Video Screencast Help

Step by Step guide to create and use symmetric keys with PGP KMS

Created: 08 Apr 2011 • Updated: 05 Jul 2011
Language Translations
Andreas Zengel's picture
0 0 Votes
Login to vote

This step-by-step guide shows how PGP Command Line can be used together with the PGP Key Management Server to create symmetric key series and how those can be used to encrypt data.
 
The example steps below will create a new MAK (Managed Asymmetric Key), then create a new Managed Encryption Key Series (MEK Series) that is bound to this MAK. The next steps will modify some properties of the MEK series and create new keys in the series.
 
Preparation:

Use PGP Universal Server Management console and go to Consumers-Users-Add Users-Internal User-Manual Creation
Create a new internal user consumer named "testuser1" with passphrase "password".  
 
Assign the following permissions for this consumer:

  • Can create managed key
  • Can create symmetric key Series
  • Steps to perform via PGP Command Line

 
1. Authenticate the consumer and cache authentication

 pgp --usp-server keys.senderdomain.com --auth-username testuser1 --auth-passphrase password --usp-cache-auth
 keys.senderdomain.com:USP cache auth (0:Authentication cached)

2. Create a new MAK that we use as container for the symmetric key series

 pgp --usp-server keys.senderdomain.com --create-mak --name "MakForMekSeries1"
 MakForMekSeries1:create MAK (0:Created as bbf7a901-28cd-41ad-adb2-123742fd6343)

3. Create a new MEK Series under this MAK (provide UUID of MAK created in step 2)

 pgp --usp-server keys.senderdomain.com --create-mek-series --name "MekSeries1" --parent bbf7a901-28cd-41ad-adb2-123742fd6343
 MekSeries1:create MEK Series (0:Created as 563fb515-1369-40d6-b23d-1fef0638eecb)

4. Display the default properties for this new MEK Series (provide UUID of MEK Series created in step 3)

 pgp --usp-server keys.senderdomain.com --details --search-mek-series 'EQ(UUID,"563fb515-1369-40d6-b23d-1fef0638eecb")'
MEK Series Details: MekSeries1
 UUID: 563fb515-1369-40d6-b23d-1fef0638eecb
 Number of MEKs in series: 0
 Creation time: 2010-06-30
 End of life: 1969-12-31
 Validity (sec): 0

5. Change the validity duration for each MEK in this MEK Series to 1 day (86.400 seconds) (Provide UUID of MEK Series created in step 3)

 pgp --usp-server keys.senderdomain.com --edit-mek-series 563fb515-1369-40d6-b23d-1fef0638eecb --validity-duration 86400
 MekSeries1:edit MEK series (0:MEK series validity duration set)
 MekSeries1:edit MEK series (0:MEK series edited successfully)

6. Change the End-Of-Life date for the MEK series (Provide UUID of MEK Series created in step 3)

Time fields represent the date and time, per RFC-8601. You must specify time using UTC (). The format of the date/time string is: YYYY-MM-DDTHH:MM:SSZ
Where:

  • YYYY is the year, in four digits.  
  • MM is the month, in two digits (with leading zero where necessary).  
  • DD is the day, in two digits (with leading zero where necessary).  
  • T indicates that a specific time follows.  
  • HH is the hour, in two digits (with leading zero where necessary).  
  • MM is minutes, in two digits (with leading zero where necessary).  
  • SS is seconds, in two digits (with leading zero where necessary).  
  • Z indicates a time zone.  

Therefore we can use the time formats '2011-09-29T13:45:00Z' or '2011-09-29'

 pgp --usp-server keys.senderdomain.com --edit-mek-series 563fb515-1369-40d6-b23d-1fef0638eecb --end-of-life 2014-09-29T13:45:00Z
 MekSeries1:edit MEK series (0:MEK series end of life set)
 MekSeries1:edit MEK series (0:MEK series edited successfully)

7. Create a new (initial) symmetric key (MEK) in the MEK series (Provide UUID of MEK Series created in step 3)

 pgp --usp-server keys.senderdomain.com --create-mek --parent 563fb515-1369-40d6-b23d-1fef0638eecb
 563fb515-1369-40d6-b23d-1fef0638eecb:create MEK (0:Active MEK: 3679bd12-f469-40b8-ae3c-2988edeeed6a)

8. Encrypt a file to the MEK Series (Provide UUID of MEK Series created in step 3)

Encrypting a file to a MEK Series will always use the current MEK in the MEK series to encrypt to. The MEK series can be given as --recipient and you can specify either the UUID of the MEK Series or the UUID of the MEK series

 pgp --usp-server keys.senderdomain.com --symmetric --armor --input plaintext.txt --output encrypted.sym.pgp --recipient MekSeries1
 plaintext.txt:encrypt (0:output file encrypted.sym.pgp)

9a. Decrypt the file if the MEK from step 7 is still active

 pgp --usp-server keys.senderdomain.com --decrypt encrypted.sym.pgp -o decrypted1.txt --decrypt-with  MekSeries1
 encrypted.sym.pgp:decrypt (0:output file decrypted1.txt)

9b. Decrypt the file using the MEK UUID (Provide UUID of MEK created in step 7)

 pgp --usp-server keys.senderdomain.com --decrypt encrypted.sym.pgp -o decrypted2.txt --decrypt-with 3679bd12-f469-40b8-ae3c-2988edeeed6a
 encrypted.sym.pgp:decrypt (0:output file decrypted2.txt)

 

A text file with those commands is attached: