HOW TO: Split and Rejoin PGP Desktop 8.x keys

Article:HOWTO41916  |  Created: 2006-03-14  |  Updated: 2012-02-02  |  Article URL http://www.symantec.com/docs/HOWTO41916
Article Type: How To

This article describes how to split and rejoin PGP Desktop 8.x keys in Windows 98, ME, NT, 2000, and XP.


Any private key may be split into shares among multiple shareholders. In order to sign or decrypt files with a split key, the key must be rejoined by the minimum number of shareholders, which is designated at the time the key is split. This is recommended for extremely high security keys (such as Additional Decryption Keys, ADKs).


Note: When a key is split, it is divided into .shf files (shareholder files). These shareholder files are necessary for rejoining the key later.


Create a split key 

  1. Open PGPkeys (click the PGPtray icon, then click PGPkeys).
  2. Right click on the keypair which will be split, then click Share Split. The Split PGP Key window opens.
  3. You may add shareholders by dragging their keys from the PGP keys window into the Shareholders window. If a shareholder does not have a PGP key, click the Add button and allow them to type in their name and a passphrase.
  4. Once you have added all the shareholders, set the number of shares required to decrypt or sign (in the bottom right corner). This will be the minimum number of shareholders required to rejoin the key. By default each key or name is one shareholder. To increase the number of shares a key or name holds, select it in the Shareholders window then adjust the number immediately below the window.
  5. Click the Split Key button.
  6. Browse to the location where the individual .shf files (.share files) will be saved, then click OK.
  7. Enter the original passphrase of the key being split, then click OK.
  8. Read the PGP Warning message, then click Yes. The key will be split, and the shareholder files will be created in the location you specified.
  9. Each shareholder should now take a copy of their shareholder file, and the original shareholder files should be deleted.
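The k-of-n property the procedure above relies on (a threshold chosen at split time, and a shareholder optionally holding more than one share) can be illustrated with Shamir secret sharing over a prime field. This is an added example written for this article, not PGP Desktop's own code or share-file format; the field prime, the shareholder names and the `seed` parameter are constructed for the demonstration.

```python
"""Threshold secret sharing: split a secret into shares, rejoin from any k of them."""
import random
import secrets

# Constructed choice: a prime large enough to hold any secret we share (2**521 - 1).
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x, modulo PRIME (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, holders, threshold, seed=None):
    """Split secret among holders: {name: number_of_shares}, like the Shareholders window,
    where giving a name more shares gives it more weight. Returns {name: [(x, y), ...]}.
    seed is only for reproducible demos; leave it None to use the OS CSPRNG."""
    rng = secrets.SystemRandom() if seed is None else random.Random(seed)
    if not 0 <= secret < PRIME:
        raise ValueError("secret out of range")
    if not 1 <= threshold <= sum(holders.values()):
        raise ValueError("threshold must be between 1 and the total number of shares")
    # Degree threshold-1 polynomial with the secret as constant term.
    coeffs = [secret] + [rng.randrange(1, PRIME) for _ in range(threshold - 1)]
    shares, x = {}, 1
    for name, count in holders.items():
        shares[name] = []
        for _ in range(count):
            shares[name].append((x, _eval_poly(coeffs, x)))  # share = point on the curve
            x += 1
    return shares


def rejoin(points):
    """Lagrange-interpolate the collected (x, y) points at x=0 to recover the constant term.
    With fewer than threshold points the result is a different polynomial's value, not the secret."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret


if __name__ == "__main__":
    # alice holds 2 shares, bob and carol 1 each; any 3 shares rejoin the key.
    s = split_secret(0xC0FFEE, {"alice": 2, "bob": 1, "carol": 1}, threshold=3, seed=7)
    print(hex(rejoin(s["alice"] + s["bob"])), hex(rejoin(s["bob"] + s["carol"])))
```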


Rejoin a split key to sign or decrypt files 

Note: You may rejoin a split key with local share files, remote share files, or a combination of both. This section will discuss rejoining with local shares and remote shares.



Rejoin Locally


  1. At the rejoining computer, right click on the file to be signed or decrypted.
  2. Point to PGP, then click Sign or Decrypt & Verify. The Enter Passphrase box appears.
  3. Click OK to begin rejoining the key. The Key Share Collection box appears.
  4. Click the Select Share File button.
  5. Browse to and select a share file, then enter its passphrase and click OK. Repeat this step until the required number of shareholders is reached.
  6. Click OK on the Key Share Collection box, and the file will be signed or decrypted.


Rejoin remotely

When a split key is rejoined over a network, the shares are transferred over an encrypted connection; the fingerprint check in step 10 below confirms that the shares are going to the intended rejoining computer.


  1. At the rejoining computer, right click on the file to be signed or decrypted.
  2. Point to PGP, then click Sign or Decrypt & Verify. The Enter Passphrase box appears.
  3. Click OK to begin rejoining the key. The Key Share Collection box appears.
  4. Click the Start Network button.
  5. From the drop-down menu, select the key which will be remotely authenticated, enter its passphrase, then click OK. The status will now change to 'Listening', which means the host machine is ready to receive remote shares. NOTE: Steps 6-10 must now be completed by the remote shareholder(s).
  6. Click the File menu in PGPkeys, then click Send Key Shares.
  7. Browse to the necessary share file and click Open.
  8. Enter the passphrase associated with the share file, and click OK. (The Send Key Shares window now opens.)
  9. Enter the IP address of the rejoining computer, then click Send Shares.
  10. Both users should now verify the fingerprint of the authenticating key, then click the Confirm button. At this point the remote user is told that the share was sent successfully, and the user at the rejoining computer sees that the remote share has been added to the list of collected shares. Have each remote user complete steps 6-10 until the required number of shareholders is reached.
  11. On the rejoining computer, click OK on the Key Share Collection box, and the file will be signed or decrypted.


Rejoin a split key permanently 

Note: Once a split key is rejoined permanently, all of its share files become invalid. In addition, the rejoined key must be assigned a new passphrase.



  1. At the rejoining computer, open PGPkeys.
  2. Right click on the key to be rejoined, then click Key Properties.
  3. Click the Join Key button.
  4. Follow the steps in either of the previous two sections to collect the number of required shares locally or remotely.
  5. Click OK on the Key Share Collection box.
  6. Enter and confirm a new passphrase for the key being rejoined, then click OK.
  7. Click OK on the dialog box notifying you that the key has been rejoined, and all old share files for this key are no longer valid.

Legacy ID: 234