Organizations that rely on files encrypted with OpenPGP need a fast, reliable way to encrypt and decrypt OpenPGP files. They also need a method of ensuring the people who handle OpenPGP files can easily create and open these files. OpenPGP users identify themselves and develop trust through public and private keys.
PKWARE provides SecureZIP to encrypt and decrypt strongly encrypted files using passphrases, X.509 certificates and OpenPGP keys. SecureZIP Server eBusiness Edition includes PKWARE Key Maker to allow you to create and manage OpenPGP keys. This guide will walk you through the basics of using PKWARE Key Maker. Key Maker also features a graphical interface that allows you to work with OpenPGP keys in a familiar point-and-click manner. This help system offers assistance in carrying out Key Maker tasks.
For more information about SecureZIP, see http://www.pkware.com/software/securezip/
Use of PKWARE Key Maker is covered under the terms and conditions of your SecureZIP license agreement.
Some organizations use encryption tools based on the OpenPGP standard, rather than X.509. OpenPGP uses the same basic Public Key Infrastructure principles for exchanging encrypted files, but uses a decentralized “Web of Trust” method of authenticating signatures.
SecureZIP extracts and decrypts files that comply with the OpenPGP specification defined by the Internet Engineering Task Force RFC 4880. SecureZIP can also create OpenPGP-compliant files and sign files with OpenPGP keys.
OpenPGP keys are typically created by individuals, and authenticated by other individuals. In the real world, you have friends who can vouch that you are who you say you are. If you walk into a room full of strangers, your friend can introduce you to the people he knows. Since you trust that your friend is correctly identifying his friends and acquaintances, your trust extends to his friends too.
When you translate the above experience to the electronic, OpenPGP world, it works this way: You create an OpenPGP key to identify yourself. When a friend comes to visit, display the key. The friend can now sign your key (often called “key signing”) and certify that this key represents you. Now everyone who trusts the person who signed your key can also trust that your key is authentic. A Web of Trust is developed as more people authenticate each key. Everyone in the Web of Trust can also exchange messages in the OpenPGP format.
In order to use OpenPGP keys with SecureZIP, they must first be generated and stored in an OpenPGP-compliant key repository. Typically, this repository is a keyring file. OpenPGP public keys are stored in a public keyring file. While not required by the OpenPGP standard or by PKWARE Key Maker, public keyring files usually have a file extension of .pkr. OpenPGP secret keys are stored in a secret keyring file. Secret keyring files usually have a file extension of .skr. Other file extensions may be used for keyring files. PKWARE recommends using the .pkr and .skr file extensions respectively when referencing public and secret keyring files, but other keyring file extensions can be used with this program. The PKWARE Key Maker program provides a means of creating OpenPGP keys and keyring files for use with SecureZIP.
Where your keyring is stored may depend on the software used to create the keyring. Most OpenPGP tools for Windows (including PKWARE Key Maker) store the keyring file by default in C:\users\<username>\My Documents\pgp. GnuPG stores the keyring file in C:\users\<username>\APPDATA\Roaming\gnupg. On UNIX and Linux systems, keyrings are typically stored in the /home/<username>/.pgp or /home/<username>/.gnupg directory.
PKWARE Key Maker by default searches these locations for existing keyrings.
Use the Key Maker Settings dialog box to define your existing public and private keyrings if they are not stored in either of the default folders.
To generate a new OpenPGP public/private key pair:
3. (Optional) Set an expiration date for this key.
4. Click OK to create the key pair.
Establish trust relationships with other OpenPGP keys by signing these keys.
5. Expires on: Check the box, and assign an expiration date to your signature.
Click OK to sign the key.
To remove an OpenPGP key from a keyring:
CAUTION: Only remove keys that are not associated with any OpenPGP file or message.
When you click to select a key from your keyring, Key Maker displays the following information:
Primary User ID
The userid value can contain a name, email address and comment; for example: Tom <email@example.com>
Used to identify a particular OpenPGP key by its unique key ID. The short KeyID (displayed first) is the last eight characters of the Fingerprint (listed below), and the long KeyID (in parentheses) is the last 16 characters of the Fingerprint.
Public or Key Pair (public and private)
Number of bits in the key
Whether a key is valid, revoked, disabled, or expired
Assigns the level of scrutiny the person associated with this key gives before signing another key. When first created, the key's trust level is Unknown. Other trust levels include Marginal, Complete and None. The Implicit trust level should only be assigned to your own keys.
Date the key was created
Date the key is no longer valid
A list of encryption algorithms marked as "preferred" for people using the key. Keys made by Key Maker specify these algorithms (in order): AES-256, AES-192, AES-128, CAST5, and 3DES.
The complete unique string of characters for this key.
Common name and email address associated with this key
This field will always be UserID
Specifies the public-key algorithm of the key. DSA keys can only sign; RSA keys can also be used to encrypt.
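As an added illustration (not code from Key Maker or from this guide), the following Python script shows how the Fingerprint, short KeyID and long KeyID fields described above are related under RFC 4880: the version 4 fingerprint is the SHA-1 hash of the octet 0x99, the two-byte packet length and the public-key packet body, and the key IDs are its trailing 16 and 8 hex characters. The key material below is constructed for the example and is not a real key.

```python
import hashlib
import struct


def mpi(value: int) -> bytes:
    """Encode a positive integer as an OpenPGP MPI (RFC 4880 3.2):
    a 2-byte big-endian bit count followed by the big-endian magnitude."""
    if value <= 0:
        raise ValueError("MPI must be positive")
    nbits = value.bit_length()
    return struct.pack(">H", nbits) + value.to_bytes((nbits + 7) // 8, "big")


def v4_public_key_body(created: int, algorithm: int, *mpis: int) -> bytes:
    """Body of a version 4 Public-Key packet (RFC 4880 5.5.2):
    version byte, 4-byte creation time, algorithm id, then the key's MPIs."""
    return bytes([4]) + struct.pack(">I", created) + bytes([algorithm]) + b"".join(mpi(m) for m in mpis)


def v4_fingerprint(body: bytes) -> str:
    """V4 fingerprint (RFC 4880 12.2): SHA-1 over 0x99, 2-byte body length, body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def key_ids(fingerprint: str) -> tuple:
    """Long key ID is the low-order 64 bits (last 16 hex chars) of the fingerprint;
    the short key ID is the low-order 32 bits (last 8 hex chars)."""
    return fingerprint[-16:], fingerprint[-8:]


# Constructed sample key material (NOT a real key): a small RSA-style modulus,
# the usual public exponent 65537, and a creation time of 1 Jan 2020 00:00 UTC.
SAMPLE_N = 0xC4F8E9E15DCADF2B96C763D981006A644FFB4415030A16ED1283883340F2AA0F
SAMPLE_E = 65537
SAMPLE_CREATED = 1577836800
RSA_ALGORITHM = 1  # public-key algorithm id for RSA (RFC 4880 9.1)


def demo() -> tuple:
    """Build the sample packet body and return (fingerprint, long key ID, short key ID)."""
    body = v4_public_key_body(SAMPLE_CREATED, RSA_ALGORITHM, SAMPLE_N, SAMPLE_E)
    fp = v4_fingerprint(body)
    long_id, short_id = key_ids(fp)
    return fp, long_id, short_id


if __name__ == "__main__":
    fingerprint, long_id, short_id = demo()
    print("Fingerprint:", fingerprint)
    print("Short KeyID:", short_id, "(long KeyID:", long_id + ")")
```

Because the short KeyID is only 32 bits, the Fingerprint field is the value to compare when verifying that a key belongs to the person you expect.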
Signed User ID
Identifies the key that's been signed. This value can contain a name, email address and a comment of the signee.
Name (and often the email address) of the signer.
Signer Key ID
The unique eight-character ID for the signer
Date the signature was created
Expiration date of the signature, if any.
You can attach a subkey to any primary public/private key pair to use the same key pair to sign and encrypt files. If your subkey is compromised, you don't need to revoke your master key.
The unique identifying ID for the subkey
Specifies the subkey's public-key algorithm: RSA, ElGamal, or DSA (if this is an additional signing subkey).
Date the subkey was created
Date the subkey is no longer valid
The length (in bits) of the subkey
Whether the subkey is expired or revoked
Most OpenPGP tools for Windows (including PKWARE Key Maker) store the keyring file by default in C:\users\<username>\My Documents\pgp. GnuPG stores the keyring file in C:\users\<username>\APPDATA\Roaming\gnupg. On UNIX and Linux systems, keyrings are typically stored in the /home/<username>/.pgp or /home/<username>/.gnupg directory.
PKWARE Key Maker searches these locations for existing keyrings. If your keyring is not in one of these default locations, use the Key Maker Settings dialog box to identify the appropriate keyring.
When you have made your changes, Key Maker will always place newly generated keys in the defined keyring. It will also use the defined keyrings for other operations (such as Import and Export).
You can add a second UserID to a key if you want separate identities for different uses (personal and business, for example). To do this:
Most OpenPGP keys have at least one subkey. You can attach a subkey to any primary public/private key pair to use the same key pair to sign and encrypt files. If your subkey is compromised, you only need to revoke the subkey, not your master key.
To add a subkey:
Use this command to export keys and keyrings from one location to another. In the command line interface, you can use the Copy command for this operation. This command allows you to copy one or more public keys or a keyring to another public keyring, or one or more secret keys or a keyring to another secret keyring.
To export keys:
Use this command to import keys and keyrings from one location to another. In the command line interface, you can use the Copy command for this operation. This command allows copying of one or more public keys or a keyring to another public keyring, or copying of secret keys or keyring to another secret keyring.
To import a single key to the existing keyring:
The Key Maker graphical interface lets you perform common and simple tasks with OpenPGP keys.
Key Maker on the command line (included in SecureZIP Server eBusiness Edition) has many more capabilities and options, but also does the basic tasks that the graphical interface handles. This table identifies the equivalent CLI commands.
| Task | CLI Command | GUI Equivalent |
| --- | --- | --- |
| Generating OpenPGP Keys | generate | Keys > Create New Key-pair OR New Key |
| Add a UserID to a Key | edit | Keys > Add New UserID OR Add User |
| Signing OpenPGP Keys | sign | Keys > Sign OR Sign |
| Exporting Keys | copy | Keys > Export OR Export |
| Importing Keys | copy | Keys > Import OR Import |
| Remove a Key from a Keyring | delete | Keys > Remove OR Remove |