PGP

(OpenPGP) is the open standard that defines how PGP works. It provides email encryption and digital signatures, similar to S/MIME. OpenPGP uses key pairs: a public key and a private (secret) key. Public keys can be signed by other keys to indicate trust, although in practice most keys are only self-signed. Public keys can be uploaded to public key servers so others can find them, and they can be downloaded from those servers when needed.

OpenPGP offers two encoding methods: PGP/MIME and PGP/INLINE. PGP/MIME encrypts and signs the entire email message and works well with HTML email. PGP/INLINE handles each part of the message separately, which means HTML support is limited and not all email clients can use it. Because PGP/INLINE must process every part of the message, it can require more system resources. For most users, PGP/MIME is the more compatible and straightforward choice, especially for HTML emails.

Note

We recommend using PGP/MIME because it preserves the original message structure, fully supports HTML content, and provides better performance.

PGP keyring

The PGP keyring contains all your public and secret keys. Any key that has a corresponding private key is marked with a green lock icon in the first column.

PGP keyring

A PGP key is made up of two parts: a public key and a secret (private) key. The public key is shared with others so they can encrypt messages to you and verify your signatures. The secret key is kept private and is used to decrypt messages and create digital signatures.

Most users have a master key and one or more subkeys. The master key identifies the owner and includes the User ID, which typically contains the owner’s name and email address. The master key also signs the subkeys to show they belong together. Subkeys are often used for everyday tasks like signing or encrypting, while the master key is kept more secure.

Each key or subkey can be designated for signing, for encryption, or for both, depending on how you want to use it.

Click a row in the keyring table to open the PGP key’s details page, which includes all subkeys.

Important

Never share your PGP secret keys with anyone outside your organization. For enhanced protection, store secret keys on a Hardware Security Module (HSM).

PGP key details
Key ID

The Key ID uniquely identifies a key. It is available in two formats: a long Key ID and a short Key ID. The long Key ID is derived from the lower 64 bits of the key’s fingerprint, while the short Key ID uses the lower 32 bits.

Example:

A key with for which the fingerprint is 4F1F836B90C074C7984285BC8277F1C27BBF6E41 has a long of “Key ID” 8277F1C27BBF6E41 and a short of “Key ID” 7BBF6E41

Important

Do not use short Key IDs. Identifying a key by its short ID is no longer considered secure because different keys can share the same short ID. Attackers can intentionally create keys that collide with an existing short ID.

Email

The Email field lists all addresses linked to user IDs, plus any additional addresses that an administrator has added manually.

User IDs

The User IDs field lists all user IDs associated with the primary key. Typically, a user ID includes the user’s name and email address, but this is not required; it can contain any text.

Fingerprint

The fingerprint is a 160-bit SHA-1 hash derived from the key. It serves as a unique identifier for that key.

Sha256 Fingerprint

The Sha256 fingerprint is a unique identifier for a key, generated by computing its SHA-256 hash.

Tip

The OpenPGP standard defines fingerprints using SHA-1. For stronger security and to ensure the key remains uniquely identifiable even if SHA-1 becomes insecure in the future, use the SHA-256 fingerprint.

Creation Date

The date the key was created.

Expiration Date

Optional expiration date for the key; after this date, the key is no longer considered valid.

Private Key Alias

The alias under which the certificate is stored in the keystore.

Valid for encryption

Set to True if the key is valid for encryption. Set to False otherwise.

Valid for signing

Set to True if the key is valid for signing. Set to False otherwise.

Insertion date

The date the key was added to the keyring.

Key length

The length of the PGP key.

Algorithm

The PGP key algorithm is the cryptographic method used by a key to perform operations such as encryption and digital signing. It defines how the key is generated and what it can be used for, for example, encryption only, signing only, or both. Common algorithms include RSA, Elgamal, DSA, ECDH, ECDSA, EdDSA, and Diffie-Hellman.

Master key

Set to True if the key is a master key. Set to False otherwise.

Parent ID

The database ID that holds the parent (master) key.

Valid

Indicates whether the key is trusted. Set to True if the key is valid (for example, not expired or revoked); set to False if it is not trusted.

