• NAME
• SYNOPSIS
• DESCRIPTION
• OPTIONS
• create
• addkey
• promote, demote, and revoke
• pubkey
• SUPPORT KEYSTORE TYPE
• SEE ALSO
• AUTHOR
• LICENSE

NAME

keyczar - Command line tool for generating Keyczar key files.

SYNOPSIS

  $ keyczar create --location=/path/to/your/crypt-keyset --purpose=crypt
  $ keyczar addkey --location=/path/to/your/crypt-keyset

  $ keyczar create --location=/path/to/your/sign-keyset --purpose=sign
  $ keyczar addkey --location=/path/to/your/sign-keyset
  $ keyczar addkey --location=/path/to/your/sign-keyset --status=primary

  $ keyczar pubkey --location=/path/to/your/asymmetric-keyset --destination=/path/to/public-keyset

  $ keyczar usekey --location=/path/to/your/keyset

DESCRIPTION

All Keyczar keys are generated with the keyczar command line tool. The following commands are supported:

* create

create a new key store.

* addkey

add new key to existing store.

* promote

promote status of a key version in existing store.

* demote

demote status of a key version in existing store.

* revoke

revoke key version in existing store.

* pubkey

export a public key set from existing private key store. * usekey

encrypt or sing by primary key.

OPTIONS

create

keyczar must first create a new keyset using the create command. A newly created keyset will initially contain just a metadata file. create commmand requires --location and --purpose command-line flags that specify the location of the key set and its purpose. Valid purpose are currently crypt and sign. The create command may also take an optional --name flag to give a newly created keyset a name.

Some example create commands:

* Create a symmetric signing (HMAC) keyset:

keyczar create --location=/path/to/keyset --purpose=sign

* Create a symmetric signing (HMAC-SHA256) keyset:

keyczar create --location=/path/to/keyset --purpose=sign --type=HMAC_SHA256

* Create a symmetric crypting (AES) keyset named ``Test'':

keyczar create --location=/path/to/keyset --purpose=crypt --name=Test

* Create a asymmetric crypting (RSA) keyset:

keyczar create --location=/path/to/keyset --purpose=crypt --asymmetric

* Create a asymmetric signing (DSA) keyset:

keyczar create --location=/path/to/keyset --purpose=sign --asymmetric

* Create a asymmetric signing (RSA) keyset:

keyczar create --location=/path/to/keyset --purpose=sign --asymmetric=rsa

addkey

All Keyczar keys are created using the addkey command. This command requires a keyset --location flag and may optionally have --status, --crypter, and --size flags. --status values they are primary, active, and inactive. The default status is active. User-specified key sizes are supported, although it is recommended that only default or larger key sizes are used. The addkey command will create a new file in the keyset directory with an integer version number that is one greater than the currently largest version. For example, if the current keyset contains the key file 1, a new key version will be created in the file 2. Some example addkey commands:

* Create a new primary key:

keyczar addkey --locaiton=/path/to/keyset --status=primary

* Create a new active key:

keyczar addkey --location=/path/to/keyset

promote, demote, and revoke

The promote, demote, and revoke commands are used to change key status values. Each of these commands require a --location and --version flag. Promoting an active key will raise its status to primary, and promoting an inactive status will make it primary. There can only be a single primary key in given key set. Similarly, demote will lower a primary key to active, and an active key to inactive. The revoke command will only work for inactive status values. The revoke command will permenantly delete key material, so should be used with caution. Some example promote, demote, and revoke commands. Suppose that key version 1 initially has an active status:

* Promote active version 1 to primary:

keyczar promote --location=/path/to/keyset --version=1

* Demote primary version 1 back to active:

keyczar demote --location=/path/to/keyset --version=1

* Demote active version 1 to inactive:

keyczar demote --location=/path/to/keyset --version=1

* Revoke the inactive version 1:

keyczar revoke --location=/path/to/keyset --version=1

pubkey

Create and exports public key files to given --destination based on private key set at given --location. Some example addkey commands:

* Export public keyset from existing asymmetric key store:

keyczar pubkey --location=/path/to/keyset --destination=/path/to/public-keyset

SUPPORT KEYSTORE TYPE

The keyczar command can operate the file based keysets.

SEE ALSO

the Crypt::Keyczar manpage, the Crypt::Keyczar::Crypter manpage, the Crypt::Keyczar::Signer manpage, the Crypt::Keyczar::FileReader manpage, http://www.keyczar.org/

AUTHOR

Hiroyuki OYAMA <oyama@mixi.co.jp>

LICENSE

Licensed under the Apache License, Version 2.0 (the ``License''); you may not use this file except in compliance with the License. You may obtain a copy of the License at

     http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an ``AS IS'' BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.