Note: Some options described here may be disabled by PK Protect Policy. Contact your PEM Administrator for more information.
If you use encryption, PK Protect opens a dialog to get a passphrase, Smartkey, and/or recipient list from you when you add files. Whether the dialog asks for a passphrase, Smartkey, a recipient list or some combination depends on your settings on the ZIP page or the OpenPGP page of Security options.
If you encrypt using only a passphrase, only people who have the passphrase can decrypt.
If you encrypt using only a recipient list or Smartkey, only recipients can decrypt, using the private keys that correspond to the certificates whose public keys you used to encrypt.
If you encrypt using both a passphrase and a recipient list, anyone who has the passphrase or is on the recipient list can decrypt the files.
Two-Part Dialog for Strong Encryption
The encryption dialog has two parts:
A top part with fields in which to enter and confirm a passphrase.
A bottom part with controls for selecting a Smartkey, or other certificates for the people you want in the recipient list.
Note: In an archive that contains encrypted file names, any added files are given the same encryption as files in the archive already.
Specify a Passphrase to Encrypt
When you use a passphrase to encrypt, anyone who has the passphrase can decrypt the files.
To specify a passphrase:
- Enter the passphrase in the Passphrase field.
- Enter the same passphrase again in the Confirm passphrase field to confirm that you typed what you thought you did.
- Click OK to encrypt the selected file(s).
Any passphrase must meet the requirements specified by your PEM administrator. When a passphrase meets the requirements, a green check mark is displayed, and the files you did not skip are encrypted.
Until a passphrase meets the requirements, a red X is displayed. If you click OK before the requirements are met, a dialog appears listing the requirements the passphrase failed to meet. Refer to the list and specify a different passphrase.
Encrypt with Keys
When you use keys (Smartkeys, X.509 certificates, or OpenPGP) to encrypt, PK Protect decrypts the files automatically when someone on the recipient list unzips them. Recipients on the list do not need to supply a passphrase. To encrypt for a recipient list, you need access to a digital certificate for each recipient.
Create a recipient list by picking certificates for recipients from the Encrypt with a Key list.
This list shows all the keys you have available for people on your system. You can have multiple keys for the same person.
The list states when each certificate expires and the certificate authority that issued the certificate. The URN/Key Usage column indicates any specified purpose for which a certificate was issued, such as digital signing or encrypting (Smartkeys are just for encryption). Keys issued with no such special designation show a value of (0000).
Note: You can use a certificate for both signing and encrypting even if its key usage designates it for a special purpose. However, some organizations may require certificates to have a key usage designation and to be used in accordance with it.
To exclude from the recipients list all certificates whose key usage does not specifically designate them for encryption, turn on strict checking on the Personal encryption certificates dialog on the ZIP page of Security options.
If any certificate stores are available, you can access additional certificates: use Lookup to search for certificates in those stores. PK Protect comes with one public LDAP directory already set up, for Verisign's directory (it is not activated by default). You can also set up other, private directories that may be accessible to you.
Personal Certificates and Other Local Certificates
The certificates that belong to you personally are listed as Personal Certificates. These certificates each contain a private key that enables you to decrypt files as well as a public key that enables you to encrypt them.
Certificates on your system that contain only a public key are listed as Other Local Certificates. Certificates that you received from other people and then imported into the certificate store are listed here.
Valid and Invalid Certificates
Valid X.509 certificates on your system appear with a green check. Invalid certificates appear with a red X. You can use invalid certificates, but the fact that they are invalid indicates that there is a problem with them. For example, they may be expired or revoked or not be issued by a trusted authority.
Invalid certificates are not listed if you select the Strict checking check box on the Encryption page of Security options.
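As an added illustration, not PK Protect's own code, the following Python model shows how the two strict-checking rules described above (key usage must designate encryption; invalid certificates are dropped) can be expressed over the X.509 KeyUsage bit string. It assumes that keyEncipherment, dataEncipherment or keyAgreement counts as an encryption designation, and the certificate records are constructed sample data, not real certificates.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# X.509 KeyUsage bit names, RFC 5280 section 4.2.1.3 (bit 0 is the MSB of the first byte)
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]
# Assumption: any of these bits counts as "designated for encryption"
ENCRYPTION_USAGES = {"keyEncipherment", "dataEncipherment", "keyAgreement"}

def decode_key_usage(der):
    """Decode a DER KeyUsage BIT STRING (tag 0x03) into a set of usage names."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a well-formed KeyUsage BIT STRING")
    unused, body = der[2], der[3:]          # first content byte = count of unused trailing bits
    nbits = min(len(body) * 8 - unused, len(KEY_USAGE_BITS))
    return {KEY_USAGE_BITS[i] for i in range(nbits) if (body[i // 8] >> (7 - i % 8)) & 1}

@dataclass
class Cert:
    subject: str
    not_after: datetime
    trusted_issuer: bool
    revoked: bool
    key_usage_der: Optional[bytes]  # None: no KeyUsage extension, shown as (0000)

def recipient_rows(certs, now, strict):
    """Rows the Encrypt with a Key list would show, as (subject, valid, usages).
    Strict checking drops invalid certificates and any not designated for encryption."""
    rows = []
    for c in certs:
        usages = decode_key_usage(c.key_usage_der) if c.key_usage_der else set()
        # green check mark vs red X: trusted issuer, not revoked, not expired
        valid = c.trusted_issuer and not c.revoked and now <= c.not_after
        if strict and (not valid or not usages & ENCRYPTION_USAGES):
            continue
        rows.append((c.subject, valid, usages))
    return rows

# Constructed sample certificates for the demo (not real certificates)
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
FUTURE, PAST = datetime(2026, 1, 1, tzinfo=timezone.utc), datetime(2023, 1, 1, tzinfo=timezone.utc)
SAMPLE_CERTS = [
    Cert("alice (sign+encrypt)", FUTURE, True, False, b"\x03\x02\x05\xa0"),
    Cert("bob (sign only)", FUTURE, True, False, b"\x03\x02\x07\x80"),
    Cert("carol (no key usage)", FUTURE, True, False, None),
    Cert("dave (expired)", PAST, True, False, b"\x03\x02\x05\xa0"),
    Cert("erin (keyAgreement, untrusted CA)", FUTURE, False, False, b"\x03\x02\x03\x08"),
]
```

With strict checking off, all five sample certificates are listed and the expired and untrusted ones carry the red X; with strict checking on, only alice's certificate remains.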
See What is a Smartkey? for background on PK Protect's unique encryption tool.
Two buttons on this dialog box allow you to view the properties of a selected Smartkey or to create a New Smartkey. PEM administrators may also make community keys, which can include Active Directory groups, available to you.
To pick recipients for the recipient list:
Check the boxes for those keys and certificates you want to be able to decrypt and open the encrypted data.
Note: Be sure to select one of your own Personal Certificates to add yourself as a recipient so that you can decrypt the files without entering a passphrase.
You can view a certificate to learn more about it. Viewing a certificate can tell you more about the person it belongs to. It can also provide information about the certificate itself.
To view a certificate, highlight the name to the right of its check box (for example, by clicking on it) and choose the View Certificate button. The button opens the Certificate Properties dialog.
The dialog may display a count of the number of contingency keys that will be applied when you encrypt, and entries for these certificates may appear in the Certificates list.
Contingency keys are a way for an organization to ensure that it can always decrypt any files PK Protect is used to encrypt. Whether contingency keys are used, and whether their use is advertised, depend on settings made by an administrator in a policy.
Skip Encrypting Files
To add the selected files without encrypting them, click Skip. The files are added to the archive unencrypted.