Configuring Tasks - Keys and Certs

Configuring Tasks - Keys and Certs - Managing PGP Keys

MOVEit Central allows operators to create, delete, import and export locally stored PGP keys through MOVEit Central Admin. There is no need to "shell out", issue command-line arguments or use a third-party PGP key management utility. Behind the scenes, MOVEit Central stores PGP keys in files called "keyrings", but the interface MOVEit Central Admin uses to manage PGP keys is intentionally similar to the interface used to manage SSH keys and SSL certificates.

There are two types of PGP keys:

PGP Public Keys

Public keys are non-secret keys that are often widely distributed to other users. To encrypt a file to send to someone, you must have a copy of their public key. If you sign the file, the recipient must have a copy of your public key in order to check the signature.

Typically you will "import" the public keys of several other users into your keyring, and "export" your own public key to send to other users. There is usually little security risk associated with distributing your public key. (In fact, some people attach their PGP public key to every email message they send!)

Operators may perform both import and export operations through MOVEit Central Admin, of course. In MOVEit Central Admin, public PGP keys (for which you lack a private key) are displayed as "Other Keys" because other people have the private keys associated with the "Other Keys".

PGP Private/Public Keypairs

Private/public keypairs (also known as secret keys or just private keys) are secret keys that are generated by you and that contain information that must not be given to other users. A secret key also contains a copy of an associated public key. Though you will rarely export your entire private/public keypairs (except possibly for backup purposes), you will need to export the public component of your private/public keypair in order to allow others to encrypt files to be sent to you.

Although not strictly necessary, private/public keypairs are generally encrypted with a password, so that if the private/public keypair file falls into the wrong hands, it cannot be used.

Although it is possible to have multiple private/public keypairs--just as it is possible to have multiple email addresses--to prevent confusion, it is recommended that you minimize the number of different secret keys.

In MOVEit Central Admin, private/public keypairs are displayed as "My Keys" because you have the private keys.

Managing Keys

PGP keys are managed through the "Manage PGP Keys" dialog, which is accessed via Admin's Options | Cert/Key Managers | PGP Keys menu entry. This dialog shows all PGP keys. MOVEit Central Admin identifies secret keys as "My Keys" and public keys as "Other Keys". Select a key to see that key's details, such as expiration date and fingerprint.

Creating a Private/Public keypair

To get started with PGP, you must have at least one private/public keypair in your "My Keys" collection. If you have already have a private/public keypair in some other PGP software, you can export it from that software and import it into MOVEit Central. Otherwise, you should generate a key. Use the Create button to create a new key:

In the Create Key dialog, you will be prompted for these items:

Key Length - the length of the key in bits. The longer the key, the more secure it is, but the more processing time is required for cryptographic operations. 1024 bits is probably enough, but many experts prefer 2048 bits to play it safe. 4096 bits is quite long; generating a key of this length may take over 10 minutes.
Key Format - Both RSA and DSS/DH (Digital Signature Standard / Diffie-Hellman) are widely supported. "RSA Legacy" may be necessary if you are exchanging encrypted files with someone who is using a very old version of PGP.
Signing Alg - The hash algorithm used for signing the key. The default for DSS keys is SHA1, because some older PGP applications do not support algorithms other than SHA1 for DSS keys. The default for RSA keys is the more secure SHA256, but you may need to choose SHA1 for backwards compatibility with older applications. For the best security, you may wish to choose SHA512. You may not configure the hash algorithm used to sign RSA legacy keys.
Expiration - Shorter expiration times are more secure, because they reduce the amount of damage that could be done if an opponent somehow gains access to your key. However, shorter expiration times are less convenient, because when the key approaches its expiration date, you must generate a new one and send its public component to your correspondents.
Key Name - This is an arbitrary name associated with the key. It is similar to the Common Name on an SSL certificate.
Email Address - If provided, this is incorporated into the name of the key. Despite its name, this field is usually not used to address PGP-encrypted email, but instead serves as a point of contact for technical issues involving that PGP key.
Passphrase - The passphrase used to encrypt the secret key. MOVEit Central will record this passphrase in its encrypted settings file, so you do not have to reenter it when signing or decrypting files. This passphrase will also be displayed each time a private/public keypair is exported.

Exporting keys from other applications

If you have been using another PGP application, you have already established a keyring. You will probably want to transfer some or all of the keys in this keyring to MOVEit Central, so you can continue to use the same keys without additional coordination with your correspondents.

