Encryption is the heart of PK Protect. Encrypting a file encodes its contents so that the file cannot be read until it is decrypted. Decrypting removes the encryption and restores the file to its original form.
Encryption provides confidentiality for data. Unencrypted data is called plaintext. Encryption transforms the plaintext data into an unreadable form, called ciphertext, using an encryption key. Decryption transforms the ciphertext back into plaintext using a decryption key.
You can encrypt files either when you add them to a ZIP archive or after they are in a ZIP archive.
Encrypting with PK Protect
Generally speaking, the easier an encryption standard is to use, the less secure it is. With PK Protect you have a choice in what standard to use. Traditional ZIP encryption with relatively simple passphrases is almost certainly good enough to preserve the secret family cookie recipe from the neighbors, but the initial business plan for your unique new product needs to get to your patent attorney with strong encryption. Strong encryption is much more secure. Traditional encryption support is mainly intended for legacy content.
The PEM Agent uses these methods to encrypt files:
- Strong, passphrase-based encryption
You can use a passphrase or a key from one or more digital certificates (or both passphrase and certificate) to encrypt files. A passphrase uses letters, numbers, spaces and other non-alphanumeric symbols to allow your recipient to open your encrypted file or message.
- Strong, certificate-based encryption
If you use a passphrase to encrypt, anyone who has the passphrase can decrypt. If you use a key from a digital certificate, only the owner of the certificate can decrypt. If someone sends you an archive containing files encrypted with your digital certificate, the PEM Agent attempts to decrypt the files automatically when you (and only you) extract them.
- Encryption based on the OpenPGP standard, RFC 4880. You can also create OpenPGP files encrypted using passphrases, public/private key pairs, or both.
- Encryption with Smartkeys: Smartkeys replace both passphrase- and certificate-based encryption, and make the PEM Agent unique. A Smartkey is a collection of encryption keys tied to an access control list (ACL). The ACL defines who can decrypt the data contained in an archive. PK Protect administrators can also create community keys, defining groups of users to encrypt to.
The PEM Agent does not extract files that cannot be decrypted. Someone who wants to extract encrypted files must either be able to supply a correct passphrase or else own a digital certificate used to encrypt the files.
Encrypting with OpenPGP
Some organizations use encryption tools based on the OpenPGP standard, rather than the International Telecommunication Union X.509 standard. OpenPGP uses the same basic Public Key Infrastructure principles for exchanging encrypted files, but uses a decentralized “Web of Trust” method of authenticating signatures.
The PEM Agent extracts and decrypts files that comply with the OpenPGP standard, RFC 4880. It can also create OpenPGP files encrypted using passphrases, public/private key pairs, or both; it will apply digital signatures with OpenPGP public/private key pairs too. In this section, you’ll learn more about the OpenPGP standard, and how to use the PEM Agent with OpenPGP.
Overview: OpenPGP vs. X.509
The X.509 standard relies on a hierarchical “trust chain” model, where an individual digital signature is issued by an intermediate Certificate Authority (CA), which is assumed to have received enough documentation to determine that an individual is who he says he is. The intermediate CA gets its certificate, in turn, from a Root CA. Each certificate says who issued it, and theoretically if you question the authenticity of a certificate, you can find the documentation presented to the original CA.
OpenPGP certificates are typically created by individuals, and authenticated by other individuals. In the real world, you have friends who can vouch that you are who you say you are. If you walk into a room full of strangers, your friend can introduce you to the people he knows. Since you trust that your friend is correctly identifying his friends and acquaintances, that trust extends to his friends too.
When you translate the above experience to the electronic, OpenPGP world, it works this way: You create an OpenPGP certificate to identify yourself. When a friend comes to visit, display the certificate. The friend can now sign your certificate (often called “key signing”) and certify that this certificate represents you. Now everyone who trusts the person who signed your key can also trust that your certificate is authentic. A Web of Trust is developed as more people authenticate each certificate. Everyone in the Web of Trust can also exchange messages in the OpenPGP format.
Applying OpenPGP to Archives
To apply OpenPGP encryption or a digital signature to an archive, make sure that OpenPGP is enabled in the Security General Options, and that the OpenPGP Options are set appropriately to the task you are performing (including creating a new archive, adding files to an archive, refreshing or updating an archive).
Add files to a new archive as you would normally, then use the Save As dialog to save the archive with the OpenPGP file type. When you apply OpenPGP to a new archive, you actually create a TAR archive, which can be signed, encrypted, compressed (or any combination of those actions) in the same dialog. The PEM Agent uses only algorithms supported by the OpenPGP standard on OpenPGP files. These algorithms are listed in the next section.
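The sections above say an OpenPGP file can be encrypted with a passphrase, a public/private key pair, or both. The following is an added example, not part of PK Protect or its documentation: a short Python reader for RFC 4880 packet headers that reports which of those was used without decrypting anything. It assumes binary (not ASCII-armored) input; the function names and the sample bytes are constructed for illustration.

```python
# Top-level packet tags from RFC 4880 section 4.3 used in the summary below.
PKESK, SKESK, SED, SEIPD = 1, 3, 9, 18

def _new_length(data, pos):
    """Decode one new-format length field: (length, next_pos, is_partial)."""
    o = data[pos]
    if o < 192:
        return o, pos + 1, False
    if o < 224:
        return ((o - 192) << 8) + data[pos + 1] + 192, pos + 2, False
    if o == 255:
        return int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5, False
    return 1 << (o & 0x1F), pos + 1, True        # partial body chunk

def read_packets(data):
    """Return [(tag, body_length)] for each top-level packet in binary data."""
    packets, pos = [], 0
    try:
        while pos < len(data):
            first = data[pos]
            if not first & 0x80:                 # bit 7 is set on every header
                raise ValueError(f"offset {pos}: not an OpenPGP packet")
            pos += 1
            if first & 0x40:                     # new-format header
                tag, total, partial = first & 0x3F, 0, True
                while partial:
                    n, pos, partial = _new_length(data, pos)
                    total, pos = total + n, pos + n
            else:                                # old-format header
                tag, ltype = (first >> 2) & 0x0F, first & 0x03
                size = (1, 2, 4, 0)[ltype]       # type 3: body runs to the end
                total = (int.from_bytes(data[pos:pos + size], "big")
                         if size else len(data) - pos)
                pos += size + total
            if pos > len(data):
                raise ValueError("truncated packet body")
            packets.append((tag, total))
    except IndexError:
        raise ValueError("truncated packet header") from None
    return packets

def protection(data):
    """Summarise, from packet tags alone, how a message is encrypted."""
    tags = {tag for tag, _ in read_packets(data)}
    return {"passphrase": SKESK in tags, "public_key": PKESK in tags,
            "integrity_protected": SEIPD in tags, "no_integrity": SED in tags}

# Constructed sample: header bytes are real encodings, bodies are zero filler.
SAMPLE = (b"\xC3\x0D" + bytes(13)          # tag 3, new format, 1-octet length
          + b"\x85\x01\x0C" + bytes(268)   # tag 1, old format, 2-octet length
          + b"\xD2\xC0\x6C" + bytes(300))  # tag 18, new format, 2-octet length
```

Signatures and compression applied inside the encrypted packet are not visible at this level; only a signed-but-unencrypted file exposes its signature packets to this reader.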