Managing PGP Keys with PGP Desktop (Symantec Encryption Desktop)
Article ID: 232034
Updated On:
Products
Issue/Introduction
This article will go over the basics of PGP keys and how to create some keyrings as well as keypairs and how to change the passphrase of this key.
Resolution
Table of Contents
PGP encryption (Symantec Encryption Desktop) is based on public-key cryptography. In order to use PGP you must create a PGP keypair, which consists of a public key and a private key.
Your public key should be given to anyone who wishes to send you encrypted data.
Your private key, however, should never be given to others, and its passphrase should be kept totally secret.
When someone wishes to send you encrypted data they use your public key to encrypt the data, which changes the data into encrypted content so only the intended recipients can decrypt.
Once the data is encrypted with your public key, it may only be decrypted by your private key, for which only you know the passphrase. Thus when you want to send someone encrypted data, you use their public key to encrypt the data, which may then only be decrypted by their private key.
When data is encrypted with a public key, it is common to say that the data was encrypted 'to' the public key.
TIP: For more information about public-key cryptography, refer to a great historical PGP document 'Intro to Crypto' document provided at the bottom of this article as an attachment. The article is old, and is considered rich PGP history, but is still current in concepts and is great for anyone who would like to learn more about Cryptography!
Caution: If you lose your private key or forget its passphrase, you will be unable to decrypt any data which was encrypted to the public portion of your keypair. Therefore it is very important to remember your passphrase and have a backup copy of your keypair.
Key Reconstruction is an option that could potentially help you recover from this situation. For more information about this, see the following articles:
180130 - HOW TO: Reconstruct Your Private Key for Windows
153258 - Key Reconstruction - PGP Desktop
Section 1 of 5: Create a PGP Keypair
Open the PGP keys window (click the gray padlock in your system tray, PGPtray icon, then click PGP keys).
To begin creating a new keypair, click the File menu, then click New PGP Key.
When the PGP Key Generation Welcome Screen appears, click Next. If you are an experienced user and wish to specify the type, size, or expiration date of your keypair, click the "Advanced..." button.
Enter your name and Email address, then click Next. (You can leave email address off if this does not apply to the key).
Enter and confirm a passphrase for your private key, then click Next.
TIP: PGP is only as strong as your passphrase so choose a strong passphrase!
Your passphrase is case-sensitive. If your passphrase is not 8 characters or longer, you may either click Next on the following screen, or click back to lengthen your passphrase.
After your PGP keypair has been generated, click Next.
To complete the keypair generation, click Finish. You will now see your new keypair in your PGP keys window, expanded to show your email address and digital signature.
You do not need to submit your PGP key on the Keyserver repository, this is completely option as a standalone client.
For more information, please take a look at this KB: 178742
Section 2 of 5: Import a PGP key
Sometimes it's necessary to import existing keys into your keyring. Most typically they will be public keys. When you import the public key, you will need to validate that it is a proper key.
Always be sure the key you are importing is a legitimate key as you will be encrypting sensitive data to it. It's a good idea to call the owner of the key on the phone and ask them to read you the key id.
This provides non-repudiation and will allow you to easily put your seal of approval on that key.
If it is a private key, know where it came from. Look at the Key ID, the Creation Date, and other attributes of the key to help you determine if this key is one that you can use.
Private keys are used to "Sign" files and digital content. Similar to signing a document, you are putting your reputation on the line when you use the keypair. First make sure it is valid.
To import PGP key:
Step 1: Open the PGP keys window (click the gray padlock in your system tray, your PGPtray icon, then click PG Pkeys).
Step 2: To import a key (or keypair), click the Keys menu, then click Import (Or simply double-click on the key).
Step 3: If you clicked Open via the PGP Desktop application, then browse to the key you wish to import, then click Open.
Step 4: When the Select Keys window appears, make sure the key you wish to import is highlighted, then click the Import button.
If you are importing your own public/private keypair, click OK on the PGP information box.
Step 5: Right click on the newly-imported keypair, then click Properties.
Step 6: Click the Implicit Trust checkbox, then click Close.
Step 7: Change your keyring, or create a new one
Step 8: Click the PGPtray icon (gray or gold padlock), then click Options. Click the Files tab.
To change your current keyrings to a different set of keyrings, type the location of (or browse to) the desired public and private keyring files, then click OK.
To create brand new, and empty, keyring files, simply enter (or browse to) the desired location, then type a name for your new public and private keyring files.
When you click OK, you will be told that the files you specified will be created. Click 'No' twice if you want new and empty keyrings. Click Yes twice if you want to copy your existing keyrings to the new location.
Section 3 of 5: Changing the passphrase of an existing key
1. To change the passphrase of your PGP key, and you already know the passphrase, open Symantec Encryption Desktop (PGP Desktop) and click on PGP Keys:
2. You will see a list of all your keys. Look for the key in question that you would like to change the passphrase for. Double-click on that key to open the key properties:
Notice the "Change Passphrase" option above. Click this and you will be prompted to enter the current passphrase:
Once the proper passphrase is entered, now enter a new passphrase and confirm:
Once the new passphrase is entered, click Finish. No confirmation will be seen, but the new passphrase should now take effect.
Go through the same steps above to confirm.
Section 4 of 5: Creating New Keyrings inside of PGP Desktop
PGP Desktop has its own default keyring that will be used out of the box, but you can also have additional keyrings if you would like to have a unique set of keys.