Failure message

If the key is invalid, the failure message includes additional details to help you identify and resolve the issue.

ID

The database ID that holds the key.

Key trust

When you import PGP keys, they are not trusted automatically. In the key list, untrusted or invalid keys are shown with a red exclamation mark icon.

The trust of a key can be managed by selecting a key and then select Trust or Distrust.

PGP trust

Publish keys

When you click Submit, all selected public keys will be published to the configured public key servers.

User ID

The User ID of a master key typically includes one or more email addresses associated with that key. You can manually add additional email addresses to a PGP key. You can also associate a domain with a PGP key. When a domain is associated with a PGP key, the key is considered valid for any email address within that domain.

To manage the associated email/domain addresses, click a key and add or remove additional email addresses or domains.

PGP manage email addresses

Tip

Associating a domain with a key, can be used for domain-to-domain encryption.

Revoke keys

To revoke a selected key, click Revoke from the selection menu. You can only revoke keys whose secret key is available.

Note

After revoking a key, submit the revocation to the key servers so they mark your key as revoked.

Import keys

You can import existing public and secret PGP keys from a file by selecting Actions ‣ Import Keyring. If the secret keys file is password-protected, you will be prompted to enter the password to complete the import.

Ignore parsing errors

A single file may contain multiple secret and public key rings. If Ignore parsing errors is enabled, the import process will skip any keys that cannot be imported due to issues such as corrupted data or non-standard formats, and continue importing the remaining keys.

Export keys

To export public and private PGP keys from your keyring, select the keys you want to export, then choose Export from the selection menu.

Create keyring

To create a new master key and subkey, click Actions ‣ Create New Key.

Email address

The email address part for the “User ID”.

Key type

The type of the key to generate

Name

The name part for the “User ID”.

Find keys

You can store public keys on external key servers. This makes it easier for recipients to find keys for users outside your organization. To search for keys, open the Search keys page by selecting Actions ‣ Find keys. The default configured keyserver is https://keys.openpgp.org.

Tip

The keyserver configuration can be managed with the pgp keyserver cli commands:

ciphermail-cli pgp keyserver get config
ciphermail-cli pgp keyserver set config --key-server-urls <url>
PGP find keys on keyserver

If any keys are found, you can select the ones you want and import them.

Tip

When searching by Key ID, include the 0x prefix before the search value

Example:

Searching for a key with short “Key ID” 271AD23B, use the search string 0x271AD23B

Exact Match

When selected, the results will include only items that exactly match your query.

Auto trust on import

If enabled, imported keys will be trusted automatically.

Key selection

The gateway automatically selects the appropriate keys for encryption and for signing, so you do not need to choose them manually. Whether a key is used for encryption or signing depends on several factors. The eligibility requirements for encryption keys differ from those for signing keys.

Encryption key selection

A key is used for encryption only if it meets all of the following requirements:

  • The key must be trusted

  • The key must not be expired

  • The key must not be revoked

  • The email recipient must match an associated email address or domain of the key

  • The key must be valid for encryption

The system automatically selects an encryption key for each recipient. To see which key is chosen for a specific recipient, open the PGP Keyring page and search by their email address or domain.

To check which encryption key is selected for a recipient or a domain, open the settings for the user or domain, then open the PGP menu and choose PGP ‣ Encryption. The PGP Encryption Keys page shows the keys selected for the recipient or, if you selected a domain, for that domain. If more than one valid key is available for a recipient, the email will be encrypted with all of those keys.

Signing key selection

A key is used for signing only if it meets all of the following requirements:

  • A private key must be available

  • The key must be trusted

  • The key must not be expired

  • The key must not be revoked

  • The from sender address must match an associated email address or domain of the key

  • The key must be valid for signing

To check which encryption key is selected for a recipient or a domain, open the settings for the user or domain, then open the PGP menu and choose PGP ‣ Signing. The PGP Signing Keys page shows the key selected for the sender.

Only the selected signing key is used for signing. If multiple eligible signing keys are available, you can choose a different key by selecting it and applying the settings.