Creating new Keyrings for each specific Encryption Job with PGP Command Line
search cancel

Creating new Keyrings for each specific Encryption Job with PGP Command Line


Article ID: 269535


Updated On:


PGP Command Line Desktop Email Encryption Drive Encryption Encryption Management Server Endpoint Encryption File Share Encryption Gateway Email Encryption PGP Key Management Server PGP Key Mgmt Client Access and CLI API PGP SDK


PGP Command Line has the ability to encrypt large amounts of files and folders by integrating the PGP Commands into your scripting logic.

Typically "Default" keyrings are used for all of the keyring files (pubring.pkr for public keys and secring.skr for private/secret keys).  As you acquire public keys from clients or generate keypairs of your own, the list will grow.  All of these keys are stored within the default keyring location, which typically are at the following locations:



To list all keys in a keyring, simply run "pgp --list-keys" or "pgp -l" for shorthand.


There is one such known behavior where encrypting many jobs simultaneously using only one keyring may cause keyring clashing or locking.  For example, a job may run to create a new keypair that would be used for subsequent encryption for the job.  Creating a keypair periodically is not an issue, but creating hundreds of keypairs while encrypting files in succession could run into this keyring clashing/locking behavior such that a key is generated at the same time mass encryption jobs are running.

When a key is generated, it is modifying the keyring, and if mass encryption jobs are running to encrypt at the same time as multiple keyring modifications, additional issues may occur, such as "No Keys Found" errors.

When these "No Keys Found" errors occur, it may stop regular encryption, so using separate keyrings for each job should avoid this issue.



There may be reasons to use a separate keyring aside from the default or the above scenario, and for these situations it is possible to create a keyring and specify the location of the keyring. 

Although less common, this article will discuss this scenario in a little more detail and offer some logic flow for the scenario.


For this example, we have a need to encrypt a folder that contains information inside of it. 

*For each folder, we need to create a keypair, and encrypt to that keypair as part of the process.
*Each folder represented for each client will have its own keyring.

For example, you may have a 1GB chunk of data that needs to be encrypted and it is located in a location similar to the following location:


*Inside the "clientXYZ" folder is where all the files would reside, PDFs, TXT files, etc.  No other client would have their data in here except for "clientXYZ", so these folders are organized such that data for one client would never reside in other folders.
*This means that when running these jobs, only this folder is really being used for only "clientXYZ" data.
*The idea here is to create the keyring files inside of each of these folders.  

Continuing the example, for this "clientXYZ" folder, you would create another folder called "KeyringXYZ", so you will end up with another folder in the path:



Inside of the folder "KeyringXYZ" is where we want to store the keyring files for only this client. 

In other words, we don't want the keyring files to be intermixed with the default keyrings, and when we do the encryption, we will always use only these keyrings that reside inside of the "clientXYZ\KeyringXYZ" folder.


The Keyring Creation, Key Generation and Encryption Flow

Step 1: The Job is initiated and the 1GB chunk location identified via your script logic is run.  In this example, the folder "c:\jobs\clients\clientXYZ" is identified as the working directory to perform the encryption.

Step 2: Your Script logic builds the required files in order to process the folder.  

Some of these files are the the keyrings that will reside in the folder for this job, which, in this case is a folder called "KeyringXYZ".  

Step 3: Now that the path has been determined, and a keyring folder is created, we can now issue a command to create a new keyring in this folder.

To do so, the following command is issued:
pgp --create-keyrings --home-dir "c:\jobs\clients\clientXYZ\KeyringXYZ"

Upon successful completion, you will see the following returned:

"c:\jobs\clients\clientXYZ\KeyringXYZ\pubring.pkr:create keyrings (0:file created successfully)"

"c:\jobs\clients\clientXYZ\KeyringXYZ\secring.skr:create keyrings (0:file created successfully)"

Now check the "c:\jobs\clients\clientXYZ\KeyringXYZ" folder, and you will see these two files listed (bolded above).


Step 4: Now that we have new keyrings, we will issue a command to create a new key.  In this example, we will use the name "Bobby" with an Email Address of "[email protected]" with the following command:

pgp --gen-key "Bobby <[email protected]>" --key-type rsa --bits 4096 --passphrase bobby --home-dir "c:\jobs\clients\clientXYZ\KeyringXYZ"

The following will show success:

Acquiring entropy from system state....done
Generating key Bobby <[email protected]>
progress.........................................................................................................**** ............**** done
0x16ADDE8F:generate key (0:key successfully generated)
Acquiring entropy from system state....done
Generating subkey
progress..............**** ................................................................................................................................................**** done
0x653A7E4B:generate key (0:subkey successfully generated)

Tip: Not part of the flow, but for awareness, the following command will list the keyring contents, but only for the keyring in question for the "Home Directory" specified in the previous commands:

pgp --list-keys --home-dir "c:\jobs\clients\clientXYZ\KeyringXYZ"
 Alg  Type Size/Type Flags   Key ID     User ID
----- ---- --------- ------- ---------- -------
*RSA4 pair 4096/4096 [VI---] 0x16ADDE8F Bobby <[email protected]>
1 key found

Step 5: Now that we have created new "Home Directory" set of keyring files in a specific location (with --home-dir), and generated a key, we can now encrypt the contents needed.

In this test, we will encrypt a file called "bobby-test.txt", and we will use only the key in the new "KeyringXYZ" location to the key previously generated (Key ID Listed as 0x16ADDE8F):

pgp --encrypt bobby-test.txt --recipient bobby --home-dir "c:\jobs\clients\clientXYZ\KeyringXYZ" --output "c:\jobs\clients\clientXYZ\KeyringXYZ\bobbytest.pgp" --debug

Tip: The "--debug" option is used in this example to list the Key ID listed in the command, but during a normal flow, --debug is not needed:

pgp:encrypt (3157:current local time 2023-07-10T15:34:30-06:00)
c:\jobs\clients\clientXYZ\KeyringXYZ\pubring.pkr:open keyrings (1006:public keyring)
"c:\jobs\clients\clientXYZ\KeyringXYZ\keyring3\secring.skr:open keyrings (1007:private keyring)
 unhandled event 1
Checking signatures... 100%
 unhandled event 2
0x16ADDE8F:encrypt (1030:key added to recipient list)
 unhandled event 1
Checking signatures... 100%
 unhandled event 2
Encoding bobby-test.txt...
bobby-test.txt:encrypt (3048:data encrypted with cipher AES-128)
Encoding bobby-test.txt... 100% (???)
Encode complete
bobby-test.txt:encrypt (0:output file c:\jobs\clients\clientXYZ\KeyringXYZ\bobbytest.pgp)


In all of the above steps, we never used the default keyring and each of these steps involved using only the "Home Directory" specified for the keyring.

It will create a natural partition of data so that only the keys and keyrings for each specific job will be used and stored in only the location currently needing to be reviewed.

Additionally, using a new set of keyring files for each job will ensure that none of these keys are intermixed with the "Default Keyring", and will keep the default keyring more organized.
In order to use these keyrings again, simply reference the location in the Home Directory path discussed above.


For further guidance, reach out to Symantec Encryption Support.


Additional Information


180118 - HOW TO: Use PGP Command Line to Create and Manage PGP Keys