PGP keys

The PGP keyring stores all the public and secret keys. Keys with an associated private key are shown with a green lock symbol next to the Key ID.

PGP keyring

A PGP key contains two parts, a secret key and a public key (a key pair). The secret key is used for signing and for decrypting email. In most cases a PGP user has multiple key pairs: one master key and one or more sub-keys. The master key identifies the user, i.e., it carries the “User ID”, and the master key signs the sub-keys. A “User ID” typically contains the email address of the owner of the key. A PGP key can be valid for signing, for encryption or for both.

By clicking the Key ID field of a key, the details page of the PGP key, including all sub-keys, will be opened.

Important

PGP secret keys should never be shared with external recipients. For additional security, secret keys can be stored on a Hardware Security Module (HSM).

PGP key details

Key details

ID

The database ID under which this key is stored.

User IDs

The “User IDs” field contains all the “User IDs” from the master key. In most cases a “User ID” contains the user name and email address (but this is not a requirement, a “User ID” can contain anything).

Email

The email field contains all the email addresses from the “User IDs” plus any email addresses which were manually added by the admin.

Key ID

The “Key ID” identifies the key. There are two forms of the Key ID: a long “Key ID” and a short “Key ID”. A long “Key ID” is the lower 64 bits of the fingerprint (its last 16 hexadecimal characters) and a short “Key ID” is the lower 32 bits of the fingerprint (its last 8 hexadecimal characters).

Example

A key whose fingerprint is 4F1F836B90C074C7984285BC8277F1C27BBF6E41 has the long “Key ID” 8277F1C27BBF6E41 and the short “Key ID” 7BBF6E41.

Important

A short “Key ID” should no longer be used because it is not secure to identify a key only by its short “Key ID”. It is easy to create a key whose short “Key ID” collides with that of an existing key. Identify keys by their full fingerprint instead.

Parent Key ID

If the key is a sub-key, the “Parent Key ID” points to the master key that owns the sub-key. The “Parent Key ID” is empty if the key is a master key.

Creation Date

The date the key was created.

Expiration Date

If set, the date after which the key should no longer be used.

Updated

The date at which the key was stored on the gateway or when the key was updated.

Private key available

Set to True if a private key (secret key) is available for the PGP key. Set to False otherwise.

Valid for encryption

Set to True if the key is valid for encryption. Set to False otherwise.

Valid for signing

Set to True if the key is valid for signing. Set to False otherwise.

Fingerprint

The “Fingerprint” is the 160-bit SHA-1 hash of the key. A “Fingerprint” uniquely identifies a key.

Sha256 Fingerprint

The “Sha256 Fingerprint” is the SHA-256 hash of the key. It also uniquely identifies a key.

Note

The OpenPGP specification requires that the fingerprint is created using SHA-1. SHA-256 is however more secure. To uniquely identify the key even if SHA-1 is at some point no longer secure, use the SHA-256 fingerprint. Note that other OpenPGP implementations identify keys by the standard SHA-1 fingerprint, so when exchanging fingerprints with external parties the SHA-1 fingerprint is the one they can compare against.
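The following example, added here and not part of the original page or the gateway's own code, shows how the values in the “Key ID” and “Fingerprint” sections relate: it builds a version 4 RSA public-key packet from constructed (not real) key material, computes the SHA-1 fingerprint over the framed packet as RFC 4880 specifies, derives the long and short Key IDs from it, and then brute-forces a second key whose short Key ID matches the lowest 16 bits of a target by varying only the creation timestamp, which is the search that makes short Key IDs unsafe. The SHA-256 fingerprint function assumes the gateway hashes the same framed packet with SHA-256; the page does not say how it is computed.

```python
import hashlib
import struct

# Constructed sample key material (not a real key): the RSA numbers are deliberately
# tiny so the packet stays readable; real keys use a 2048-bit or larger modulus.
SAMPLE_N = 0xC0FFEE1234567890ABCDEF
SAMPLE_E = 65537
SAMPLE_CREATED = 1600000000  # creation time in seconds since the epoch


def encode_mpi(value: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit length, then the big-endian magnitude."""
    bit_len = value.bit_length()
    return struct.pack(">H", bit_len) + value.to_bytes((bit_len + 7) // 8, "big")


def v4_rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a version 4 public-key packet for RSA (public-key algorithm 1)."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + encode_mpi(n) + encode_mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """v4 fingerprint (RFC 4880 12.2): SHA-1 over 0x99, the 2-byte body length and the body."""
    framed = b"\x99" + struct.pack(">H", len(body)) + body
    return hashlib.sha1(framed).hexdigest().upper()


def sha256_fingerprint(body: bytes) -> str:
    """Assumption: the gateway's SHA-256 fingerprint hashes the same framed packet with SHA-256."""
    framed = b"\x99" + struct.pack(">H", len(body)) + body
    return hashlib.sha256(framed).hexdigest().upper()


def long_key_id(fingerprint: str) -> str:
    """Lower 64 bits of the fingerprint, i.e. its last 16 hex digits."""
    return fingerprint[-16:].upper()


def short_key_id(fingerprint: str) -> str:
    """Lower 32 bits of the fingerprint, i.e. its last 8 hex digits."""
    return fingerprint[-8:].upper()


def find_short_id_collision(target_short_id: str, bits: int = 16, max_tries: int = 1 << 22):
    """Brute-force a key whose short Key ID matches the lowest `bits` bits of the target by
    varying only the creation timestamp. Matching all 32 bits is the same search, only
    2^16 times longer, which is why a short Key ID must not be used to identify a key."""
    mask = (1 << bits) - 1
    target = int(target_short_id, 16) & mask
    for created in range(SAMPLE_CREATED, SAMPLE_CREATED + max_tries):
        fp = v4_fingerprint(v4_rsa_public_key_body(SAMPLE_N, SAMPLE_E, created))
        if int(short_key_id(fp), 16) & mask == target:
            return created, fp
    raise RuntimeError("no collision found within max_tries")


if __name__ == "__main__":
    page_fp = "4F1F836B90C074C7984285BC8277F1C27BBF6E41"
    print("long :", long_key_id(page_fp), "short:", short_key_id(page_fp))
    body = v4_rsa_public_key_body(SAMPLE_N, SAMPLE_E, SAMPLE_CREATED)
    print("sample fingerprint:", v4_fingerprint(body))
    created, fp = find_short_id_collision(short_key_id(page_fp), bits=16)
    print("collision on low 16 bits after", created - SAMPLE_CREATED, "tries:", fp)
```

The collision search only touches the creation timestamp, so every candidate is a perfectly well-formed key; an attacker targeting a real key would additionally generate fresh key material and publish the colliding key to a key server under the victim's User ID.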

Key length

The length of the PGP key in bits.

Master key

Set to True if the key is a master key. Set to False otherwise.

Parent ID

The database ID under which the parent key (i.e., the master key) is stored.

Valid

Set to True if the key is valid, i.e., not expired, not revoked, etc. Set to False otherwise.

Failure message

If a key is not valid, the “Failure message” contains additional information.

Key trust

By default, imported PGP keys are not trusted. A trusted key is shown with a white background and an untrusted key with a gray background (see image above). A key can also expire (if the key has an expiration date); an expired key is shown with a yellow background. A key can also be revoked. A key is revoked by its owner to indicate that the key should no longer be used; a revoked key is shown with a red background.

The trust of a key can be managed by clicking Key trust on the key details page.

Trust level

A key can be “Trusted” or “Not trusted”. If the trust level is not selected, the trust level is set to “Undefined”.

Include sub keys

If “Include sub keys” is selected, the selected trust level will also be applied to all the sub-keys of the master key.

Publish public key

By clicking Publish public key, the public master and sub-keys will be published to the registered public key servers.

Email addresses

The “User ID” of a master key in most cases contains one or more email addresses associated with the key. The gateway allows the administrator to associate additional email addresses with the key. Existing email addresses can also be dissociated, i.e., removed. The email addresses associated with the key can be edited by clicking Email addresses.

Note

A domain can also be associated with a key. If a domain is associated with a key, the key will be used for any email address from that domain. This can be used to setup PGP domain to domain encryption.

Revoke key

A key can be revoked by clicking Revoke key. Only a key for which the secret key is available can be revoked.

Note

If a key is revoked, publish the revoked key to the key servers so that the key servers also mark your key as revoked.

Importing keys

Existing public and secret PGP keys can be imported from a file by clicking Import keyring on the left-hand side menu. When importing a password-protected secret key file, the password for the secret keys must be specified.

Ignore parsing errors

A file can contain multiple secret and public key rings. If “Ignore parsing errors” is enabled, the import skips a key that could not be imported because of an error (for example because the key is faulty or uses a non-standard format) instead of failing as a whole.

Create keyring

A new master key and sub-key for a user can be created by clicking Create keyring on the left-hand side menu. The “User ID” of the generated master key will be set to Name <Email address>.

Email address

The email address part for the “User ID”.

Name

The name part for the “User ID”.

Key size

The size in bits of the PGP key to generate.

Publish the generated key to the remote key servers

If set, the newly generated key will be uploaded to the registered key servers.

Search keys

Public keys can be stored on external key servers. Storing a public key makes it easier for recipients to find keys for external users. Keys can be searched on the “Search keys” page, which can be opened by clicking Search keys on the left-hand side menu. The registered key servers are searched (by default ha.pool.sks-keyservers.net; note that the SKS key server pool has since been shut down, so check that the configured key servers are still reachable).

Note

If searching for “Key ID”, the search key must be prefixed with 0x

Example

Searching for a key with short “Key ID” 271AD23B, use the search string 0x271AD23B

If keys are found, the keys can be selected and imported.

Exact matches only

If selected, only exact matches will be returned.

Automatically trust imported key

If set, the imported keys are automatically trusted. Because anyone can upload a key for any email address to a key server, it is safer to leave this unset and verify the fingerprint out of band before trusting an imported key.

Key servers

The list of key servers which will be queried when searching for or publishing keys. Only the HTTP Keyserver Protocol (HKP) is supported.

Key selection

The gateway will automatically select the keys for encryption and signing. Whether or not a key is used for encryption and/or signing depends on a number of factors. The requirements for encryption keys are different from the requirements for signing keys.

Encryption key selection

A key will be used for encryption if the following key requirements are met:

  • The key must be trusted

  • The key must not be expired

  • The key must not be revoked

  • The email recipient must match an associated email address or domain of the key

  • The key must be valid for encryption

The encryption key will be automatically selected for every recipient. To check which keys are selected for a recipient a search for the email address (or domain) can be executed on the PGP keyring page.

Another way to check which key is selected for a recipient or domain is by adding a user or domain and selecting Encryption keys from the PGP pull-down menu on the user's or domain's settings page. The selected encryption keys for the recipient (or the recipient's domain if a domain was selected) will be shown on the PGP encryption key page. If there are multiple valid keys available for a recipient, the email will be encrypted with all of them.

PGP encryption key selection

Signing key selection

A key will be used for signing if the following key requirements are met:

  • A private key must be available

  • The key must be trusted

  • The key must not be expired

  • The key must not be revoked

  • The from sender address must match an associated email address or domain of the key

  • The key must be valid for signing

The signing key will be automatically selected for a sender. To check which signing key is selected, add a user or domain and select Signing key from the PGP pull-down menu on the user's or domain's settings page. The selected signing key for the sender (or the sender's domain if a domain was selected) will be shown on the PGP signing key page.

Only the selected signing key will be used for signing. If multiple keys that can be used for signing are available, a different signing key can be set by selecting it and applying the settings.
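The encryption and signing requirement lists above can be read as two filters over the keyring. The example below, added here and not code from the original page or from the gateway, models both filters over a constructed sample keyring: each key carries only the attributes the rules look at (trust, revocation, expiration date, associated addresses and domains, the two "valid for" flags and whether a private key is available), every recipient gets all keys that pass the encryption filter, and a sender gets one signing key. The rejection messages are illustrative stand-ins for the gateway's “Failure message”, and the rule that the first qualifying key becomes the default signing key is an assumption; the page only says that an administrator can select a different one.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class PgpKey:
    """Constructed model of a keyring entry; only selection-relevant fields are included."""
    key_id: str
    addresses: frozenset          # associated email addresses and bare domains
    trusted: bool
    revoked: bool
    expiration: Optional[date]    # None means the key never expires
    valid_for_encryption: bool
    valid_for_signing: bool
    private_key_available: bool


def matches_address(key: PgpKey, address: str) -> bool:
    """An address matches if it is associated directly or if its domain is associated
    (a domain associated with a key covers every address in that domain)."""
    address = address.lower()
    domain = address.rsplit("@", 1)[-1]
    return address in key.addresses or domain in key.addresses


def rejection_reason(key: PgpKey, address: str, today: date, for_signing: bool) -> Optional[str]:
    """Return why a key cannot be used for the address, or None if every requirement holds.
    The checks follow the two requirement lists; the message texts are illustrative."""
    if for_signing and not key.private_key_available:
        return "no private key available"
    if not key.trusted:
        return "key is not trusted"
    if key.expiration is not None and today > key.expiration:
        return "key is expired"
    if key.revoked:
        return "key is revoked"
    if not matches_address(key, address):
        return "address does not match key"
    if for_signing and not key.valid_for_signing:
        return "key is not valid for signing"
    if not for_signing and not key.valid_for_encryption:
        return "key is not valid for encryption"
    return None


def select_encryption_keys(keyring: List[PgpKey], recipient: str, today: date) -> List[PgpKey]:
    """Every usable key for the recipient; the message is encrypted to all of them."""
    return [k for k in keyring if rejection_reason(k, recipient, today, False) is None]


def select_signing_key(keyring: List[PgpKey], sender: str, today: date,
                       preferred: Optional[str] = None) -> Optional[PgpKey]:
    """Exactly one signing key: the administrator's preferred key if it still qualifies,
    otherwise the first candidate (assumed default; the page does not state the rule)."""
    candidates = [k for k in keyring if rejection_reason(k, sender, today, True) is None]
    for k in candidates:
        if k.key_id == preferred:
            return k
    return candidates[0] if candidates else None


# Constructed sample keyring (not real keys or real Key IDs).
TODAY = date(2024, 1, 15)
KEYRING = [
    PgpKey("0000000000000001", frozenset({"alice@example.com"}), True, False, date(2030, 1, 1), True, True, True),
    PgpKey("0000000000000002", frozenset({"alice@example.com"}), True, False, None, True, False, False),
    PgpKey("0000000000000003", frozenset({"bob@example.com"}), False, False, None, True, True, True),
    PgpKey("0000000000000004", frozenset({"partner.org"}), True, False, None, True, False, False),
    PgpKey("0000000000000005", frozenset({"carol@partner.org"}), True, False, date(2023, 6, 30), True, True, False),
]


def key_ids(keys: List[PgpKey]) -> List[str]:
    return [k.key_id for k in keys]


if __name__ == "__main__":
    for rcpt in ("alice@example.com", "bob@example.com", "carol@partner.org", "dave@partner.org"):
        print(rcpt, "encrypt to", key_ids(select_encryption_keys(KEYRING, rcpt, TODAY)))
    signer = select_signing_key(KEYRING, "alice@example.com", TODAY)
    print("alice signs with", signer.key_id if signer else None)
    print("bob's key rejected because:", rejection_reason(KEYRING[2], "bob@example.com", TODAY, False))
```

Two behaviours in the sample are worth noticing: alice@example.com gets two encryption keys, so the gateway would encrypt to both, and carol@partner.org still gets a key even though her personal key has expired, because the domain key for partner.org covers her address. Neither the expired key nor the domain key can sign for her, so no signing key is selected for that sender.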