the supported target platforms for the SDA executable. However, creating an SDA requires the sender to know the recipient's platform because SDA executables are platform-specific.


Interoperability

Does PGP Command Line interoperate with other PGP products?
Yes. PGP Command Line is based on the same cryptographic library that provides the core encryption functionality for all PGP products: the PGP Software Development Kit (SDK). The PGP SDK is compliant with the OpenPGP standard, ensuring that messages encrypted using PGP Command Line can be read across all PGP products and platforms.

Does the recipient of files encrypted with PGP Command Line also require a copy of PGP Command Line?
Because PGP Command Line uses OpenPGP-compliant message formatting, recipients of files encrypted or signed using PGP Command Line require software capable of handling OpenPGP messages, such as PGP Command Line, PGP Desktop, or PGP Universal. PGP Command Line also supports creation of Self-Decrypting Archives (SDAs), compressed and encrypted archives packaged as executables that require only a passphrase to decrypt. Organizations can use SDAs to securely transfer data to recipients who do not have OpenPGP-compatible software installed. PGP Command Line for mainframe operating systems creates SDA executables for server platforms supported by PGP Command Line. Please refer to PGP Command Line for server platforms for more information on supported platforms.

Is PGP Command Line compatible with PGP keys created using an older version of PGP Command Line or other OpenPGP-compatible products?
Yes. PGP Command Line supports the newer RSA v4 keys, RSA v4 sign-only keys, DH/DSS v4 keys, and DH/DSS v4 sign-only keys as well as legacy RSA v3 keys.

Is PGP Command Line command-compatible with the McAfee® E-Business Server?
The PGP development team has provided as much compatibility as possible while improving the design to streamline the user interface, reduce prompting, and enable simpler scripting that will ease future maintenance. Although some migration work will be required for PGP Command Line to interoperate with existing solutions built using McAfee's E-Business Server, this work should be minor and easily accomplished using the migration guidelines accompanying PGP Command Line.

Can PGP Command Line interact with keyservers to obtain or distribute keys?
Yes. PGP Command Line supports uploading and downloading keys from keyservers and searching for keys over LDAP. By using a keyserver to host keys, an organization can manage a large number of partner keys in a central location and use PGP Command Line to retrieve the latest key from the keyserver, as required.

What are the minimum and maximum key sizes supported by PGP Command Line?
The minimum and maximum key sizes supported by PGP Command Line depend on the type of key:

  • RSA v4: 1024 to 4096 bits
  • RSA v4 sign-only: 1024 to 4096 bits
  • DH/DSS v4: 1024 to 4096 bits
  • DH/DSS v4 sign-only: 1024 bits
  • RSA v3 (legacy): 1024 to 2048 bits

Deployment

How is PGP Command Line deployed?
PGP Command Line is installed on an existing mainframe system where information is being processed. Once installed, batch control interfaces or scripts written using Shell scripts or other scripting languages can call on PGP Command Line to perform encryption, decryption, signing, and verification operations on files as part of existing data transfer, file processing, or backup automation scripts.

Do I need a programmer/software developer to integrate PGP Command Line?
Existing systems administrators responsible for managing batch control interfaces and scripts used to automate data transfers, file processing, and backup procedures should be able to easily incorporate PGP Command Line as they would any other command line tool.


Purchase & Licensing

How is PGP Command Line distributed?
PGP Command Line is available from a PGP authorized reseller.

Are development and failover licenses available for PGP Command Line?
Yes. Licenses for development purposes or for a backup system in the event of a failure on the main production system are available separately from PGP Command Line runtime licenses.

How can I upgrade my version of PGP Command Line?
Please click on the following link to contact a PGP sales representative and learn whether you qualify for a free upgrade to the latest version of PGP Command Line: http://www.pgp.com/company/contactsales.html

Do you publish source code for PGP Command Line?
Yes. As with other PGP products, PGP Corporation makes the source code for PGP Command Line publicly available for inspection and peer review.


"Especially when it comes to heterogeneous or legacy systems, file transfer is still the easiest method for exchanging data. However, the protocols used for file transfer were developed before security became such a critical issue, so it's important to add that extra layer of security."

Rhonda Johnson, PGP Program Director, ACS
