-
Notifications
You must be signed in to change notification settings - Fork 11
/
paperkey.1
167 lines (167 loc) · 6.8 KB
/
paperkey.1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
.\" paperkey manpage copyright (C) 2007, 2012, 2013 Peter Palfrader <[email protected]>
.\" Examples have been taken from David Shaw's README.
.\"
.\" This document is free software; you can redistribute it and/or modify
.\" it under the terms of the GNU General Public License as published by
.\" the Free Software Foundation; either version 2 of the License, or
.\" (at your option) any later version.
.\"
.\" This document is distributed in the hope that it will be useful,
.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
.\" GNU General Public License for more details.
.\"
.\" You should have received a copy of the GNU General Public License
.\" along with this program; if not, write to the Free Software
.\" Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
.\" MA 02110-1301 USA
.\"
.\"
.\" paperkey, the software, is written and
.\" copyright 2007, 2008 David Shaw <[email protected]>
.TH PAPERKEY 1 "June 2012" "PAPERKEY"
.SH NAME
paperkey \- extract secret information out of OpenPGP secret keys
.SH SYNOPSIS
.B paperkey\fR
[\fB\-\-secret\-key=\fR\fIFILE\fR]
[\fB\-\-output=\fR\fIFILE\fR]
[\fB\-\-output\-type=\fR\fBbase16\fR|\fBraw\fR]
[\fB\-\-output\-width=\fR\fIWIDTH\fR]
.LP
.B paperkey\fR
\fB\-\-pubring=\fR\fIFILE\fR
[\fB\-\-secrets=\fR\fIFILE\fR]
[\fB\-\-input\-type=\fR\fBauto\fR|\fBbase16\fR|\fBraw\fR]
[\fB\-\-output=\fR\fIFILE\fR]
[\fB\-\-ignore\-crc\-error\fR]
[\fB\-\-comment=\fR\fISTRING\fR]
[\fB\-\-file\-format\fR]
.LP
.B paperkey\fR \fB\-\-version\fR
.SH MOTIVATION
As with all data, secret keys should be backed up. In fact, secret
keys should be backed up even better than other data, because they are
impossible to recreate should they ever be lost. All files encrypted
to lost keys are forever (or at least for a long time) undecipherable.
In addition to keeping backups of secret key information on digital
media such as USB-sticks or CDs it is reasonable to keep an
if-all-else-fails copy on plain old paper, for use should your digital
media ever become unreadable for whatever reason. Stored properly,
paper is able to keep information for several decades or longer.
.PP
With GnuPG, PGP, or other OpenPGP implementations the secret key
usually contains a lot more than just the secret numbers that are
important. They also hold all the public values of key pairs, user
ids, expiration times and more. In order to minimize the information
that has to be entered manually or with the help of OCR, QR code or
similar software, \fBpaperkey\fR extracts just the secret information
out of OpenPGP secret keys. For recovering a secret key it is assumed
that the public key is still available, for instance from public
Internet keyservers.
.SH DESCRIPTION
\fBpaperkey\fR has two modes of operation:
.PP
The first mode creates "paperkeys" by extracting just the secret
information from a secret key, formatting the data in a way suitable
for printing or in a raw mode for further processing.
.PP
The other mode rebuilds secret keys from such a paperkey and a copy of
the public key, also verifying the checksums embedded in the paperkey.
This mode is selected when the \fB\-\-pubring\fR option is used, which
is required in that case. If a passphrase was set on the original
secret key, the same passphrase is set on the rebuilt key.
.PP
Input is read from standard\-in except when the \fB\-\-secret\-key\fR or
\fB\-\-secrets\fR option is used; output is printed to standard\-out,
unless changed with the \fB\-\-output\fR option.
.SH SECURITY CONSIDERATIONS
Please note that \fBpaperkey\fR does not change the protection and
encryption status of and security requirements for storing your secret
key. If the secret key was protected by a passphrase so is the
paperkey. If the secret key was unprotected the paperkey will not be
protected either.
.SH OPTIONS
\fB\-\-help\fR, \fB\-h\fR
Display a short help message and exit successfully.
.LP
.TP
\fB\-\-version\fR, \fB\-V\fR
Print version information and copyright information and exit successfully.
.LP
.TP
\fB\-\-verbose\fR, \fB\-v\fR
Print status and progress information to standard\-error while processing
the input. Repeat for even more output.
.LP
.TP
\fB\-\-output=\fR\fIFILE\fR, \fB\-o\fR
Redirect output to the file given instead of printing to standard\-output.
.LP
.TP
\fB\-\-comment=\fR\fISTRING\fR
Include the specified comment in the base16 output.
.LP
.TP
\fB\-\-file\-format\fR
Paperkey automatically includes the file format it uses as comments at
the top of the base16 output. This command simply prints out the file
format and exits successfully.
.SH OPTIONS FOR EXTRACTING SECRET INFORMATION
.TP
\fB\-\-output\-type=base16\fR, \fB\-\-output\-type=raw\fR
Select the output type. The base16 style encodes the information in
the style of a classic hex-dump, including line numbers and per-line
CRC checksums to facilitate localizing errors in the input file during
the recovery phase. The raw, or binary, mode is just a raw dump of
the secret information, intended for feeding to barcode generators or
the like.
.LP
.TP
\fB\-\-output\-width=\fR\fIWIDTH\fR
Choose line width in the base16 output mode. The default is 78 characters.
.LP
.TP
\fB\-\-secret\-key=\fR\fIFILE\fR
File to read the secret key from. If this option is not given \fBpaperkey\fR
reads from standard\-input.
.SH OPTIONS FOR RE-CREATING PRIVATE KEYS
.TP
\fB\-\-input\-type=auto\fR, \fB\-\-input\-type=base16\fR, \fB\-\-input\-type=raw\fR
Specify that the given input is either in base16 format, as produced
by \fBpaperkey\fR, or in raw format. The default, auto, tries to
automatically detect the format in use.
.LP
.TP
\fB\-\-pubring=\fR\fIFILE\fR
File to read public key information from. It is assumed that the user can
get the public key from sources like public Internet keyservers.
.LP
.TP
\fB\-\-secrets=\fR\fIFILE\fR
File to read the extracted secrets, the paperkey, from. If this is not given
then the information is read from standard\-input.
.LP
.TP
\fB\-\-ignore\-crc\-error\fR
Do not reject corrupt input and continue despite any CRC errors.
.SH EXAMPLES
Take the secret key in key.gpg and generate a text file
to\-be\-printed.txt that contains the secret data:
.PP
.B $ paperkey \-\-secret\-key my\-secret\-key.gpg \-\-output to\-be\-printed.txt
.PP
Take the secret key data in my\-key\-text\-file.txt and combine it with
my\-public\-key.gpg to reconstruct my\-secret\-key.gpg:
.PP
.B $ paperkey \-\-pubring my\-public\-key.gpg \-\-secrets my\-key\-text\-file.txt \-\-output my\-secret\-key.gpg
.PP
If \-\-output is not specified, the output goes to stdout. If \-\-secret\-key is
not specified, the data is read from stdin so you can do things like:
.PP
.B $ gpg \-\-export\-secret\-key my\-key | paperkey | lpr
.SH SEE ALSO
.BR gpg (1),
.BR http://www.jabberwocky.com/software/paperkey/
.SH AUTHORS
\fBpaperkey\fR is written by David Shaw <[email protected]>.