Table of Contents
- CLI Reference (rpg)
- Invocation
- Keyring password resolution
- Input and output
- Crypto operations
- --symmetric / -c — symmetric encrypt
- --encrypt / -e — asymmetric encrypt
- --encrypt --sign — sign-then-encrypt
- --decrypt / -d — decrypt
- Signing
- --sign / -s — binary sign
- --clearsign — clear-sign
- --detach-sign / -b — detached signature
- --verify — verify
- Format
- Key management
- --gen-key — generate keys
- --list-keys / -k — list all identities
- --list-secret-keys / -K — list own identities
- --fingerprint — show fingerprint
- --export — export public identity
- --export-secret-keys — export full identity
- --import — import identities
- --gen-revoke — generate revocation certificate
- --import-revoke — apply a revocation certificate
- --edit-key — edit key metadata
- Store type
- Common flags
- Settings defaults (~/.config/rustpg/rustpg.conf)
- Common workflows
CLI Reference (rpg)
rpg is the command-line binary. It shares the same keyring, config file, and crypto library (rpglib) as the GUI — operations done in one are immediately visible in the other.
Invocation
rpg [FLAGS] [OPTIONS] [FILE]
When called with no arguments and stdin is a terminal, rpg prints help. When stdin is a pipe and no operation is specified, it exits with an error.
Keyring password resolution
Every operation that touches the keyring needs the master password that protects key_material.rpg. The password is resolved in this order:
RPG_KEYRING_PASSWORDenvironment variable — process-list safe, recommended for scripts--keyring-password-file <PATH>— reads the password from a file (trailing newline stripped)- OS keyring (
passwd_keyringentry under servicerustpg) — used whenremember_password = trueinrustpg.conf - Interactive prompt (
rpassword) — terminal prompt, no echo
--keyring-password <PASS> is also accepted but not recommended: the value is visible in ps aux output and recorded in shell history. A stderr warning is printed when it is used.
If no keyring file exists yet (first run), no password is required.
Input and output
All crypto operations accept an optional positional FILE argument and an optional --output FILE flag:
| Input | Output |
|---|---|
FILE argument |
--output FILE |
| stdin (pipe) | stdout |
The two can be mixed freely — e.g. read from stdin, write to a file.
Crypto operations
--symmetric / -c — symmetric encrypt
AES-256-GCM with Argon2id key derivation. Passphrase from --passphrase or prompted interactively.
rpg --symmetric --passphrase "secret" document.txt -o document.txt.rpg
rpg -c --passphrase "secret" -a document.txt # armored output to stdout
--symmetric --stream <FILE> — stream encrypt (LFM)
ChaCha20-Poly1305 + Argon2id, streaming file-to-file. No keyring needed. Output is written to <FILE>.rpgx. No --output flag — the output path is always derived from the input path.
rpg --symmetric --stream video.mp4 --passphrase "secret"
# writes video.mp4.rpgx
--encrypt / -e — asymmetric encrypt
X25519 ECIES + AES-256-GCM. Requires --recipient.
rpg --encrypt --recipient alice document.txt -o document.txt.rpg
rpg -e -r alice -a document.txt # armored to stdout
--encrypt --sign — sign-then-encrypt
Ed25519-signs the plaintext (binary mode) then ECIES-encrypts the signed blob. Requires --recipient for the encryption key; --my-id selects the signing key (defaults to own identity).
rpg --encrypt --sign --recipient alice --my-id bert document.txt -o out.rpg
After decryption the receiver sees Good signature from bert. (or a warning) on stderr if they pass --recipient bert.
--decrypt / -d — decrypt
Auto-detects RPGS (symmetric) or RPGA (asymmetric) from the 4-byte magic. For symmetric, --passphrase or prompt. For asymmetric, --my-id selects the private key (defaults to own identity).
rpg --decrypt --passphrase "secret" document.txt.rpg
rpg -d --my-id bert encrypted.rpg -o plaintext.txt
If the decrypted payload contains an embedded signature, the wrapper is stripped automatically and the signature is reported to stderr.
