symbol Asset 1


01 Jun 2021


RNP - OpenPGP-compatible signatures and encryption.


rnp [--homedir dir] [OPTIONS] COMMAND [INPUT_FILE, …​] …​


The rnp command-line utility is part of the RNP suite and provides OpenPGP signing and encryption functionality compliant with IETF RFC 4880.

rnp does not allow manipulation of keys or keyrings — please use rnpkeys(1) for that purpose.


By default, rnp will apply a COMMAND, additionally configured with OPTIONS, to all INPUT_FILE(s) or stdin if no INPUT_FILE is given.

Depending on the input, output may be written:

  • to the specified file with a removed or added file extension (.pgp, .asc, .sig); or

  • to stdout.

Without the --armor option, output will be in binary.

If COMMAND requires public or private keys, rnp will look for the keyrings in ~/.rnp. The options --homedir and --keyfile override this (see below).

If COMMAND needs a password, rnp will ask for it via stdin or tty, unless the --password or --pass-fd option was specified.



-h, --help

Displays a short help message. No options are expected.

-V, --version

Displays version information. No options are expected.


-e, --encrypt

Encrypt data with public key(s), and optionally sign, if the --sign command is added.

You would likely want to specify one or more --recipient(s) or pick a --cipher (instead of the default).

Additional options:


Specify one or more recipients.


Select a specific cipher.

-z, --zip, --bzip

Select a compression algorithm.


Output ASCII data instead of binary via the --armor option. If the input file is file.ext, and --output is not specified, then the data will be written (depending on --armor option) to file.ext.pgp or file.ext.asc.


If the destination file already exists, and the --overwrite option is not given, the caller will be asked for the permission to overwrite or to provide a new file name. Please see the OPTIONS section for more information.

-c, --symmetric

Encrypt data with password(s).

Can be combined with the commands --encrypt and --sign.

Options that apply to the --encrypt command also apply here.

Additional options:


Encryption to multiple passwords is possible with --passwords option. Each password would be asked via stdin/tty unless --password or --pass-fd is specified.

-s, --sign

Digitally sign data, using one or more secret keys you own.

Public-key or password-based encryption may be added via the --encrypt and --symmetric commands.

Additional options:

-u, --userid

By default, the first secret key you own will be selected for signing. Apply this option to select a different key or to use multiple keys.


By default, the signature is stored together with signed data. This option detaches the data signature to a separate file (file.ext.sig).


You may want to use --hash option to override default hash algorithm settings. As with encryption, output may be converted to ascii via the --armor option.

Compression options also apply here. Since the secret key is usually stored encrypted, you will be asked for the password to decrypt it via stdin/tty unless --password or --pass-fd is specified.


Digitally sign text data, producing human-readable output with the signature attached.

In this mode, data cannot be additionally encrypted or compressed.

Other signing options, --hash, -u, --password, can still be used here.


-d, --decrypt

Decrypt and verify data from the INPUT_FILE or stdin.

If the data is signed, signature verification information will be printed to stdout/tty.

Additional options:


Output, if not overridden with this option, will be written to the file with stripped .pgp extension or stdout. If INPUT_FILE does not end with the .pgp extension, then output file name will be asked via stdin/tty.

--password, --pass-fd

Depending on encryption options, you may be asked for the password of one of your secret keys, or for the encryption password. These options override that behavior such that you can input the password through automated means.

-v, --verify

Verify signature(s) without writing embedded data out, if any.

To verify the detached signature of a file file.ext, the detached signature file in the file name pattern of file.ext.sig or file.ext.asc must exist.

If data is encrypted, you may be asked for password as in the --decrypt command.



Show detailed information about the OpenPGP data in INPUT_FILE or stdin. Useful for curiosity, troubleshooting or debugging.

Additional options can be used:


output JSON data instead of human-readable information


print out key fingerprints and grips


print out all MPI values


print raw, hex-encoded packets too


Convert binary data to the ASCII-armored as per OpenPGP standard. This includes the -----BEGIN PGP MESSAGE----- header and footer, and Base64-encoded data.

Output for file.ext will be written to file.ext.asc (if it does not exist) or to stdout.

The following OpenPGP headers may be specified:









Additional options:


Forcefully overwrite existing destination file if it exists.


Specify destination file path.