Before you can import these keys into MOVEit Central, you must export them from the other PGP application. This section describes how to export keys from two popular PGP applications. Note: the act of exporting keys does not remove them from the original application, so you can continue to use the keys with the old application if you like.

Exporting from GNU Privacy Guard

To export a single public key from GnuPG, use a command line like:

gpg -a --export "Fred Smith" >fredsmith-public-key.asc

To export all public keys from GnuPG, use a command line like:

gpg -a --export >all-public-keys.asc

To export a single private key from GnuPG, use a command line like:

gpg -a --export-secret-keys "Fred Smith" >fredsmith-private-key.asc

To export all private keys from GnuPG, use a command line like:

gpg -a --export-secret-keys >all-private-keys.asc

Note: unlike some other applications, GnuPG does not export the public key when it exports the private key. To export both the private key and the public key for a user, use a sequence like:

gpg -a --export "Fred Smith" >fredsmith-both.asc
gpg -a --export-secret-keys "Fred Smith" >>fredsmith-both.asc

Exporting from PGP Corporation's PGP Command Line

To export a single public key from PGP, use a command line like:

pgp --export "Mary Jones" --output maryjones-public-key.asc

To export a single public/private keypair from PGP, use a command line like:

pgp --export-key-pair "Mary Jones" --output maryjones-both.asc

There does not appear to be a single PGP Command Line command which will export all keys.

Importing keys into MOVEit Central

Once you have exported one or more keys from another PGP application, you can use MOVEit Central Admin to import the key(s) into MOVEit Central. To import a PGP key, use the "Import" button in the Manage PGP Keys dialog. Select the file to which the other application exported the key(s). The same procedure is used to import secret keys and public keys; MOVEit Central will figure out which type a given key is. If you are importing a public key--which is the typical case--then do not enter a passphrase when prompted. You will typically import secret keys only if you are converting from another PGP application and have already established keys with that application. Once the key file has been successfully imported, a popup message will detail which keys were imported from the file.

Exporting keys from MOVEit Central

To export a key, select it in the Manage PGP Keys dialog and choose the Export button. You will see these options:

Export Private Key - If the key in question is a secret key (keypair), you have the option of exporting the secret component as well as the public component. You should choose this option only if you are saving the key for your own purposes; do not give the secret key to others. If you do choose to export a private key, MOVEit Central Admin will remind you of the passphrase. You will need this passphrase to use the key for signing or decryption purposes on the system to which the private key is being exported.
Export to File - Specifies the filename on the MOVEit Central Admin computer to which the exported key should be written. The file will be "ASCII Armored"--in other words, it will be a text file.
Also email copy to - If you have at least one SMTP host defined, you may have MOVEit Central email the key as an attachment. Enter the recipient's email address. For security reasons, this option is available only for public keys.
using SMTP Host - Choose one of the SMTP hosts that you have configured in the Hosts tab. This determines both the email server used, and the "From:" address in the message.

Editing keys to select symmetric algorithm

When encrypting, MOVEit Central uses the symmetric encryption algorithm associated with public key of the first recipient. (Prior to version 3.4, the algorithm was specified as part of the Process task element; during an upgrade to MOVEit Central 3.4, these preferences are copied to the recipient key settings.) The "Edit" button allows you to choose which algorithm should be used for this public key.

The choices are:

Default - Use the default preferred algorithm specified in the PGP public key itself. All of the other choices cause MOVEit Central to explicitly override this algorithm.
3DES - Triple DES: three rounds of the well-known 56-bit 1977-vintage DES algorithm.
AES128 - 128-bit AES. AES is the Advanced Encryption Standard approved by the US National Institute of Standards and Technology in 2001.
AES192 - 192-bit AES.
AES256 - 256-bit AES.
CAST5 - 128-bit CAST5, an algorithm rarely used outside the context of PGP.
IDEA - 128-bit IDEA, an algorithm rarely used outside the context of PGP because it is proprietary.
TWOFISH - a free 1999-vintage algorithm similar in security to AES, and designed by a team of well-known cryptographers, including Bruce Schneier.

All of these algorithms are considered secure, though AES256 and TWOFISH may have an edge over the others. Your choice will probably be made on the basis of compatibility with the recipient's software. "Default" is probably the safest choice.

Deleting keys

To remove a key from your keyring, select it in the list of keys and choose the Delete button. Be cautious about deleting keys from "My Keys". If you do not have a backup copy of the key, you will not be able to decrypt messages encrypted by the sender with the public component of that key.