Creating Key Pairs for OpenPGP

You can create new key pairs for OpenPGP encryption using the OpenPGP Key Generation Wizard. The key pair file is saved in SiteConfig<GUID>.db. Note that the \PGP\ folder does not exist until you create or import a key pair.

EFT can create the following types of keys for OpenPGP:

RSA: If you select RSA, the library generates the new standard RSA key pair format by default: keys that are compatible with newer OpenPGP clients. The new RSA key format supports features previously available only to DSS/DH keys: you have a primary key for signing and a subkey for encrypting data, and the encryption subkey can be revoked, or given a different expiration date, independently of its primary key. A new subkey can always be added to a primary key and used for encrypting data. These keys are compatible with newer versions of OpenPGP, but not with older OpenPGP clients that are not compliant with RFC 2440, such as OpenPGP 2.6.x.

RSA Legacy: In EFT, the OpenPGP library gives you the option to generate RSA Legacy keys that are compatible with older versions of OpenPGP. Old OpenPGP clients are compliant with RFC 1991 only, not RFC 2440.
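To make the difference between the two RSA formats concrete, here is an added Python example (written for this page, not EFT's or its OpenPGP library's code) that builds two constructed keyrings in memory and walks their packets: a v4 key block with a signing primary key and an encryption subkey whose key flags and expiration live in the subkey's binding signature, and a v3 RSA Legacy key, which has no subkey and whose expiry is a validity-days field inside the key packet itself. The packet layouts follow RFC 4880 (the successor of RFC 2440) and RFC 1991; the modulus, user ID, creation date and the helper names (packet, read_length, describe, build_sample_keys) are this example's own placeholders and assumptions.

```python
# Added example (not EFT's code): a minimal OpenPGP key-block walker contrasting the v4 "new RSA
# format" (primary key + subkey, RFC 2440/4880) with a v3 "RSA Legacy" key (RFC 1991). Placeholder key.
import struct

TAG_NAMES = {5: "secret-key", 6: "public-key", 7: "secret-subkey", 14: "public-subkey"}
PK_ALGOS = {1: "RSA", 16: "ElGamal", 17: "DSA"}
KEY_FLAGS = {1: "certify", 2: "sign", 4: "encrypt-communications", 8: "encrypt-storage", 32: "authenticate"}

def mpi(value: int) -> bytes:                      # OpenPGP MPI: 2-byte bit count, then big-endian magnitude
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")

def packet(tag: int, body: bytes, new_format: bool = True) -> bytes:
    """Prepend a new-format (RFC 4880 4.2.2) or old-format (RFC 1991) header; bodies < 8384 bytes."""
    n = len(body)
    if new_format:
        length = bytes([n]) if n < 192 else bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
        return bytes([0xC0 | tag]) + length + body
    ltype = 0 if n < 256 else 1 if n < 65536 else 2
    return bytes([0x80 | (tag << 2) | ltype]) + n.to_bytes((1, 2, 4)[ltype], "big") + body

def read_length(buf: bytes, i: int, subpacket: bool = False) -> tuple:
    """New-style length at buf[i] -> (length, index past it); 224..254 is two-octet for subpackets only."""
    first = buf[i]
    if first < 192:
        return first, i + 1
    if first < 224 or (subpacket and first < 255):
        return ((first - 192) << 8) + buf[i + 1] + 192, i + 2
    if first == 255:
        return struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5
    raise ValueError("partial body lengths are not supported here")

def iter_packets(data: bytes):
    """Yield (tag, body) for each packet, accepting both header formats."""
    i = 0
    while i < len(data):
        ctb = data[i]
        assert ctb & 0x80, f"bad packet tag byte at offset {i}"
        if ctb & 0x40:                                  # new format: tag in the low 6 bits
            tag, (n, i) = ctb & 0x3F, read_length(data, i + 1)
        else:                                           # old format: tag in bits 2..5, length type in bits 0..1
            tag, size = (ctb >> 2) & 0x0F, (1, 2, 4, None)[ctb & 0x03]
            if size is None:
                raise ValueError("indeterminate length is not supported here")
            n, i = int.from_bytes(data[i + 1:i + 1 + size], "big"), i + 1 + size
        yield tag, data[i:i + n]
        i += n

def parse_key(body: bytes) -> dict:
    """Fixed fields of a (sub)key packet; v3 keys carry their expiry as a validity-days field here."""
    version, created = body[0], struct.unpack(">I", body[1:5])[0]
    if version == 4:
        algo, pos, validity = body[5], 6, None
    elif version in (2, 3):
        validity, algo, pos = struct.unpack(">H", body[5:7])[0], body[7], 8
    else:
        raise ValueError(f"unsupported key version {version}")
    return {"version": version, "algo": PK_ALGOS.get(algo, str(algo)), "created": created,
            "bits": struct.unpack(">H", body[pos:pos + 2])[0], "validity_days": validity}  # first MPI: n or p

def parse_sig(body: bytes) -> dict:
    """Key flags (subpacket 27) and key expiration (9) from a v4 signature's hashed area."""
    if body[0] != 4:
        return {}
    area, info, i = body[6:6 + struct.unpack(">H", body[4:6])[0]], {}, 0
    while i < len(area):
        n, i = read_length(area, i, subpacket=True)
        sub_type, data = area[i] & 0x7F, area[i + 1:i + n]   # the length covers the type octet
        if sub_type == 9:
            info["expires_after_days"] = struct.unpack(">I", data)[0] // 86400
        elif sub_type == 27:
            info["key_flags"] = [v for k, v in KEY_FLAGS.items() if data[0] & k]
        i += n
    return info

def describe(keyblock: bytes) -> list:
    """One dict per key or user-id packet; a following signature annotates the preceding key."""
    out, last_key = [], None
    for tag, body in iter_packets(keyblock):
        if tag in TAG_NAMES:
            out.append(last_key := dict(parse_key(body), role=TAG_NAMES[tag]))
        elif tag == 13:
            out.append({"role": "user-id", "uid": body.decode("utf-8")})
        elif tag == 2 and last_key is not None:
            last_key.update(parse_sig(body))
    return out

def build_sample_keys() -> tuple:
    """Constructed (new-format, legacy) keyrings; the modulus is a placeholder, not a real key."""
    created, rsa = 1555286400, bytes([1]) + mpi((1 << 2047) | 0x12345677) + mpi(65537)  # algo 1, n, e
    def sig(sig_type: int, subs: list) -> bytes:                  # v4 signature, RSA/SHA-256, dummy MPI
        hashed = b"".join(bytes([len(d) + 1, t]) + d for t, d in subs)
        return packet(2, bytes([4, sig_type, 1, 8]) + struct.pack(">H", len(hashed)) + hashed
                      + b"\x00\x00\x00\x00" + mpi(1))
    modern = (packet(6, bytes([4]) + struct.pack(">I", created) + rsa)
              + packet(13, b"Alice Example <alice@example.com>")
              + sig(0x13, [(27, b"\x03")])                        # self-certification: certify + sign
              + packet(14, bytes([4]) + struct.pack(">I", created) + rsa)
              + sig(0x18, [(27, b"\x0C"), (9, struct.pack(">I", 365 * 86400))]))  # binding: encrypt, 1 year
    legacy = (packet(6, bytes([3]) + struct.pack(">I", created) + struct.pack(">H", 365) + rsa, False)
              + packet(13, b"Alice Example <alice@example.com>", False))
    return modern, legacy
```

Calling describe() on the first keyring returns a public-key entry flagged certify+sign, the user ID, and a public-subkey entry flagged for encryption with its own 365-day expiry; on the second it returns a version-3 key whose validity_days field holds the expiry and no subkey at all. Fed the de-armored bytes of a key a partner sends you, the same walker shows whether you are dealing with a legacy key that older RFC 1991 clients expect or a new-format key with a separately expiring encryption subkey. The signatures here are placeholders and are not verified; a real keyring tool must check each self-signature before trusting the flags and expiry it carries.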

  • For information about Diffie-Hellman key exchange, refer to http://en.wikipedia.org/wiki/Diffie-Hellman.

  • For information about RSA, refer to http://en.wikipedia.org/wiki/RSA.

  • If you have made any configuration changes, click Apply and/or Refresh before creating the key pair; otherwise, key creation will fail.

  • If you attempt remote management of keys, you may encounter unexpected behavior.

To access the Key Ring Manager and use the OpenPGP Key Generation Wizard

  1. In the administration interface, connect to EFT and click the Server tab.

  2. Click the Site you want to configure.

  3. In the right pane, click the Security tab.

  4. In the Data Security area at the bottom of the tab, next to OpenPGP security, click Configure. The OpenPGP Security dialog box appears.

  5. Click Create. The OpenPGP Key Generation Wizard appears. (Or you can click Tools > Create OpenPGP Key.)

  6. Read the instructions on the welcome page, and then click Next. The Parameters page appears.

  7. In the Full name box, provide your name or another contact's name.

  8. In the email address box, provide an email address.

  9. In the Key cipher box, click the list to specify a cipher to use: IDEA, 3-DES (the default), CAST5, AES128, AES192, AES256, or TWOFISH.

  10. In the Key type box, click Diffie-Hellman/DSS, RSA, or RSA legacy.

  11. Specify the Key length (1024, 2048, 3072, or 4096). Larger key sizes increase security but also increase encryption time.

  12. Specify the Key expiration date, or never.

  13. Click Next. The passphrase page appears.

  14. Type your passphrase in the Passphrase and Confirmation boxes. The passphrase is case sensitive and must contain a minimum of 8 characters. For better security, the passphrase should contain a mix of alphanumeric (both upper and lower case) and non-alphanumeric characters. Select the Hide typing check box to display asterisks instead of the passphrase.

  15. Click Next. The Site page appears.

  16. Click Finish to generate the key pair. A message appears informing you that it might take several minutes to generate the key pair.

  17. Click Yes to create the key. If you click No, the key is not created.

  18. After the key is created and added to the Site keyring, click OK to close the notification dialog box.

  19. To specify a logging Level and the Log file path, select the Enable logging check box.

  20. To specify a dynamic log file name, select the Enable dynamic log file name check box, and specify an extension in the Log file path. The date and time will be added to the file name (e.g., PGPlog20190415.txt).

  21. Click OK to save your changes and close the OpenPGP Security dialog box.

  22. Click Apply to save the changes on EFT.