--decrypt --stream <FILE> — stream decrypt (LFM)
Decrypts an RPGX stream file. Output path is <FILE> with the .rpgx extension stripped (or <FILE>.dec if no .rpgx extension).
rpg --decrypt --stream video.mp4.rpgx --passphrase "secret"
# writes video.mp4
Signing
--sign / -s — binary sign
Produces a single blob: RUSTPGSIG\x02 + 64-byte Ed25519 signature + original data. Output is binary; pipe through --armor for text.
rpg --sign document.txt -o document.txt.sig
rpg -s -a document.txt -o document.txt.asc
--clearsign — clear-sign
Wraps a UTF-8 text file in a human-readable armored block with the signature appended. Input must be valid UTF-8.
rpg --clearsign message.txt -o message.txt.asc
--detach-sign / -b — detached signature
Writes a raw 64-byte Ed25519 signature to a separate file. Share the signature alongside the original unchanged file.
rpg --detach-sign document.txt -o document.txt.sig
--verify — verify
Auto-detects binary, clearsign, or detached format. Use --sigfile for detached signatures. --recipient selects whose key to verify with; defaults to own identity.
rpg --verify --recipient alice signed.txt
rpg --verify --recipient alice --sigfile document.txt.sig document.txt
Prints Good signature. or BAD signature. to stdout.
Format
--armor / -a — ASCII armor
Wraps binary output in OpenPGP-style armor (base64 + CRC24). Can be combined with any crypto or sign operation.
rpg --encrypt -r alice -a document.txt # outputs -----BEGIN RUSTPG ASYMMETRIC MESSAGE-----
--dearmor — strip armor
Converts armored text back to binary. Accepts any -----BEGIN ... ----- header (RUSTPG or PGP).
rpg --dearmor document.txt.asc -o document.txt.rpg
Key management
--gen-key — generate keys
Generates a new X25519 (encryption) and Ed25519 (signing) keypair. Inserts or updates the identity with --my-id in the keyring. Prompts for confirmation if the slug already exists.
rpg --gen-key --my-id bert --name "Bert van der Weerd" --email "bert@example.com"
--list-keys / -k — list all identities
Shows all identities: role, display name, email, fingerprint, revocation status.
rpg --list-keys
pub [contact] Alice Doe <alice@example.com>
AABBCCDD EEFF0011 22334455 ...
sec [self] Bert van der Weerd <bert@example.com>
11223344 AABBCCDD EEFF0011 ...
--list-secret-keys / -K — list own identities
Same as --list-keys but restricted to identities with private keys.
--fingerprint — show fingerprint
Prints the SHA-256 fingerprint of the Ed25519 public key for the selected identity.
rpg --fingerprint --my-id bert
rpg --fingerprint # defaults to own identity
--export — export public identity
Outputs a rustpg-keyring block with public keys only. The role is downgraded to contact — safe to share.
rpg --export --my-id bert -o bert-public.txt
rpg --export --recipient alice -o alice-public.txt
--export-secret-keys — export full identity
Includes private keys. Keep this output confidential.
rpg --export-secret-keys --my-id bert -o bert-full.txt
--import — import identities
Parses a rustpg-keyring file and merges all identities into the keyring. Slug conflicts are refused.
rpg --import alice-public.txt
--gen-revoke — generate revocation certificate
Produces a -----BEGIN RUSTPG REVOCATION----- PEM block — an Ed25519 signature over the literal bytes REVOKE. Stores the cert in the keyring and writes it to the output.
rpg --gen-revoke --my-id bert -o bert-revoke.pem
--import-revoke — apply a revocation certificate
Reads a revocation cert, finds the matching identity by verifying the cert against every Ed25519 key in the keyring, and marks it revoked.
rpg --import-revoke alice-revoke.pem
--edit-key — edit key metadata
Not yet implemented.
