Managing PGP Keys with PGP Desktop or Symantec Encryption Desktop


Article ID: 232034



Products: Desktop Email Encryption, Drive Encryption, Encryption Management Server, Endpoint Encryption, File Share Encryption, Gateway Email Encryption, Information Centric Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK


This article covers the basics of PGP keys: how to create keypairs and keyrings, how to import keys, and how to change the passphrase of an existing key.


PGP encryption (Symantec Encryption Desktop) is based on public-key cryptography. In order to use PGP you must create a PGP keypair, which consists of a public key and a private key.

Your public key should be given to anyone who wishes to send you encrypted data.

Your private key, however, should never be given to others, and its passphrase should be kept totally secret.

When someone wishes to send you encrypted data, they use your public key to encrypt it. This turns the data into encrypted content that only the intended recipients can decrypt.

Once the data is encrypted with your public key, it may only be decrypted by your private key, for which only you know the passphrase. Thus when you want to send someone encrypted data, you use their public key to encrypt the data, which may then only be decrypted by their private key.

When data is encrypted with a public key, it is common to say that the data was encrypted 'to' the public key.

TIP: For more information about public-key cryptography, refer to the historical PGP document 'Intro to Crypto', provided as an attachment at the bottom of this article. The document is old and is part of PGP history, but its concepts are still current and it is a great read for anyone who would like to learn more about cryptography!

Caution: If you lose your private key or forget its passphrase, you will be unable to decrypt any data which was encrypted to the public portion of your keypair. Therefore it is very important to remember your passphrase and have a back-up copy of your keypair.

Key Reconstruction is an option that could potentially help you recover from this situation.  For more information about this, see the following articles:

180130 - HOW TO: Reconstruct Your Private Key for Windows

153258 - Key Reconstruction - PGP Desktop

Create a PGP Keypair  

Open the PGP keys window (click the gray padlock in your system tray, PGPtray icon, then click PGP keys).
To begin creating a new keypair, click the File menu, then click New PGP Key.
When the PGP Key Generation Welcome Screen appears, click Next. If you are an experienced user and wish to specify the type, size, or expiration date of your keypair, click the "Advanced..." button.

Enter your name and email address, then click Next. (You can leave the email address off if it does not apply to the key.)

Enter and confirm a passphrase for your private key, then click Next.

TIP: PGP is only as strong as your passphrase so choose a strong passphrase!

Your passphrase is case-sensitive. If your passphrase is not 8 characters or longer, you may either click Next on the following screen, or click back to lengthen your passphrase.

After your PGP keypair has been generated, click Next.

To complete the keypair generation, click Finish. You will now see your new keypair in your PGP keys window, expanded to show your email address and digital signature.

You do not need to submit your PGP key to the Keyserver repository. This is completely optional for a standalone client.

Import a PGP key 

To import PGP key:

Open the PGP keys window (click the gray padlock in your system tray, your PGPtray icon, then click PGP keys).
To import a key (or keypair), click the Keys menu, then click Import.
Browse to the key you wish to import, then click Open.
When the Select Keys window appears, make sure the key you wish to import is highlighted, then click the Import button.
If you are importing your own public/private keypair, click OK on the PGP information box.
Right click on the newly-imported keypair, then click Properties.
Click the Implicit Trust checkbox, then click Close.

Change your keyring, or create a new one

Click the PGPtray icon (gray or gold padlock), then click Options.
Click the Files tab.
To change your current keyrings to a different set of keyrings, type the location of (or browse to) the desired public and private keyring files, then click OK.
To create brand new, and empty, keyring files, simply enter (or browse to) the desired location, then type a name for your new public and private keyring files.
When you click OK, you will be told that the files you specified will be created. Click 'No' twice if you want new and empty keyrings. Click Yes twice if you want to copy your existing keyrings to the new location.


Changing the passphrase of an existing key

1. To change the passphrase of your PGP key when you already know the current passphrase, open Symantec Encryption Desktop (PGP Desktop) and click on PGP Keys:

2. You will see a list of all your keys.  Look for the key in question that you would like to change the passphrase for.  Double-click on that key to open the key properties:

Notice the "Change Passphrase" option above.  Click this and you will be prompted to enter the current passphrase:

Once the proper passphrase is entered, now enter a new passphrase and confirm:

Once the new passphrase is entered, click Finish.  No confirmation will be seen, but the new passphrase should now take effect. 
Go through the same steps above to confirm.


Creating New Keyrings inside of PGP Desktop

PGP Desktop has its own default keyring that will be used out of the box, but you can also have additional keyrings if you would like to have a unique set of keys.

As an example, if you open the PGP Desktop client, you'll see "All Keys" listed:

This is the default keyring.  Right-click All Keys, and select "Properties" and you will see the location of the two keyring files:

As you can see, there is the "Public" keyring "pubring.pkr", which will have only public keys.
You will also see the "Private" or "Secret" keyring, "secring.skr", which will have all the keypairs.

The keyring files mentioned above house all the individual keys.  When you right-click a key and export it to .asc format, you are exporting with a specific key format that PGP understands.  You can export one key, or multiple keys into a single .asc file. 

If you have an .asc file that you would like to import, you can typically just double-click on it.

If you have multiple keyrings and you want to import to only one keyring, then drag the key into the keyring you wish to use.


In this example, we are going to create a new keyring so that we will have the "All Keys" and a new keyring as well.  To do this, click on the Keys top menu in PGP Desktop, then select "New Keyring":

When you do this, new .pkr and .skr files will be created.  

The Keyring will be called "New Keyring", but you can rename this to whatever you would like (To rename, right-click and rename):

Now, you will notice no keys are included in this keyring because it is starting from scratch.

Drag a few files inside here and start populating the new keyring as you would like.

As you can see in the screenshot above, there are three keys.  "User1" and "User3" are keypairs; you can tell because their icons show two keys.  The "User2" icon shows only a single key, so this is an easy way to tell visually if the key is public or private.

If you want to export all these keys to a single file, highlight all the keys (ctrl + a) and then right-click the keys, and click "Export".  The following screen comes up:

As you can see, you can change the filename to whatever you want, and the location.  We're going to export to the "PGP Key Dump" folder we previously created.

I'll change the name to "AllUsersKeys.asc"

I am also going to check the box "Include Private Key(s)" so that all the keypairs will be included in the export.

The result is a single .asc file:


TIP: You can actually view this file with a text editor and see each cipherblock for each key:

In the example above, we've cut out a lot of the cipherblock to show you the "PUBLIC KEY BLOCK" and "PRIVATE KEY BLOCK" entries to show you that this file has both public keys and private keys.
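
The check below is an added example, not part of the original article or of PGP Desktop. It scans an exported .asc file such as AllUsersKeys.asc, reports whether each armored block is public or private from both its label and its first OpenPGP packet tag, and verifies the armor checksum, which is worth doing before an export is handed to anyone else. The function names and the dummy sample blocks are assumptions constructed for the illustration.

```python
import base64
import re

# RFC 4880 armor: BEGIN line, headers, blank line, base64 body, "=XXXX" CRC-24 line, END line.
BLOCK_RE = re.compile(
    r"-----BEGIN PGP (?P<kind>[A-Z ]+)-----\n(?P<inner>.*?)-----END PGP (?P=kind)-----",
    re.DOTALL)
SECRET_KEY_TAG = 5  # OpenPGP packet tag for a secret (private) key; 6 is a public key

def crc_line(raw: bytes) -> str:
    """The "=XXXX" armor checksum line: base64 of the CRC-24 of the decoded body."""
    crc = 0xB704CE
    for byte in raw:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return "=" + base64.b64encode((crc & 0xFFFFFF).to_bytes(3, "big")).decode()

def first_packet_tag(raw: bytes) -> int:
    """New-format packet headers keep the tag in bits 5-0, old-format in bits 5-2."""
    return raw[0] & 0x3F if raw[0] & 0x40 else (raw[0] >> 2) & 0x0F

def scan_export(text: str) -> list:
    """Describe each armored block; 'private' trusts the packet tag as well as the label."""
    found = []
    for m in BLOCK_RE.finditer(text.replace("\r\n", "\n")):
        lines = [ln.strip() for ln in m.group("inner").split("\n")]
        body = lines[lines.index("") + 1:]  # armor headers end at the first blank line
        raw = base64.b64decode("".join(ln for ln in body if not ln.startswith("=")))
        stated = next((ln for ln in body if ln.startswith("=")), None)
        tag = first_packet_tag(raw) if raw else None
        found.append({
            "label": m.group("kind"),
            "private": "PRIVATE KEY" in m.group("kind") or tag == SECRET_KEY_TAG,
            "crc_ok": stated in (None, crc_line(raw)),
        })
    return found

def armor(kind: str, raw: bytes) -> str:
    """Build a constructed armor block around dummy bytes (not a real key)."""
    return (f"-----BEGIN PGP {kind}-----\nVersion: constructed sample\n\n"
            f"{base64.b64encode(raw).decode()}\n{crc_line(raw)}\n-----END PGP {kind}-----\n")

# Constructed stand-in for an export such as AllUsersKeys.asc: one public, one private block.
SAMPLE = (armor("PUBLIC KEY BLOCK", b"\x99\x00\x01\x04")
          + armor("PRIVATE KEY BLOCK", b"\x95\x00\x01\x04"))

print(scan_export(SAMPLE))
```

To check a real export, read the file as text and pass its contents to scan_export; any entry with "private" set to True means the file must be handled like the private key itself.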


Now, say your keyring is empty and you would like to import .asc files to your new keyring. Simply drag and drop the files into the empty space of the keyring:

This should pop up the following screen:

Since this import contains private keys in addition to public keys, you'll get the following message. Just click OK:

Now the keys will be imported to your new keyring:

You can drag and drop additional keyrings and these will all be included in the "New Keyring" shown in this example, and not in the "All Keys".

Right-click the "New Keyring" to get the path where the keyring files are stored.

You will notice the keyring files are randomly named:


TIP: If you have keyrings that you would like the PGP Desktop client to use, the easiest way to do this is to create a new keyring, and then right-click the new keyring and go to properties, and browse to the other keyrings you would like to use. 


Attachment: 1641935247902__IntroToCrypto.pdf