PGP, Pretty Good Privacy, and the PGP logo are registered trademarks of PGP Corporation in the US and other countries. IDEA is a trademark of
Ascom Tech AG. Windows and ActiveX are registered trademarks of Microsoft Corporation. AOL is a registered trademark, and AOL Instant
Messenger is a trademark, of America Online, Inc. Red Hat and Red Hat Linux are trademarks or registered trademarks of Red Hat, Inc. Linux is a
registered trademark of Linus Torvalds. Solaris is a trademark or registered trademark of Sun Microsystems, Inc. AIX is a trademark or registered
trademark of International Business Machines Corporation. HP-UX is a trademark or registered trademark of Hewlett-Packard Company. SSH and
Secure Shell are trademarks of SSH Communications Security, Inc. Rendezvous and Mac OS X are trademarks or registered trademarks of Apple
Computer, Inc. All other registered and unregistered trademarks in this document are the sole property of their respective owners.
Licensing and Patent Information
The IDEA cryptographic cipher described in U.S. patent number 5,214,703 is licensed from Ascom Tech AG. The CAST-128 encryption algorithm,
implemented from RFC 2144, is available worldwide on a royalty-free basis for commercial and non-commercial uses. PGP Corporation has secured a
license to the patent rights contained in the patent application Serial Number 10/655,563 by The Regents of the University of California, entitled Block
Cipher Mode of Operation for Constructing a Wide-blocksize block Cipher from a Conventional Block Cipher. Some third-party software included in PGP
Universal Server is licensed under the GNU General Public License (GPL). PGP Universal Server as a whole is not licensed under the GPL. If you would
like a copy of the source code for the GPL software included in PGP Universal Server, contact PGP Support (https://support.pgp.com). PGP Corporation
may have patents and/or pending patent applications covering subject matter in this software or its documentation; the furnishing of this software or
documentation does not give you any license to these patents.
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/LICENCE?rev=HEAD. -- PC/SC Lite, a free implementation of PC/SC, a specification for
SmartCard integration, is released under the BSD license. -- Postfix, an open source mail transfer agent (MTA), is released under the IBM Public License
1.0, available at http://www.opensource.org/licenses/ibmpl.php. -- PostgreSQL, a free software object-relational database management system, is
released under a BSD-style license, available at http://www.postgresql.org/about/licence. -- PostgreSQL JDBC driver, a free Java program used to
connect to a PostgreSQL database using standard, database independent Java code, (c) 1997-2005, PostgreSQL Global Development Group, is
released under a BSD-style license, available at http://jdbc.postgresql.org/license.html. -- PostgreSQL Regular Expression Library, a free software
object-relational database management system, is released under a BSD-style license, available at http://www.postgresql.org/about/licence. --
http://www.cs.wustl.edu/~schmidt/ACE-copying.html. -- libcURL, a library for downloading files via common network services, is open source software
provided under a MIT/X derivate license available at http://curl.haxx.se/docs/copyright.html. Copyright (c) 1996 - 2007, Daniel Stenberg. -- libuuid, a
library used to generate unique identifiers, is released under a BSD-style license, available at
http://thunk.org/hg/e2fsprogs/?file/fe55db3e508c/lib/uuid/COPYING. Copyright (C) 1996, 1997 Theodore Ts'o. -- libpopt, a library that parses command
on a motherboard, is distributed under the gSOAP Public License version 1.3b, available at http://www.cs.fsu.edu/~engelen/license.html. -- Windows
Template Library (WTL) is used for developing user interface components and is distributed under the Common Public License v1.0 found at
http://opensource.org/licenses/cpl1.0.php. -- The Perl Kit provides several independent utilities used to automate a variety of maintenance functions
and is provided under the Perl Artistic License, found at http://www.perl.com/pub/a/language/misc/Artistic.html. -- rEFIt - libeg, provides a graphical
interface library for EFI, including image rendering, text rendering, and alpha blending, and is distributed under the license found at
http://refit.svn.sourceforge.net/viewvc/*checkout*/refit/trunk/refit/LICENSE.txt?revision=288. Copyright (c) 2006 Christoph Pfisterer. All rights
reserved. -- Java Radius Client, used to authenticate PGP Universal Web Messenger users via Radius, is distributed under the Lesser General Public
License (LGPL) found at http://www.gnu.org/licenses/lgpl.html. -- Yahoo! User Interface (YUI) library version 2.5.2, a Web UI interface library for AJAX.
Copyright (c) 2009, Yahoo! Inc. All rights reserved. Released under a BSD-style license, available at http://developer.yahoo.com/yui/license.html. --
JSON-lib version 2.2.1, a Java library used to convert Java objects to JSON (JavaScript Object Notation) objects for AJAX. Distributed under the
Apache 2.0 license, available at http://json-lib.sourceforge.net/license.html. -- EZMorph, used by JSON-lib, is distributed under the Apache 2.0 license,
available at http://ezmorph.sourceforge.net/license.html. -- Apache Commons Lang, used by JSON-lib, is distributed under the Apache 2.0 license,
available at http://commons.apache.org/license.html. -- Apache Commons BeanUtils, used by JSON-lib, is distributed under the Apache 2.0 license,
available at http://commons.apache.org/license.html. -- SimpleIni is an .ini format file parser and provides the ability to read and write .ini files, a
common configuration file format used on Windows, on other platforms. Distributed under the MIT License found at
http://www.opensource.org/licenses/mit-license.html. Copyright 2006-2008, Brodie Thiesfield. -- uSTL provides a small fast implementation of common
Standard Template Library functions and data structures and is distributed under the MIT License found at
http://www.opensource.org/licenses/mit-license.html. Copyright (c) 2005-2009 by Mike Sharov <msharov@users.sourceforge.net>. -- Protocol Buffers
(protobuf), Google's data interchange format, are used to serialize structure data in the PGP SDK. Distributed under the BSD license found at
http://www.opensource.org/licenses/bsd-license.php. Copyright 2008 Google Inc. All rights reserved.
