This article details the process to split PGP keys in PGP Desktop 9.x.
Any private key can be split into shares held by multiple shareholders using a cryptographic process known as Blakley-Shamir key splitting. Only a chosen number of those shares (the threshold) is needed to reconstruct the key, so no single shareholder can use it alone. This technique is recommended for extremely high-security keys.
When you split a key, the shares are saved as files, each either encrypted to the public key of a shareholder or encrypted conventionally (with a passphrase) if the shareholder has no public key. After the key has been split, any attempt to sign or decrypt with it automatically starts the process of rejoining the key from the shares.
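The threshold property described above, as an added worked example that is not PGP Desktop's own code: the secret is embedded as the constant term of a random polynomial over a prime field, each shareholder receives one point on that polynomial, and any k points recover the secret by Lagrange interpolation while k-1 points do not. The "key" here is a constructed placeholder byte string, not real key material, and the prime and the share count are assumptions chosen for the demonstration.

```python
"""Blakley-Shamir style threshold secret sharing (added example, not PGP
Desktop's own implementation). Splits a secret into n shares so that any k
of them rejoin it and fewer than k do not."""
import secrets

# Prime field for all arithmetic (assumption: a Mersenne prime larger than
# any secret we will share here).
P = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with the given coefficients at x (mod P)."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % P
    return result


def split_secret(secret: bytes, k: int, n: int):
    """Split secret into n shares with threshold k.

    The secret becomes the constant term of a random polynomial of degree
    k-1; share i is the point (i, f(i)) on that polynomial.
    """
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    s = int.from_bytes(secret, "big")
    if s >= P:
        raise ValueError("secret too large for the field")
    coeffs = [s] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def rejoin_secret(shares, secret_len: int) -> bytes:
    """Recombine shares by Lagrange interpolation at x = 0.

    With k distinct shares this returns the original secret. With fewer,
    the interpolated polynomial is a different one and the constant term is
    an unrelated field element, so the result does not match the secret.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate shares supplied")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % P
                den = (den * (xi - xj)) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    nbytes = max(secret_len, (total.bit_length() + 7) // 8)
    return total.to_bytes(nbytes, "big")


def demo():
    """Split a constructed placeholder secret 3-of-5 and try to rejoin it."""
    key = b"constructed placeholder private key material"  # not a real key
    shares = split_secret(key, k=3, n=5)
    return {
        "first_three": rejoin_secret(shares[:3], len(key)) == key,
        "any_three": rejoin_secret([shares[0], shares[2], shares[4]], len(key)) == key,
        "only_two": rejoin_secret(shares[:2], len(key)) == key,
    }


if __name__ == "__main__":
    print(demo())
```

In PGP Desktop the same idea applies to the private key itself, and the "number of key shares necessary" you pick in the dialog is the threshold k; a shareholder holding several shares simply holds several points.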
Key splitting is particularly useful for Additional Decryption Keys (ADKs): because an ADK can decrypt mail for the whole organization, requiring several shareholders to rejoin it prevents any one person from using it alone.
An additional decryption key (ADK) is a key generally used by security officers of an organization to decrypt messages that have been sent to or from employees within the organization. Messages encrypted to a key that carries an ADK are encrypted both to the recipient's public key and to the ADK, which means the holder of the ADK can also decrypt the message.
ADKs are rarely used or needed outside of a PGP Universal-managed environment. Although your PGP administrator should not ordinarily need to use the additional decryption key, there may be circumstances when it is necessary to recover someone's email, for example if an employee is injured and out of work for some time, or if email records are subpoenaed by a law enforcement agency and the corporation must decrypt mail as evidence for a court case.
To split a PGP key:
- Open PGP Desktop, click the PGP Keys Control box, and then click My Private Keys in the Control box. The private keys on your keyring appear.
- Click on the keypair you want to split. The selected keypair highlights.
- Select Keys > Share Key > Make Shared. The Shared PGP Key dialog box appears.
- Add shareholders for the split key by dragging and dropping their keys into the Shareholder list.
  To add a shareholder who does not have a public key, click Add, type the person's name, then allow the person to type in their passphrase. (The shareholder needs to be physically present in order to type their own passphrase.)
- When all of the shareholders are listed, specify the number of key shares that are necessary to decrypt or sign with this key.
  Note: By default, each shareholder is responsible for one share. To increase the number of shares a shareholder controls, click the name in the Shareholder list and then use the arrows to adjust the number of shares.
- Click Split Key. You are prompted to select a directory in which to store the shares.
- Select a location to store the key shares, then click OK. The Passphrase screen appears.
- Enter the passphrase for the key you want to split, then click OK. A confirmation dialog box is displayed.
- Click Yes to split the key. The key is split and the shares are saved in the location you specified. Each key share is saved with the shareholder's name as the file name and a .shf extension.
- Distribute the key shares to their owners, then delete the local copies. Once a key is split among multiple shareholders, attempting to sign or decrypt with it causes PGP Desktop to automatically attempt to rejoin the key.
Warning: After splitting the key pair, you must export the ADK keypair (private and public keys) to be able to rejoin a split key. See the separate article on exporting keys.