How is the PGP key generated and set up?

We recommended to use the GnuPG tool to generate a key (

Make sure all the following commands are executed as the user that will be running the command line client, or any of the SRS::Client modules.

To generate a key, type:

gpg --gen-key

Follow the instructions the the gpg application gives you:

  • Choose a 'RSA and RSA' type key
  • with keysize '4096', 
  • and '0' expiry (unless you have reason to choose non-default settings). 

You can create a passphrase if you prefer one. If the key is generated with a passphrase the passphrase needs to be provided as environment variable (see below for more details)

Once the key is generated, you can export it by typing:

gpg --export --armour <username>

Username is either the 'Real Name', 'Email Address' or both, that you entered for the key (type: 'gpg --list-keys' to view usernames for your keys). This is also the name you need to pass to the command line client, or the SRS::Client modules. (However, the most recently added secret key is your default secret key, and will be used if you don't specify a username).

The export command will print the armoured key to STOUT. If it's more convenient, you can redirect this to a file:

gpg --export --armour <username> > pub.key

If you are using the RIK command line clients (SendXML or SRSClient) or you want to verify the signatures sent with responses by the registry, then you must import the registy's public key to your keyring. To do this, type:

gpg --import reg.key

The registry's public key is included in a file (reg.key) in the top level directory of the Technical RIK.

You will have to specify the path to the key file if you're executing 'gpg' in a directory other than the one containing the key file.

Please note that the minimum PGP Key size we allow is 1024 bits and NZRS recommend that a key of at least 2048 bits is used.

If you have more than one key in your GPG keyring it may be necesary to specify which GPG identity should be used. Depending on how you are using the RIK there are a number of different ways this can be done:

  • For the sendXML program you can specify using the GNUPGID environment variable 
  • For the SRSClient program you can specify a '-u' parameter 
  • For the webserver you can specify an 'Id' value within the 'Crypto' block. 

In all cases you should specify the real-name of the GPG id, not the fingerprint

If you use a key with a passphrase:

The passphrase needs to be specified in an environment variable SRS_RIK_PASSPHRASE. Or a environment variable SRS_RIK_PASSPHRASE_FILE points to a file containing the passphrase.