PGP Command Line for Servers

Protect confidential data in automated business processes

Overview

Data transfer and processing systems are at the heart of every organization, exchanging large volumes of information between internal systems, suppliers, and customers. However, legacy data transfer systems are especially prone to security breaches, because traditional file transfer and email protocols have no built-in security.

For organizations that need to securely exchange large volumes of information, PGP® Command Line can protect business-critical data easily and with little impact on existing systems. PGP Command Line can also be used to protect large volumes of information stored on servers from unauthorized access.

  • Trusted data transactions–Secures data in back-end systems to ensure confidentiality and authenticity in transactions.
  • Fast and flexible deployment–Integrates easily into new and legacy business processes.
  • Comprehensive protection–Secures data in transit and at rest.
  • Enterprise standard–Leverages a common encryption application across enterprise systems.

As a PGP® Encryption Platform–enabled application, PGP Command Line leverages keys managed by PGP Universal™ Server, expediting deployment and systems management. PGP Command Line can be used in combination with other PGP® encryption solutions to provide multiple layers of security.

Technical Specifications

Supported Operating Systems

  • Windows® Vista (all 32-bit and 64-bit editions)
  • Windows Server 2008
  • Windows Server 2003
  • Windows XP (32-bit and 64-bit editions)
  • Windows 2000 (SP4)
  • HP-UX 11i or above (PA-RISC and Itanium)
  • IBM® AIX® 5.2, 5.3 and 6.1
  • Red Hat® Enterprise Linux® 3.0 or above (x86 and x86_64)
  • SuSe Linux Enterprise 9.0 and above (x86)
  • Sun Solaris™ 9 (SPARC only) and 10 (SPARC, x86, and x86_64)
  • Fedora Core 6 and above (x86_64 only)
  • Apple® Mac OS X 10.4 and 10.5 (Universal Binary)

Public Key Formats

  • OpenPGP (RFC 4880)
  • X.509 v3

Directory Servers

  • LDAP
  • PGP Universal™ Server
  • PGP® Global Directory

Symmetric Key Algorithms

  • AES (up to 256-bit keys)
  • CAST5
  • TripleDES
  • IDEA
  • Twofish
  • Blowfish*
  • Arc4 (128-bit keys)

Hashes

  • SHA-1, SHA-256, SHA-384, SHA-512
  • MD5
  • RIPEMD-160

Public Key Algorithms

  • Diffie-Hellman (up to 4096-bit keys)
  • DSA (1024-bit keys only, verification up to 3072 bits)
  • RSA (up to 4096-bit keys)

Compression Algorithms

  • Zip
  • BZip2
  • ZLib

*Support for Blowfish is limited to decrypting existing messages encrypted with Blowfish or encrypting to existing keys that specify Blowfish as the preferred cipher.

FAQ

General

What is PGP Command Line and why is it important?

Built on a proven cryptographic engine, PGP Command Line is an enterprise-grade server file encryption tool that easily integrates into existing business processes. Customer data, financial transactions, and sensitive supply chain information are transferred, processed, and stored on servers. PGP Command Line allows organizations to quickly secure new and existing business processes using standards-based encryption without burdening administrators.

What business problem does PGP Command Line solve?

Businesses are increasingly compelled to meet audit, industry, and government information security requirements. Servers create, store, process, and back up some of an organization's most sensitive data. PGP Command Line enables application and system administrators to quickly secure data for use inside the organization and beyond to business partners without learning a new programming language.

What are the key benefits of PGP Command Line?

PGP Command Line helps businesses to do the following:

  • Protect data instead of writing code–Systems administrators can use scripting skills to quickly add encryption to new or existing processes instead of spending time writing new programming code.
  • Retain corporate access and support data retention–In the event of key loss or as required by regulatory mandates, PGP Command Line ensures confidential information is available when needed—a policy requirement in many organizations—using patented PGP® Additional Decryption Key (ADK) technology.
  • Secure partner and supply chain networks–With broad platform support and standards-based OpenPGP encryption, PGP Command Line allows organizations to quickly secure new and existing business processes.

How does PGP Command Line work?

PGP Command Line performs file-based encryption and decryption to ensure confidentiality of sensitive data and creates and verifies digital signatures to ensure message integrity and provide proof of the origin of data. In addition, PGP Command Line provides key management functionality to allow a user to create new keys, sign partner keys, and interact with directories and keyservers to find partner keys. PGP Command Line is a command line application that can easily be integrated with existing processes using scripting tools such as Shell Scripts, Perl, and Windows batch files.

What is the end-user experience with PGP Command Line?

PGP Command Line is integrated into automated or batch processes without the need for an end-user interface. Administrators can use existing scripting skills to automate PGP Command Line operations.

What’s new in PGP Command Line?

PGP Command Line provides the following new features:

  • New platform support–Adds support for Windows Server 2008 and SuSe Linux Enterprise 9.0 and above

What languages (localization) does PGP Command Line support?

PGP Command Line scripting functions and documentation are provided in English.

Is the source code available for download?

Yes. To validate the integrity of its products, PGP Corporation releases all product source code, including PGP Command Line, for peer review. For more information, see PGP® Source Code.

How does the PGP Command Line fit into the PGP Encryption Platform?

PGP Command Line leverages the PGP Encryption Platform key management functionality and is PGP® Zip file format–compatible with other PGP Encryption Platform–enabled applications.

Technical

How is PGP Command Line deployed?

PGP Command Line is installed on an existing server where information is being batch-processed. Once installed, existing scripts written using Microsoft® Windows® batch files, UNIX Shell Scripts, or other scripting languages can call on PGP Command Line to perform encryption, decryption, signing, and verification operations on files as part of existing data transfer or backup automation scripts.

Do I need a programmer/software developer to integrate PGP Command Line?

Existing IT staff members responsible for administering scripts used to automate batch processes and backup procedures should be able to easily incorporate PGP Command Line as they would any other command line tool.

What operating systems are supported?

PGP Command Line is supported on the following operating systems:

  • Microsoft Windows
  • HP-UX
  • IBM® AIX®
  • Red Hat® Enterprise Linux
  • SuSe Linux Enterprise
  • Sun Solaris
  • Apple Mac OS X

For full details on operating system and version compatibility, see PGP Command Line Technical Specifications. Mainframe and mid-range platform support is also available with PGP Command Line for IBM Power Systems® and IBM Mainframe®.

Is there a limit on the size of file PGP Command Line can encrypt?

PGP Command Line does not restrict the size of file that can be encrypted. To successfully encrypt a large file, however, the system on which the file is being encrypted will require enough free disk space to hold both the original file and the encrypted file, which can be as large as the original file, depending on the compression scheme used during encryption. In cases where PGP Zip is used to encrypt a number of files and folders and maintain the directory structure, PGP Command Line will require enough free disk space to hold the original files, the encrypted file, and a temporary file used during the creation of the compressed archive of the original files. This temporary file can be as large as the original file, depending on the compression scheme used.

Does PGP Command Line support key reconstruction?

Yes. PGP Command Line supports uploading key reconstruction information to PGP Universal™ Server to use at a later time to reconstruct a private key in the event it is lost or the user forgets the key’s passphrase.

What is key reconstruction?

Key reconstruction is a mechanism to securely archive a private key on PGP Universal Server. A user’s private key is used to decrypt files encrypted to the public key as well as to digitally sign files. Normally, a user’s private key is stored on the user’s machine and protected by a passphrase. In the event the user loses the private key or forgets the passphrase, he/she will no longer be able to decrypt files encrypted to the public key. Key reconstruction protects against loss of the private key or the passphrase by allowing the user to store a copy of the private key on PGP Universal Server. The user specifies a number of questions and answers required to reconstruct the key. PGP Command Line then splits the private key and protects it using the answers prior to storing it on PGP Universal Server. The user can subsequently retrieve the private key using PGP Command Line by providing the correct answers to the security questions, thereby reconstructing the private key.

Does PGP Command Line support Self-Decrypting Archives (SDAs)?

Yes. PGP Command Line supports creation of SDAs for any of the supported platforms.

What are Self-Decrypting Archives (SDAs)?

A Self-Decrypting Archive (SDA) is an executable containing a file that has been encrypted using a passphrase. A recipient of an SDA runs the executable and enters the passphrase to decrypt the file. SDAs are especially useful when the user must send an encrypted file to a recipient who does not have PGP software installed. Creating an SDA requires the sender to know the recipient’s platform because SDA executables are platform-specific. An SDA can also be encrypted to an Additional Decryption Key (ADK) to allow corporate access to the encrypted data (according to policy), should the sender or recipient lose the passphrase required to decrypt the file.

Does PGP Command Line include an FTP client?

Most modern operating systems include a command line FTP client suitable for automating data transfers using Windows batch files or UNIX Shell Scripts. The same scripts used to automate PGP Command Line functionality can be used to automate data transfers using these built-in FTP clients, eliminating the need for PGP Command Line to provide an FTP client of its own. By allowing organizations to use their preferred transport mechanism, PGP Command Line provides maximum deployment flexibility and allows re-use of existing data transport investments.

What file transport protocols are supported?

PGP Command Line secures files and therefore does not need to support specific file transport protocols. Once a file has been encrypted using PGP Command Line, the encrypted file can be transferred using any existing transport mechanism, such as FTP or FTPS, providing maximum deployment flexibility.

Interoperability

Does PGP Command Line interoperate with other PGP products?

Yes. PGP Command Line is based on the same cryptographic library that provides the core encryption functionality for all PGP® products: the PGP® Software Development Kit (SDK). The PGP SDK is compliant with the OpenPGP standard, ensuring that messages encrypted using PGP Command Line can be read across all PGP products and platforms.

Does the recipient of files encrypted with PGP Command Line also require a copy of PGP Command Line?

Because PGP Command Line uses OpenPGP-compliant message formatting, recipients of files encrypted or signed using PGP Command Line require software capable of handling OpenPGP messages, such as PGP Command Line, PGP® Desktop, or PGP Universal solutions. PGP Command Line also supports creation of Self-Decrypting Archives (SDAs), compressed and encrypted archives packaged as executables that require only a passphrase to decrypt. Organizations can use SDAs to securely transfer data to recipients who do not have OpenPGP-compatible software installed.
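As an added example (not PGP Corporation's code), the following Python parses the packet framing of a binary OpenPGP message as defined in RFC 4880 and lists the key IDs the message was encrypted to; a defender can run it over an encrypted backup file to confirm it really is OpenPGP output addressed to the expected recipient key and the corporate ADK. The sample bytes are constructed, and only binary (non-armored) messages are handled.

```python
import struct

# Subset of RFC 4880 section 4.3 packet tags seen in encrypted messages.
TAG_NAMES = {1: "Public-Key Encrypted Session Key", 2: "Signature",
             3: "Symmetric-Key Encrypted Session Key", 8: "Compressed Data",
             9: "Symmetrically Encrypted Data", 11: "Literal Data",
             18: "Sym. Encrypted Integrity Protected Data"}


def read_packet_header(data, pos):
    """Return (tag, body_start, body_len) for the header at pos (RFC 4880 4.2)."""
    ctb = data[pos]
    if not ctb & 0x80:
        raise ValueError("offset %d: tag bit not set, not an OpenPGP packet" % pos)
    if ctb & 0x40:                      # new-format header
        tag, first = ctb & 0x3F, data[pos + 1]
        if first < 192:
            return tag, pos + 2, first
        if first < 224:
            return tag, pos + 3, ((first - 192) << 8) + data[pos + 2] + 192
        if first == 255:
            return tag, pos + 6, struct.unpack(">I", data[pos + 2:pos + 6])[0]
        raise ValueError("offset %d: partial body length not supported" % pos)
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03   # old-format header
    if ltype == 3:
        raise ValueError("offset %d: indeterminate length not supported" % pos)
    nbytes = 1 << ltype                 # 1, 2 or 4 length octets follow
    return tag, pos + 1 + nbytes, int.from_bytes(data[pos + 1:pos + 1 + nbytes], "big")


def list_packets(data):
    """Walk a binary OpenPGP message and return [(tag_name, body), ...]."""
    out, pos = [], 0
    while pos < len(data):
        tag, start, length = read_packet_header(data, pos)
        body = data[start:start + length]
        if len(body) != length:
            raise ValueError("offset %d: truncated packet" % pos)
        out.append((TAG_NAMES.get(tag, "tag %d" % tag), body))
        pos = start + length
    return out


def recipient_key_ids(data):
    """Upper-case hex key IDs from every v3 PKESK packet (RFC 4880 5.1)."""
    return [body[1:9].hex().upper() for name, body in list_packets(data)
            if name == TAG_NAMES[1] and body[0] == 3]


# Constructed sample, not a real message: an old-format PKESK to key ID
# 0123456789ABCDEF (RSA, algorithm 1, dummy 16-bit MPI), then a 5-byte
# new-format SEIPD packet. A real file would carry the ciphertext there.
SAMPLE = bytes.fromhex("840e03" "0123456789abcdef" "01" "0010abcd"
                       "d205" "0100000000")
```

Comparing `recipient_key_ids(path_bytes)` against the set of key IDs policy requires (recipient plus ADK) makes a cheap post-encryption check in a backup script.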

Can PGP Command Line be used to secure existing backup processes?

Yes. PGP Command Line scripts can easily be added to existing backup processes. Using existing backup software and hardware, PGP Command Line scripts can be triggered to encrypt files before backup. Common backup applications for PGP Command Line include near-term disk-to-disk backup and archival storage on tape.

What backup software or hardware does PGP Command Line require?

PGP Command Line does not require a specific vendor’s backup software or hardware. Instead, PGP Command Line scripts are triggered by backup software to encrypt files. This approach allows organizations to use their existing backup software and hardware to manage storage systems and read/write backups to archival media while adding encryption to secure sensitive data.

Is PGP Command Line compatible with PGP keys created using an older version of PGP Command Line or other OpenPGP-compatible products?

Yes. PGP Command Line supports the newer RSA v4 keys, RSA v4 sign-only keys, DH/DSS v4 keys, and DH/DSS v4 sign-only keys, as well as legacy RSA v3 keys.

Is PGP Command Line command-compatible with the McAfee E-Business Server?

The PGP development team has provided as much compatibility as possible while improving the design of PGP Command Line to streamline the user interface, reduce prompting, and enable simpler scripting that eases future maintenance. Although users will need to do some migration work for PGP Command Line to interoperate with existing solutions built using McAfee E-Business Server, this work should be minor and easily accomplished using the migration guidelines accompanying PGP Command Line.

Can PGP Command Line interact with keyservers to obtain or distribute keys?

Yes. PGP Command Line supports uploading and downloading of keys from keyservers plus searching for keys over LDAP. By using a keyserver to host keys, an organization can manage a large number of keys in a central location and use PGP Command Line to retrieve the latest keys from the keyserver, as required.

What are the minimum and maximum key sizes supported?

The minimum and maximum key sizes supported by PGP Command Line depend on the type of key:

  • RSA v4: 1024–4096 bits
  • RSA v4 sign-only: 1024–4096 bits
  • DH/DSS v4: 1024–4096 bits
  • DH/DSS v4 sign-only: 1024 bits
  • RSA v3 (legacy): 1024–2048 bits

Where can I find release notes and other product-related documentation?

Release Notes and Quick Start Guides are available at http://support.pgp.com/?faq=589. In addition, customers with a current support contract can download User, Administrator, and Developer Guides from the same link.

Features

PGP® Command Line 9.0 expands on the feature set of PGP Command Line 8.5 by adding support for mainframe platforms, improved key-management capabilities, and greater ease in securing backup data and communications. PGP Command Line offers a variety of features that benefit information security managers and IT administration staff:

Automated services, seamless integration

PGP Command Line protects confidential information no matter where it resides. PGP Command Line can be deployed in minutes, not months.

  • Straightforward integration of encryption eases security into existing backup and batch processing setups.
  • Automation of security processes creates dependable, consistent implementation of security policies.
  • Compatibility with common mainframe batch control interfaces and scripting languages simplifies integration:
      • IBM z/OS: JCL and other batch control interfaces
      • IBM i: CL and other batch control interfaces
      • Linux: Shell scripts, Perl, and other scripting languages
  • Secure file deletion prevents reconstruction of sensitive, unencrypted data.

Standard-based and standards-compatible

PGP Command Line works in any infrastructure, shares data across platforms and partners, and leverages existing security investments.

  • Support for OpenPGP (RFC 2440) keys and X.509 certificates ensures interoperability.
  • Support for data-compression technologies such as Zip, BZip2, and Zlib reduces data-transfer times.
  • Support for key retrieval and update from existing PGP keyservers maintains the value of existing security investments.
  • Use of key infrastructures already in place to secure electronic mail minimizes administrative overhead.

Assured access

PGP Command Line makes sure business continuity is not at risk when keys are lost or stolen.

  • Patented Additional Decryption Key (ADK) technology ensures corporate access to encrypted data, according to corporate security policy, if keys are lost, keyholders are unavailable or unwilling to make keys available, or if regulatory mandates demand access to sensitive data.

Proven encryption

PGP Command Line secures data on a proven, industry-standard platform. PGP Command Line 9.0 makes it possible for organizations to comply with regulatory or business security mandates.

  • Building on the mature, proven PGP® Software Development Kit (SDK) used by thousands of global organizations results in encryption that can be trusted.
  • PGP® source code has survived more than a decade of intense review by the world's best cryptographers, resulting in encryption that can be trusted.
  • Support for CAST5, TripleDES, IDEA, Twofish, and AES (up to 256-bit keys) means the most important symmetric key algorithms can be accommodated.
  • Support for Diffie-Hellman, DSA, and RSA (up to 4,096-bit keys) means the most important public key algorithms can be accommodated.
  • Support for SHA-1, SHA-256, SHA-512, MD5, and RIPEMD-160 means the most important secure-hash algorithms can be accommodated.