Store type
By default rpg uses the RPG keystore at ~/.config/rustpg/key_material.rpg. Two flags select an alternate backend:
--storetype-rpg [PATH]
Use the RPG keystore. If PATH is given, open that file instead of the default. The OS vault is not consulted for alternate paths — supply the password via --keyring-password or the interactive prompt.
rpg --storetype-rpg /mnt/usb/backup.rpg --list-keys
--storetype-gnupg
Use GnuPG's ~/.gnupg as a read-only keystore. gpg must be in PATH. Only --list-keys and --list-secret-keys are supported; all write operations print an error.
rpg --storetype-gnupg --list-keys
rpg --storetype-gnupg --list-secret-keys
See KeyStore Architecture for the full backend design.
Common flags
| Flag | Short | Description |
|---|---|---|
--my-id <SLUG> |
Own identity slug. Default: my_id from rustpg.conf, then first self identity. |
|
--recipient <SLUG> |
-r |
Recipient or signer slug. Default: last_recipient_id from rustpg.conf. |
--keyring-password <PASS> |
Master password for key_material.rpg. Overrides OS vault. |
|
--passphrase <PASS> |
Passphrase for symmetric encrypt/decrypt. | |
--output <FILE> |
-o |
Write output to FILE instead of stdout. |
--sigfile <FILE> |
Detached signature file for --verify. |
|
--cipher-algo <ALGO> |
Cipher for --symmetric. Currently only AES256 is implemented. |
|
--stream <FILE> |
With --symmetric: stream-encrypt FILE to FILE.rpgx. With --decrypt: stream-decrypt FILE.rpgx → FILE. |
|
--armor |
-a |
ASCII-armor output. |
--name <NAME> |
Display name for --gen-key. |
|
--email <EMAIL> |
Email address for --gen-key. |
|
--verbose |
-v |
Verbose output. |
--quiet |
-q |
Suppress informational output. |
--version |
-V |
Print version and exit. |
--storetype-rpg [PATH] |
Use RPG keystore (optional alternate path). | |
--storetype-gnupg |
Use GnuPG keystore (read-only). |
Settings defaults (~/.config/rustpg/rustpg.conf)
rpg reads the shared config file on startup. Two fields affect CLI behaviour:
| Key | Effect |
|---|---|
my_id |
Default value for --my-id when the flag is omitted |
last_recipient_id |
Default value for --recipient when the flag is omitted |
The config file is shared with the GUI — changing my_id in the GUI's Settings panel affects the CLI default and vice versa.
Common workflows
Encrypt a file for Alice and armor it:
rpg --encrypt --recipient alice --armor report.pdf -o report.pdf.asc
Decrypt any rustpg file (auto-detects symmetric/asymmetric):
rpg --decrypt encrypted.rpg -o plaintext.txt
Sign and encrypt in one step:
rpg --encrypt --sign --recipient alice document.txt -o document.rpg
# Alice decrypts and verifies:
rpg --decrypt --recipient bert document.rpg -o document.txt
Clearsign a text announcement:
rpg --clearsign --my-id bert announcement.txt -o announcement.txt.asc
Verify a clearsigned or binary-signed file:
rpg --verify --recipient bert announcement.txt.asc
Export your public key and send it to a contact:
rpg --export --my-id bert -o bert.txt
# Contact imports it:
rpg --import bert.txt
Revoke your key and distribute the certificate:
rpg --gen-revoke --my-id bert -o bert-revoke.pem
# Contacts apply it:
rpg --import-revoke bert-revoke.pem
Pipe from stdin:
echo "hello" | rpg --symmetric --passphrase "pw" --armor
cat encrypted.asc | rpg --dearmor | rpg --decrypt --passphrase "pw"
Stream-encrypt and decrypt a large file (LFM):
rpg --symmetric --stream video.mp4 --passphrase "secret" # → video.mp4.rpgx
rpg --decrypt --stream video.mp4.rpgx --passphrase "secret" # → video.mp4