Usage in Docker

Running in Docker

You can use OpenPGP CA in container systems (such as Docker or podman). The project repository contains a build file at /Dockerfile.

With docker you can build the image by running:

$ docker build --tag oca ./

This command builds the image and tags it as oca. Once built, you can run the image as:

$ docker run --rm oca

You should see the help output.

(We’re using oca like a command line tool here. We don’t want to start it as a long-running container. Therefore, we use the --rm parameter, which tells docker to “automatically remove the container when it exits”.)

Running any oca command is easy, just add the command and any parameters at the end of the docker call, like so:

$ docker run --rm oca ca init --domain softkey

However, when we’re running OpenPGP CA in a container, the database does not normally persist between runs.

Inside the container, the database is kept in /var/run/openpgp-ca/ by default. To operate a persistent OpenPGP CA instance in docker, you can create and use a volume:

$ docker volume create oca_test
$ docker run --rm -v oca_test:/var/run/openpgp-ca/ oca ca init --domain softkey

The CA database is stored on that volume, which can be reused with a series of ephemeral containers.

Let’s delete this test volume again:

$ docker volume rm oca_test

An example centralized workflow that creates a CA and a user then looks like:

$ docker volume create oca_test
$ docker run --rm -v oca_test:/var/run/openpgp-ca/ oca ca init --domain softkey
$ docker run --rm -v oca_test:/var/run/openpgp-ca/ oca user add --email --email --name Alicia
$ docker run --rm -v oca_test:/var/run/openpgp-ca/ oca user add --email
$ docker run --rm -v oca_test:/var/run/openpgp-ca/ oca user list

For regular use you probably want to employ more automated tools like docker-compose.

Container Registry

You can find pre-built container images on gitlab.

The “latest” tag can be used from

Example usage

First, let’s create a volume to store the OpenPGP CA database (which contains all the state of this OpenPGP CA instance)

$ docker volume create example_ca

Then we can run a temporary container that uses this volume and the latest OpenPGP CA build from our GitLab CI (of course you can always build your own image, if you prefer):

$ docker run --rm -v example_ca:/var/run/openpgp-ca/ \

To initialize an OpenPGP CA instance for the domain, we run

$ docker run --rm -v example_ca:/var/run/openpgp-ca/ \ \
   ca init --domain softkey

We create a new user:

$ docker run --rm -v example_ca:/var/run/openpgp-ca/ \ \
   user add --email --name "Alice Adams"

… and then inspect the user database:

$ docker run --rm -v example_ca:/var/run/openpgp-ca/ \ \
   user list

OpenPGP certificate 4D3B3C810C5A1383967C48E74825DDCB02A64CCB
 User 'Alice Adams'
 Identities certified by this CA:
 - 'Alice Adams <>'
 Has trust-signed this CA
 No expiration is set
 1 revocations available