HOW TO: Rejoin Keys in PGP Desktop 10 for Windows

Article:HOWTO42098  |  Created: 2009-10-26  |  Updated: 2012-01-27  |  Article URL http://www.symantec.com/docs/HOWTO42098
Article Type: How To

This article details the process to rejoin split keys in PGP Desktop 10.


Once a key is split among multiple shareholders, attempting to sign or decrypt with it causes PGP Desktop to attempt to rejoin the key automatically. There are two ways to rejoin the key: locally and remotely.


Locally:

Rejoining key shares locally requires the shareholders' presence at the rejoining computer. Each shareholder is required to enter the passphrase for their key share.


  1. Import the saved split keypair to PGP Desktop.
  2. Contact each shareholder of the split key. To rejoin key shares locally, the shareholders of the key must be present.
  3. To temporarily rejoin the key, at the rejoining computer, use Windows Explorer to select the file(s) that you want to sign or decrypt with the split key.
  4. Right-click on the file(s) and select Sign or Decrypt from the PGP shortcut menu. The PGP Enter Passphrase for Selected Key screen appears with the split key selected.
  5. Click OK to reconstitute the selected key. The Key Share Collection screen appears.
  6. To permanently rejoin the key, right-click the split key and select Key Properties from the menu displayed. In the Key Properties dialog box, click Join Key (this button is labeled Change Passphrase for keys that are not split).
  7. When collecting the key shares locally, click Select Share File and then locate the share files associated with the split key. The share files can be collected from the hard drive, a floppy disk, or a mounted drive. Continue with the next step.
  8. Click Confirm to accept the share file.
  9. Continue collecting key shares until the value for Total Shares Collected matches the value for Total Shares Needed on the Key Shares Collection screen.
  10. Click OK.
Note: If you elected to temporarily rejoin the key in order to decrypt or sign, the file is signed or decrypted with the split key and the rejoined key is discarded.

If you elected to permanently rejoin the key, the key is saved as a fully rejoined key (and is no longer split).



Remotely:

Rejoining key shares remotely requires the remote shareholders to authenticate and decrypt their key shares before sending them over the network. The PGP Desktop Transport Layer Security (TLS) feature provides a secure link to transmit key shares, allowing multiple individuals in distant locations to securely sign or decrypt with their key share.

To collect key shares over the network, make sure the remote shareholders have PGP Desktop installed and are prepared to send their key share file. Remote shareholders must have:


  • their key share files and passwords
  • a keypair (for authentication to the computer that is collecting the key shares)
  • a network connection



  1. To temporarily rejoin the key, at the rejoining computer, use Windows Explorer to select the file(s) that you want to sign or decrypt with the split key.
  2. Right-click on the file(s) and select Sign or Decrypt from the PGP shortcut menu. The PGP Enter Passphrase for Selected Key screen appears with the split key selected.
  3. Click OK to reconstitute the selected key. The Key Share Collection screen appears.
  4. To permanently rejoin the key, right-click the split key and select Key Properties from the menu displayed. In the Key Properties dialog box, click Join Key (this button is labeled Change Passphrase for keys that are not split).
  5. When collecting key shares over the network, click Start Network. The remote user must start PGP Desktop and select Keys > Share Key > Send Key Share. This starts the process of selecting the share file, decrypting the share file, selecting an authorization key, unlocking the authorization key, and entering the hostname/IP address of the joining computer.
  6. In the Signing Key field, select the keypair that you want to use for authentication to the remote system and enter the passphrase.
  7. Click OK to prepare the computer to receive the key shares.

    The status of the transaction is displayed in the Network Shares box. When the status changes to Listening, the PGP application is ready to receive the key shares.

    At this time, the shareholders must send their key shares. When a share is received, the Remote Authentication dialog box appears.

    Caution: If you have not signed the key that is being used to authenticate the remote system, the key is considered invalid. Although you can rejoin the split key with an invalid authenticating key, it is not recommended. You should verify each shareholder's fingerprint and sign each shareholder's public key to ensure that the authenticating key is legitimate.

  8. Click Confirm to accept the share file.
  9. Continue collecting key shares until the value for Total Shares Collected matches the value for Total Shares Needed on the Key Shares Collection screen.
  10. Click OK.
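Both procedures above stop at the point where Total Shares Collected equals Total Shares Needed. The following added example (not PGP Desktop code, and not a claim about which sharing scheme PGP Desktop uses internally) illustrates that k-of-n rule with Shamir secret sharing over a prime field: a secret is split into n shares so that any k of them rejoin it, and a small collector class mirrors the Key Share Collection screen by refusing duplicate shares and refusing to rejoin before the threshold is met. The prime, the threshold and the sample secret are constructed for the illustration.

```python
"""Threshold key-share reconstruction (Shamir secret sharing).

Added illustration of the "Total Shares Collected" vs "Total Shares Needed"
rule from the PGP Desktop rejoin procedure. It is NOT PGP Desktop's own
implementation; the field prime and sample values are assumptions.
"""
import secrets

# Mersenne prime 2**127 - 1: the secret must be an integer smaller than this.
P = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial with coefficients coeffs[0..k-1] at x in GF(P) (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, threshold, n_shares):
    """Split secret into n_shares points; any `threshold` of them rebuild it.

    The secret is the constant term of a random polynomial of degree threshold-1.
    Share i is the point (i, f(i)); x=0 is never handed out, it holds the secret.
    """
    if not 1 <= threshold <= n_shares:
        raise ValueError("need 1 <= threshold <= n_shares")
    if not 0 <= secret < P:
        raise ValueError("secret must be an integer in [0, P)")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]


def rejoin_secret(shares, threshold):
    """Lagrange-interpolate f(0) from the collected shares.

    Raises if fewer than `threshold` shares were collected or if a share index
    repeats; the first `threshold` distinct shares are enough.
    """
    if len(shares) < threshold:
        raise ValueError(f"collected {len(shares)} shares, need {threshold}")
    shares = shares[:threshold]
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % P        # product of (0 - x_j)
                den = (den * (xi - xj)) % P    # product of (x_i - x_j)
        # pow(den, -1, P) is the modular inverse (Python 3.8+).
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


class ShareCollection:
    """Models the Key Share Collection screen: confirm shares one at a time."""

    def __init__(self, threshold):
        self.needed = threshold    # "Total Shares Needed"
        self.shares = []

    @property
    def collected(self):           # "Total Shares Collected"
        return len(self.shares)

    def confirm(self, share):
        """Accept one share file; returns True once enough shares are in."""
        x, _ = share
        if any(x == sx for sx, _ in self.shares):
            raise ValueError(f"share {x} was already collected")
        self.shares.append(share)
        return self.collected >= self.needed

    def rejoin(self):
        return rejoin_secret(self.shares, self.needed)


if __name__ == "__main__":
    # Constructed sample: a 3-of-5 split of a 128-bit value.
    sample_secret = secrets.randbelow(P)
    shares = split_secret(sample_secret, threshold=3, n_shares=5)
    screen = ShareCollection(threshold=3)
    for share in (shares[4], shares[1], shares[2]):      # any three shares
        ready = screen.confirm(share)
        print(f"collected {screen.collected} of {screen.needed}, ready={ready}")
    print("rejoined correctly:", screen.rejoin() == sample_secret)
```

Run the module directly to see the collector count up to the threshold and rejoin the sample secret; `rejoin_secret` with only two of the three required shares raises instead of returning a guess, which is the behaviour the collection screen enforces by waiting until the two counters match.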

Legacy ID: 1724