The PGP keyring stores all the public and secret keys. Keys with an associated private key are shown with a green lock symbol next to the Key ID.
A PGP key contains two parts, a secret key and a public key (a key pair). The secret key is used for signing and decrypting of email. In most cases a PGP user has multiple key pairs. One master key and one or more sub-keys. The master key identifies the user, i.e., it contains the “User ID”, and the master key signs the sub-keys. A “User ID” typically contains the email address of the owner of the key. A PGP key can be valid for signing, for encryption or for both.
By clicking the Key ID field of a key, the details page of the PGP key, including all sub-keys, will be opened.
PGP secret keys should never be shared with external recipients. For additional security, secret keys can be stored on a Hardware Security Module (HSM).
- The database ID under which this key is stored.
- User IDs
- The “User IDs” field contains all the “User IDs” from the master key. In most cases a “User ID” contains the user name and email address (but this is not a requirement, a “User ID” can contain anything).
- The email field contains all the email addresses from the “user IDs” and email addresses which were manually added by the admin.
- Key ID
The “Key ID” uniquely identifies the key. There are two forms of the Key ID. A long “Key ID” and a short “Key ID”. A long “Key ID” is created by using the lower 64 bits of the fingerprint and a short “Key ID” is created by using the lower 32 bits of the fingerprint.
Example: A key with for which the fingerprint is
4F1F836B90C074C7984285BC8277F1C27BBF6E41has a long of “Key ID”
8277F1C27BBF6E41and a short of “Key ID”
A short “Key ID” should no longer be used because it is no longer secure to identify a key only by it’s short “Key ID”. It is easy to create keys for which the short “Key ID” collides with an existing key.
- Parent Key ID
- If the key is sub-key, the “Parent Key ID” points to the master key that owns the sub-key. The “Parent Key ID” is empty if the key is a master key.
- Creation Date
- The date the key was created.
- Expiration Date
- If set, the date after which the key should no longer be used.
- The date at which the key was stored on the gateway or when the key was updated.
- Private key available
- Set to True if a private key (secret key) is available for the PGP key. Set to False otherwise.
- Valid for encryption
- Set to True if the key is valid for encryption. Set to False otherwise.
- Valid for signing
- Set to True if the key is valid for signing. Set to False otherwise.
- The “Fingerprint” is the 160-bit SHA-1 hash of the key. A “Fingerprint” uniquely identifies a key.
- Sha256 Fingerprint
- The “Fingerprint” is the SHA-256 hash of the key. A “Fingerprint” uniquely identifies a key.
The OpenPGP specifications require that the fingerprint is created using SHA1. SHA256 is however more secure. To uniquely identify the key even if SHA1 is at some point no longer secure, use the SHA256 fingerprint.
- Key length
- The length of the PGP key.
- Master key
- Set to True if the key is a master key. Set to False otherwise.
- Parent ID
- The database ID under which the parent key (i.e., the master key) is stored.
- Set to True if the key is trusted, i.e., not expired, not revoked etc. Set to False otherwise.
- Failure message
- If a key is not valid, the “Failure message” contains additional information.
By default imported PGP keys are not trusted. A key which is trusted is printed with a white background and a key which is not trusted is printed with a gray background (see image above). A key can also expire (this can happen if the key has an expiration date). A key which is expired is printed with a yellow background. A key can also be revoked. A key can be revoked by the owner of the key to indicate that the key should no longer be used. A revoked key is printed with a red background.
The trust of a key can be managed by clicking Key trust on the key details page.
- Trust level
- A key can be “Trusted” or “Not trusted”. If the trust level is not selected, the trust level is set to “Undefined”.
- Include sub keys
- If “Include sub keys”, the selected trust level will also be applied to all the sub keys of the master key.
Publish public key¶
By clicking Publish public key, the public master and sub-keys will be published to the registered public key servers.
The “User ID” of a master key in most cases contains one or more email address associated with the key. The gateway allows the administrator to associate additional email addresses with the key. Existing email addresses can also be dissociated, i.e., removed. The email addresses associated with the key can be edited by clicking Email addresses.
A domain can also be associated with a key. If a domain is associated with a key, the key will be used for any email address from that domain. This can be used to setup PGP domain to domain encryption.
A key can be revoked by clicking Revoke key. Only a key for which the secret key is available can be revoked.
If a key is revoked, upload the key to the key servers to make sure the key servers also revoke your key.
Existing public and secret PGP keys can be imported from file by clicking Import keyring on the left-hand side menu. When importing a password protected secret keys file, the password for the secret keys must be specified.
- Ignore parsing errors
- A file can contain multiple secret and public key rings. If “Ignore parsing errors” is enabled, importing will skip a faulty key if the key could not be imported because of some error (for example if the key is faulty or uses some non-standard format).
A new master and sub-key for a user can be created by clicking Create keyring on the left-hand side menu. The “User ID” of the generated master key will be set to
Name <Email address>
- Email address
- The email address part for the “User ID”.
- The name part for the “User ID”.
- Key size
- The size of the PGP key to generate.
- Publish the generated key to the remote key servers
- If set, the newly generated key will be uploaded to the registered key servers.
Public keys can be stored on external key servers. Storing a public key makes it easier for recipients to find keys for external users. Keys can be searched on the “Search keys” page which can be opened by clicking Search keys on the left-hand side menu. The key servers which are registered (by default
ha.pool.sks-keyservers.net) are searched.
If searching for “Key ID”, the search key must be prefixed with
Example: Searching for a key with short “Key ID”
271AD23B, use the search string
If keys are found, the keys can be selected and imported.
- Exact matches only
- If selected, Only exact matches will be returned
- Automatically trust imported key
- If set, the imported keys are automatically trusted.
The list of key servers which will be queried when searching or publishing keys. Only HTTP Keyserver Protocol (HKP) is supported.
The gateway will automatically select the keys for encryption and signing. Whether or not a key is used for encryption and/or signing depends on a number of factors. The requirements for encryption keys are different then the requirements for signing keys.
Encryption key selection¶
A key will be used for encryption if the following key requirements are met:
- The key must be trusted
- The key must not be expired
- The key must not be revoked
- The email recipient must match an associated email address or domain of the key
- The key must be valid for encryption
The encryption key will be automatically selected for every recipient. To check which keys are selected for a recipient a search for the email address (or domain) can be executed on the PGP keyring page.
Another way to check which key is selected for a recipient or domain is by adding a user or domain and selecting Encryption keys from the PGP pull-down menu on the user or domains settings page. The selected encryption keys for the recipient (or recipients domain if a domain was selected) will be shown on PGP encryption key page. If there are multiple valid keys available for a recipient, the email will be encrypted with multiple keys.
Signing key selection¶
A key will be used for signing if the following key requirements are met:
- A private key must be available
- The key must be trusted
- The key must not be expired
- The key must not be revoked
- The from sender address must match an associated email address or domain of the key
- The key must be valid for signing
The signing key will be automatically selected for a sender. To check which signing key is selected, add a user or domain and select Signing key from the PGP pull-down menu on the user or domains settings page. The selected signing key for the sender (or senders domain if a domain was selected) will be shown on PGP signing key page.
Only the selected signing key will be used for signing. If there are multiple keys which can be used for signing are available, a new signing key can be set by selecting the signing key and applying the settings.