HOW TO: Split PGP Keys in Symantec Encryption Desktop 10.X for Windows
search cancel

HOW TO: Split PGP Keys in Symantec Encryption Desktop 10.X for Windows


Article ID: 180242


Updated On:


Desktop Email Encryption Drive Encryption Encryption Management Server Endpoint Encryption File Share Encryption Gateway Email Encryption PGP Command Line PGP Key Management Server PGP Key Mgmt Client Access and CLI API PGP SDK


 PGP Desktop (Symantec Encryption Desktop) has the ability to generate PGP keys for various purposes.  Some keys, such as Additional Decryption Keys, are highly sensitive and there is a need to ensure that not only one individual can use the key to decrypt content.  Splitting keys is the main idea behind this, so that in order to use the PGP Key Pair, more than one individual must be present to join the key for decryption.

This article will review how this is done. 


Any private key can be split into shares among multiple shareholders using a cryptographic process known as Blakely-Shamir key splitting. As mentioned, this technique is recommended for extremely high security keys.

When you split a key, the shares are saved as files either encrypted to the public key of a shareholder or encrypted conventionally if the shareholder has no public key. After the key has been split, any attempts to sign or decrypt with it will automatically attempt to rejoin the key.

To Split a PGP Key:

  1. Open PGP Desktop, click the PGP Keys Control box, and then click All Keys or My Private Keys in the Control box. The private keys on your keyring appear.
  2. Click on the keypair you want to split. The selected keypair highlights. In this example, the following key is being used:

  3. Select Keys > Share Key > Make Shared. The Shared PGP Key dialog box appears:  

  4. Add shareholders for the split key by dragging and dropping their keys in the Shareholder list.  In this list, we will add multiple users:

    User1, User2, User3, and User4

    So we will click the "Add" button where we can add User1 as one of the shared users:

    Once you click Add, type the name and then you will be prompted for a passphrase.  Only User1 knows the passphrase at this step:

    User1 will click OK and will now be one of the shared users:

    Click Add for three more users to the list:

  5. When all of the shareholders are listed, you can specify the number of key shares that are necessary to decrypt or sign with this key.
    In this example, we'll eave this as 2 users, meaning two of the above 4 users must be present to rejoin the key and use for decryption.

    Note: By default, each shareholder is responsible for one share. To increase the number of shares a shareholder controls, click the name in the shareholders list and then use the arrows to adjust the number of shares.

  6. Click Split Key. You are prompted to select a directory in which to store the shares.

  7. Select a location to store the key shares, then click OK. The Passphrase screen appears:

  8. Enter the passphrase for the key you want to split, then click OK. A confirmation dialog box is displayed:

    Click Yes to split the key. The key is split and the shares are saved in the location you specified. Each key share is saved with the shareholders name as the file name and an SHF extension:


  9. Distribute the key shares to the owners, then securely remove the local copies. Once a key is split among multiple shareholders, attempting to sign or decrypt with it will cause SED Desktop to automatically attempt to rejoin the key.

    Now if you open PGP Desktop to review the key, the icon will have a special overlay icon indicating the key is now split:
  10. It is possible to encrypt to split keys, but in order to decrypt, you must join the key:

  11. Now when you try to decrypt the file encrypted to these split keys, as long as you have the Split key in your keyring, you'll receive the pop-up listed here:

    If you have only the public portion of the K

     Also, if you try to join the key, you will see the option is grayed out:

    Important Note: Make sure you export the keypair of the HighSecurityKey and also back that up, otherwise, the key will not be able to be used!

    To export the keypair, right-click the key, and select "Include Private Key(s)":

    Also save this file somewhere safe!

    Now if you need to rejoin the key, you can do so with the following article:

    180243 - HOW TO: Rejoin Keys in PGP Desktop 10 for Windows