In this chapter, you'll get pkzipc set up on your Windows, Mac or UNIX/Linux computer. You'll also learn more about the different editions of PKZIP and Smartcrypt CLI, and how to confirm your purchase through license activation.

Product Features

Beyond the basics, Smartcrypt offers these features:

  • Smartkeys: Smartkeys replace both passphrase- and certificate-based encryption, and make Smartcrypt unique. A Smartkey is a collection of encryption keys tied to an access control list (ACL). The ACL defines who can decrypt the data contained in an archive. See "Encrypting Files with a Smartkey" in Chapter 4.
  • Email and FTP integration: Options to create and transfer archives by email or FTP directly from the command line. See Chapter 6.
  • PKSFX: The ability to create self-extracting ZIP files for use in either the native command line or graphical Windows environment. See "Working with Self-Extracting (PKSFX) Archives" in Chapter 4.
  • Strong passphrase-based encryption: Strong encryption—the kind of encryption used by banks and the federal government—is much more secure than the weaker, traditional ZIP encryption provided by PKZIP. See "Encrypting Files with a Passphrase" in Chapter 4.
  • Strong encryption using a digital certificate instead of a passphrase: This kind of encryption is both more convenient and more secure than passphrase-based encryption, and it enables you to encrypt files just for the people you want to see them. See "Encrypting Files with a Recipient List" in Chapter 4.
  • Strong file name encryption: With this feature, you can encrypt even the names of files in an archive so that only the intended recipients of the archive can read them. See "Encrypting File Names" in Chapter 4.
  • Digital signatures: When you attach a digital signature, recipients of your files can be sure that the files are unchanged and really come from you. See "Attaching Digital Signatures" in Chapter 4.
  • Directory Integration: This module enables Smartcrypt to access digital certificates stored on directory servers anywhere in the enterprise. Being able to access certificates on directory servers makes it much more convenient to do strong certificate-based encryption, as you can encrypt for a set of recipients without needing to have the certificate for each recipient on your own machine. See "Accessing Recipients in an LDAP Directory" in Chapter 4.
  • Contingency keys are digital certificate-based keys that an administrator can have automatically included in the recipient list whenever Smartcrypt does strong encryption. See "Contingency Keys" in Chapter 4 for more information.
  • JSON Output: JSON output is supported for a number of different commands. To get the JSON output for a command, add ‘ -json’ at the end of the standard command. Following are the supported commands:
    • -view
    • -listcert
    • -listsm
    • -smartkeyc
    • -smartkeym
  • Ability to generate OpenPGP keys
  • Convert X.509 certificates to OpenPGP keys
  • Convert OpenPGP keys to X.509 certificates
  • Signing OpenPGP keys

If you are transitioning from the McAfee eBusiness Server (EBS), you can use Smartcrypt in OpenPGP Mode to run many of your existing EBS scripts with minimal editing. The commands include decrypt, encrypt, and sign. These commands and options are described in Appendix F, "McAfee eBusiness Server Command Options."

Learning More and Getting Help

This manual is not the only way to learn about Smartcrypt. You can find additional information inside the program itself, and on the World Wide Web.

Using Help

Smartcrypt provides a help system for the Smartcrypt commands and options. The help system describes syntax and shows sample command lines.
Access the help system directly from the command line:

  • At the command prompt, type the following and press ENTER:

pkzipc -help
A screen with Smartcrypt version and usage information appears. You can get help for any Smartcrypt command or option from here.

  • To bypass the command/option menu and go directly to a help file for a particular command or option, type the help command followed by an equal sign (=) and the command or option for which you want information.

For example, to access online help for the add command, type the following at the command prompt and press ENTER:
pkzipc -help=add
The help information for the add command appears.

Getting Version Information

To list the version of Smartcrypt that you are using, use the version command:
pkzipc -version
This command line outputs two lines like the following after the usual header information:

Program File Version (pkzipc): 15.10.1245
Product Version: 15.10.0017

The first line lists major, minor, and step version numbers of the program:

Program File Version (pkzipc): <major>.<minor>.<step>

The second line lists the major and minor version numbers and the build number of the product.

Product Version: <major>.<minor>.<build> 

Major and minor version numbers of the program are always the same as those for the product.
In addition to producing this display output, the version command returns a version number as a value to the shell. The version number returns as a positive integer value less than 256. This value is only returned to the shell and is not displayed in normal output. It can be used to verify Smartcrypt version numbers in a .BAT file or shell script.
Sub-options of the version command (described in the following table) determine which version number is returned. The major version number is returned by default.


| PKZIP Returns | For example |
|---|---|
| The major release number. For example, if the version number is 12.10.1054, the value returned is 12. This is the default return. | pkzipc -version or pkzipc -version=major |
| The minor number of the release. For example, if the version number is 12.10.1054, the value returned is 10. | pkzipc -version=minor |
| The step or patch value (minus 1000 if ≥ 1000). For example, if the program version is 12.10.1054, the value returned is 54. | pkzipc -version=step |
| The build number of the product. For example, if the product version is 12.10.0003, the value returned is 3. | pkzipc -version=product |
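The return values described above can gate a script on a minimum program version, for example to refuse to run with a build older than the one your organization has approved. This is an added example, not code from the Smartcrypt documentation; the PKZIPC variable and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not vendor code): gate a script on a minimum pkzipc program
# version using the exit status of "pkzipc -version=<part>".
# PKZIPC and both function names are assumptions made for this example.
PKZIPC="${PKZIPC:-pkzipc}"

# Run "pkzipc -version=<part>" and print its exit status, which carries the
# requested version component (a positive integer below 256).
pkzipc_version_part() {
    rc=0
    "$PKZIPC" "-version=$1" >/dev/null 2>&1 || rc=$?
    echo "$rc"
}

# Usage: pkzipc_at_least <major> <minor> <step>
# Returns 0 if the installed program version is at least major.minor.step,
# 1 if it is older, 2 if pkzipc cannot be found.
# <step> is given in its returned form: step 1054 is passed as 54.
pkzipc_at_least() {
    want_major=$1 want_minor=$2 want_step=$3
    # A missing binary makes the shell return 127, which would otherwise be
    # read as a version number, so confirm the command resolves first.
    command -v "$PKZIPC" >/dev/null 2>&1 || return 2
    have_major=$(pkzipc_version_part major)
    have_minor=$(pkzipc_version_part minor)
    have_step=$(pkzipc_version_part step)
    [ "$have_major" -gt "$want_major" ] && return 0
    [ "$have_major" -lt "$want_major" ] && return 1
    [ "$have_minor" -gt "$want_minor" ] && return 0
    [ "$have_minor" -lt "$want_minor" ] && return 1
    [ "$have_step" -ge "$want_step" ]
}
```

Call it in a condition, for example `pkzipc_at_least 15 10 245 || exit 1`, so that the version-bearing exit status is never mistaken for a failure by `set -e`.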

Technical Support

For support, visit our Web site at:

Working With Your License

Entering License Keys

After the installation is complete, each Smartcrypt CLI user must enter the license key to activate the product.
If you're running Smartcrypt CLI in an enterprise environment, you must activate and configure the PEM Agent instead of entering the license key. See the next section.
To enter a (single) license key after installing Smartcrypt, use the enterlicensekey command:

At the command prompt, type the following and press ENTER:

pkzipc -enterlicensekey

Smartcrypt prompts you for a product license key. Enter a product license key and press ENTER.

On UNIX, running the enterlicensekey command creates license files in the $HOME/.PKWARE directory.

Configuring the PEM Agent

To take advantage of Smartkey-based encryption, you must connect your device with the Smartcrypt server. The server manages your sensitive data.
Note: To use Smartkeys and other Smartcrypt features, you must have a Smartcrypt account. See "Configuring the Agent in Windows" for more information.

Configuring the Agent in UNIX

Follow these steps to configure the PEM Agent:
NOTE: The examples below describe the default location of PEM Agent in Linux and AIX, /usr/pkware/. If you're running Solaris or HP-UX, replace the reference with /opt/pkware.

  1. Confirm that PEM Agent is not already running. Kill any instance of PEM Agent running under your user account. The file ~/.PKWARE/ contains its process ID.
  2. Run this command to configure the agent:

/usr/pkware/pkzip/bin/pkagent --config --email <email> --master <pw>

  • Where <email> represents your email address, and <pw> is your Smartcrypt account password.
  • If you are in an enterprise environment with PEM Administrator active, use this command instead:

/usr/pkware/pkzip/bin/pkagent --config --email <email> --iwa <pw>

  • In some cases, your enterprise Smartcrypt Administrator may allow for an "unmanaged" account. In that case, use this command to configure the agent:

/usr/pkware/pkzip/bin/pkagent --config --email <email> --master <pw>

CAUTION: Be aware that your account password will be visible in your shell's command history. Consider measures (such as running the configuration command in an alternate shell) to protect your account.
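One way to keep the password out of shell history is to prompt for it instead of typing it as part of the command. The wrapper below is an added example, not part of the Smartcrypt documentation; configure_agent and the PKAGENT variable are assumed names, and the pkagent options are the ones shown above.

```shell
#!/bin/sh
# Added example (not vendor code). configure_agent and PKAGENT are assumed
# names; the pkagent options used are the ones shown on this page.
PKAGENT="${PKAGENT:-/usr/pkware/pkzip/bin/pkagent}"

# Usage: configure_agent <email> [--master|--iwa]
# Reads the password from stdin so it is never part of a typed command line
# and therefore never lands in the shell's history file.
configure_agent() {
    email=$1
    mode=${2:---master}
    case "$mode" in
        --master|--iwa) ;;
        *) echo "mode must be --master or --iwa" >&2; return 2 ;;
    esac
    if [ -t 0 ]; then
        # Interactive: switch terminal echo off while the password is typed,
        # and restore it even if the prompt is interrupted.
        printf 'Smartcrypt account password: ' >&2
        saved_tty=$(stty -g)
        trap 'stty "$saved_tty"' INT TERM
        stty -echo
        IFS= read -r pw || true
        stty "$saved_tty"
        trap - INT TERM
        echo >&2
    else
        # Non-interactive: take the first line of stdin, for example from a
        # file readable only by the account owner.
        IFS= read -r pw || true
    fi
    [ -n "$pw" ] || { echo "empty password, agent not configured" >&2; return 1; }
    rc=0
    "$PKAGENT" --config --email "$email" "$mode" "$pw" || rc=$?
    unset pw
    return "$rc"
}
```

The password is still handed to pkagent as an argument, so it can appear in process listings while the command runs; the wrapper only addresses the shell history exposure described in the caution above.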

Configuring the Agent in Windows

If you are already logged in to your company's network through Windows Active Directory, your Smartcrypt client will automatically connect to the server.

  1. Click the Smartcrypt status icon (in the Windows system tray).
  2. Choose My Account from the menu.

You should see your name and Active Directory email listed. The Identity Provider will be Active Directory Integrated.

Connecting to Smartcrypt Outside the Network

If you are not logging into your computer with your company's network credentials, when you open Smartcrypt the first time, you'll be asked to log in. Enter your email address (such as and a password.
To confirm your account connection, click the Smartcrypt icon and select My Account.

Getting License Information

To display the Smartcrypt license information on your screen, do the following:

  • At the command prompt, type the following and press ENTER:

pkzipc -license

Notes for UNIX Users

Using Wildcards with Smartcrypt on UNIX

If your UNIX shell is set up to automatically expand wildcards, you should put file specifications that use wildcards (for example, *.htm) in quotation marks, like this: "*.htm", on the command line to prevent the shell from expanding them.
Allowing the shell to expand wildcard file specifications into an explicit list of files can cause the Smartcrypt recurse and directories options not to work properly. Placing a wildcard pattern in quotes instructs the shell to pass the pattern as an argument to Smartcrypt, which then expands it.
Smartcrypt can interpret and expand the following wildcard patterns:






*.txt, *f.txt


h*, file.f*




., ab

Running the Program as Root

Setting the set-uid bit on the pkzipc binary causes Smartcrypt to run as root. It also causes Smartcrypt to run any program that it may launch—such as the ftp client (ftp option) or a virus scanner (avscan option)—as root.
Use considerable caution in setting the set-uid bit to run Smartcrypt as root. It is very easy for a program running as root to overwrite system files, and setting the set-uid bit on any program raises security concerns. Configure Smartcrypt to run this way only in keeping with organizational security policies and on the instructions of a system administrator.

Notes for Windows users

Setting Smartcrypt in the Windows Path

The installation puts Smartcrypt on your system's search path so that you can access the program from any directory without specifying a path. However, if for any reason you need to specify the path yourself, you can.
The search path in Windows is normally specified in the system's Environment Variables. To add the Smartcrypt installation directory to your search path, follow the steps below (These steps are for Windows 7; some items may have different labels depending on your version of Windows).

  1. Close any open Command Prompt windows.
  2. Select Settings | Control Panel | System from the Start Menu.
  3. In the Control Panel, double click the System icon (or
  4. Click Advanced System Settings. The System Properties dialog appears.
  5. Click the Advanced tab (if necessary) and then click Environment Variables.
  6. Select the Path variable in the System (Environment) Variables or User (Environment) Variables boxes. These variables are sorted alphabetically. Click Edit.

If you are unable to locate the Path variable, click New and enter path in the Variable line:

In the Value box, enter (in quotes) the path to the folder where Smartcrypt is installed:

"c:\program files\PKWARE\SCCLI"
If necessary to separate the path from another path designation, precede your path with a semicolon.

Click OK twice.

You may now access Smartcrypt from any directory without specifying a path. This change will take effect the next time you open a Command Prompt window to run Smartcrypt.
If necessary, consult your systems administrator for further information on setting the path environment variable.