As an example, if you open of the PGP Desktop client, you'll see the "All Keys" listed:
This is the default keyring. Right-click All Keys, and select "Properties" and you will see the location of the two keyring files:
As you can see, there is the "Public" keyring "pubring.pkr", which will have only public keys.
You will also see the "Private" or "Secret" keyring, "secring.skr", which will have all the keypairs.
The keyring files mentioned above house all the individual keys. When you right-click a key and export it to .asc format, you are exporting with a specific key format that PGP understands. You can export one key, or multiple keys into a single .asc file.
If you have an .asc file that you would like to import, you can typically just double-click on it.
If you have multiple keyrings and you want to import to only one keyring, then drag the key into the keyring you wish to use.
In this example, we are going to create a new keyring so that we will have the "All Keys" and a new keyring as well. To do this, click on the Keys top menu in PGP Desktop, then select "New Keyring":
When you do this, new .pkr and .skr files will be created.
The Keyring will be called "New Keyring", but you can rename this to whatever you would like (To rename, right-click and rename):
Now, you will notice no keys are included in this keyring because it is starting from scratch.
Drag a few files inside here and start populating the new keyring as you would like.
As you can see in the screenshot above, there are three keys. "User1" and "User3" are keypairs, you can see this because there are two keys for the icon. The "User2" key has only a single key, so this is an easy way to tell visually if the key is public or private.
If you want to export all these keys to a single file, highlight all the keys (ctrl + a) and then right-click the keys, and click "Export". The following screen comes up:
As you can see, you can change the filename to whatever you want, and the location. We're going to export to the "PGP Key Dump" folder we previously created.
I'll change the name to "AllUsersKeys.asc"
I am also going to check the box "Include Private Keys(s)" so that all the keypairs will be included in the export.
The result is a single .asc file:
TIP: You can actually view this file with a text editor and see each cipherblock for each key:
In the example above, we've cut out a lot of the cipherblock to show you the "PUBLIC KEY BLOCK" and "PRIVATE KEY BLOCK" entries to show you that this file has both public keys and private keys.
Now, say your keyring is empty and you would like to import .asc files to your new keyring, simply drag-and-drop the files into the empty space of the keyring:
This should pop up the following screen:
Since this import contains private keys in addition to public, you'll get the following message, just click OK:
Now the keys will be imported to your new keyring:
You can drag and drop additional keyrings and these will all be included in the "New Keyring" shown in this example, and not in the "All Keys".
Right-click the "New Keyring" to get the path where the keyring files are stored.
You will notice the keyring files are randomly named:
TIP: If you have keyrings that you would like the PGP Desktop client to use, the easiest way to do this is to create a new keyring, and then right-click the new keyring and go to properties, and browse to the other keyrings you would like to use.
Section 5 of 5: Working with Expired PGP Keys
PGP Keys can have an expiration date of "Never", or an expiration date of a particular timeframe. This Expiration date is all determined by the owner of the key, if the key is managed by the user, or it is determined by the PGP server, if it is managed by the PGP Server.
If the key is managed by the server, we call that a "Managed" client, where the PGP server will control the key settings and policies. Managed clients can use different keymodes, and this also comes into play with key renewal.
For more information on the keymode definitions, see the following article:
153249 - Symantec Encryption Management Server Key Modes
If you are a CKM or GKM key, you can control the actual expiration date of the key itself, even if you are "Managed" by the PGP server. What the PGP server does manage as far as expiration dates, is the signature on the key.
The key expiration dates for CKM/GKM are managed by the user, much like an "Unmanaged/Standalone" client.
If the key is managed solely by the user, we call that a "Standalone" or "Unmanaged" client, where the user manages all settings of keys and policies.
If you do have control of the key, and you would like to change the expiration date, open up the PGP Desktop client and double-click on the key in question that is expired.
You can tell a key is expired by looking at the icon next to it:
The little clock icon over the key indicates that there is something about the key that is expired. In this example, we can see the key itself is actually expired:
If you can see the "Change Passphrase" option on the top of the key properties, you know you will be able to change the expiration date. If you do not see this, then you either do not have a keypair, or your keymode is SKM.
SKM Keys cannot be managed by the user, because they are "Server Managed Keys", which means, the PGP server will control when it expires. The good news about SKM is that as long as the users are connected to the server, this is not typically the problem.
To update the expiration date, click on the "Expired" down arrow:
You can click on "Never" to make the key never expire, or choose a date you would like instead:
In the example above, we will select the same date, but 2030 instead and click OK. This will require a passphrase be entered:
Once the proper passphrase has been entered, the key expiration will be updated, and the icons are also updated to indicate the operation worked:
Now that the key is updated, you can export the public portion and send to your recipient and they can then start encrypting data to the key.
Until this is done, the recipients will have only the expired copy, as this will not get updated for them. Have them delete the old key, and send them the new, and this new key can then be used.
SKM Keys that expire
If you have SKM keys that have expired, the renewal period comes into play.
For more information on key renewal parameters, see the following article:
The SKM Keys that are managed on the PGP server will get automatically signed as long as the users remain active. if the user was inactive for a period, have them check in with the PGP Server, and every 12 hours a renewal process runs on the PGP server.
The key should renew at that point. If you need more guidance on this aspect, reach out to Symantec Encryption Support for further assistance.
If you have an SKM key on the PGP server that you wish to change the expiration date manually, we do not recommend doing the renewal except in the method above, but you can export the key from the PGP server, change the date, and re-upload to the server.
As mentioned, this method is not recommended and following the general information outlined above is better. If in doubt, reach out to Encryption Support for further guidance.
Attachments
Feedback