Attempts to convert data from an armored format to the binary format.

The file.ext.asc output file would be written to file.ext. If the destination file already exists, it will prompt the user for a new filename.

Additional options:


Forcefully overwrite existing destination file if it exists.


Specify destination file path.


--home, --homedir DIR

Change homedir (where RNP looks for keyrings) to the specified value.

The default homedir is ~/.rnp .

-f, --keyfile PATH

Instead of loading keyrings, use key(s) from the file specified.

-u, --userid KEY

Specify one or more signing keys, searching for it via the given value KEY. See rnpkeys(1) on how to find valid values.

-r, --recipient KEY

Add the message recipient, i.e. the public key to which message will be encrypted to. See rnpkeys(1) on how to find valid values.

--armor, --ascii

Apply ASCII armoring to the output, so that the resulting output can be transferred as plain text.

See IETF RFC 4880 for more details.

--detach, --detached

Create a detached signature.

--output PATH

Write data processing related output to the file specified.

If not specified, the output filename will be guessed from the input filename/extension or the command will prompt the user via stdin/tty.


Overwrite already existing files without prompt.


Set hash algorithm which to be used for signing and derivation of the encryption key from a password.

The default value is SHA256.

--cipher ALGORITHM

Set the symmetric algorithm used during encryption.

The default value is AES256.

--aead [EAX, OCB]

Enable AEAD encryption and select algorithm to be used.

--aead-chunk-bits BITS

Change AEAD chunk size. This is used for testing or debugging.

--zip, --zlib, --bzip2

Select corresponding algorithm to compress data with. Please refer to IETF RFC 4880 for details.

-z 0..9

Set compression level for the compression algorithms.

9 is the highest compression level, where 0 disables compression.

The default value is 6.

--pass-fd FD

Specify a file descriptor to read passwords from instead of from stdin/tty.

Useful for automated or non-interactive sessions.

--password PASSWORD

Use the specified password when it is needed.

Not recommended for production use due to potential security issues. Use --pass-fd for batch operations instead.
--passwords COUNT

Set the number of passwords for --symmetric encryption.

While not commonly used, you may encrypt a message to any reasonable number of passwords.

--creation TIME

Override signature creation time.

By default, creation time is set to current local computer time.

A specific time could be specified in the ISO 8601-1:2019 date format (yyyy-mm-dd), or in the UNIX timestamp format.

--expiration TIME

Set signature expiration time, counting from the creation time.

By default, signatures do not expire.

A specific expiration time can be specified as: * expiration date in the ISO 8601:2019 date format (yyyy-mm-dd); or * hours/days/months/years since creation time with the syntax of 20h/30d/1m/1y; * number of seconds.

--keystore-format GPG|KBX|G10|G21

Set keystore format.

RNP automatically detects the keystore format.

This option allows the auto-detection behavior to be overridden.


Enable debug output for the source file specified. For development use only.







The following examples demonstrate method of usage of the rnp command.


rnp --homedir .rnp --encrypt -r 0x6E69636B6F6C6179 --output document.txt.encrypted document.txt

Load keyrings from the .rnp folder, encrypt the document.txt file using the key with keyid 0x6E69636B6F6C6179.


rnp --keyfile john-sec.asc -s --detach --hash SHA512 document.txt

Generate a detached signature over the file document.txt, using the secret key stored in the file. Additionally override the hash algorithm to SHA512.


rnp --keyfile john-pub.asc --verify document.txt.sig

Verify detached signature, using the key stored in the john-pub.asc file. The signed data is assumed to be available from the file document.txt.


rnp -e -c -s --passwords 3 -r 0x526F6E616C642054 -r "" -u 0x44616E69656C2057 document.txt

Encrypt document.txt with 2 keys (specified via keyid 0x526F6E616C642054 and userid, and 3 passwords, so any of these may be used to decrypt the resulting file.

Additionally, the message will be signed with key 0x44616E69656C2057.


Please report issues via the RNP public issue tracker at:

Security reports or security-sensitive feedback should be reported according to the instructions at:


RNP is an open source project led by Ribose and has received contributions from numerous individuals and organizations.



Copyright (C) 2017-2021 Ribose. The RNP software suite is freely licensed: please refer to the LICENSE file for details.


rnpkeys(1), librnp(3)