Additional acknowledgements and legal notices are included as part of the PGP Universal Server.
Export Information
Export of this software and documentation may be subject to compliance with the rules and regulations promulgated from time to time by the Bureau
of Export Administration, United States Department of Commerce, which restricts the export and re-export of certain products and technical data.
Limitations
The software provided with this documentation is licensed to you for your individual use under the terms of the End User License Agreement provided
with the software. The information in this document is subject to change without notice. PGP Corporation does not warrant that the information meets
your requirements or that the information is free of errors. The information may include technical inaccuracies or typographical errors. Changes may be
made to the information and incorporated in new editions of this document, if and when made available by PGP Corporation.
Unsupported Third Party Products
By utilizing third party products, software, drivers, or other components ("Unsupported Third Party Product") to interact with the PGP software and/or by
utilizing any associated PGP command or code provided to you by PGP at its sole discretion to interact with the Unsupported Third Party Product
("PGP Third Party Commands"), you acknowledge that the PGP software has not been designed for or formally tested with the Unsupported Third Party
Product, and therefore PGP provides no support or warranties with respect to the PGP Third Party Commands or the PGP software's compatibility with
Unsupported Third Party Products. THE PGP THIRD PARTY COMMANDS ARE PROVIDED "AS IS," WITH ALL FAULTS, AND THE ENTIRE RISK AS TO
SATISFACTORY QUALITY, PERFORMANCE, ACCURACY, AND EFFORT IS WITH YOU. TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE
LAW, PGP DISCLAIMS ALL REPRESENTATIONS, WARRANTIES, AND CONDITIONS, WHETHER EXPRESS OR IMPLIED, INCLUDING ANY
WARRANTIES OR CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, NONINFRINGEMENT, QUIET
ENJOYMENT, AND ACCURACY WITH RESPECT TO THE PGP THIRD PARTY COMMANDS OR THE PGP SOFTWARE'S COMPATIBILITY WITH THE
UNSUPPORTED THIRD PARTY PRODUCT.
Contents
About PGP Desktop 10.1 for Mac OS X
What's New in PGP Desktop for Mac OS X Version 10.1 1
Using this Guide 3
“Managed” versus “Unmanaged” Users 3
Conventions Used in This Guide 4
Who Should Read This Document 4
About PGP Desktop Licensing 4
About PGP Desktop Licensing 5
Checking License Details 5
If Your License Has Expired 7
Getting Assistance 7
Getting product information 8
Contact Information 8
1 PGP Desktop Basics 9
PGP Desktop Terminology 9
PGP Product Components 9
Terms Used in PGP Desktop 10
Conventional and Public Key Cryptography 12
Using PGP Desktop for the First Time 13
Installing PGP Desktop 17
System Requirements 17
Installing and Configuring PGP Desktop 17
Installing the Software 17
Using PGP Desktop with Apple Boot Camp 18
Upgrading the Software 19
Licensing PGP Desktop 21
Running the Setup Assistant 21
Integrating with Entourage 2008 22
Uninstalling PGP Desktop 22
Moving Your PGP Desktop Installation from One Computer to Another 23
The PGP Desktop User Interface 25
Accessing PGP Desktop Features 25
PGP Desktop Main Screen 26
Using the PGP Desktop Icon in the Menu Bar 27
Using the PGP Dock Icon 28
Using the Mac OS X Finder 29
PGP Desktop Notifier alerts 30
PGP® Desktop for Mac OS X Contents
PGP Desktop Notifier for Messaging 30
PGP Desktop and the Finder 35
Overview 35
Encrypt, Sign, or Encrypt and Sign 36
Shred 37
Decrypt/Verify 38
Mount or Unmount a PGP Virtual Disk Volume 39
Import a PGP Key 39
Add PGP Public Keys to Your Keyring 40
Extract the Contents of a PGP Zip Archive 40
Viewing the PGP Log 41
Working with PGP Keys 43
Viewing Keys 44
Creating a Smart Keyring 45
Creating a Keypair 46
Expert Mode Key Settings 48
Protecting Your Private Key 49
Protecting Keys and Keyrings 49
Backing up Your Private Key 50
What if You Lose Your Key? 51
Distributing Your Public Key 51
Placing Your Public Key on a Keyserver 52
Including Your Public Key in an Email Message 53
Exporting Your Public Key to a File 53
Getting the Public Keys of Others 54
Getting Public Keys from a Keyserver 54
Getting Public Keys from Email Messages 55
Working with Keyservers 56
Using Master Keys 57
Adding Keys to the Master Key List 57
Deleting Keys from the Master Key List 58
Managing PGP Keys 59
Examining and Setting Key Properties 59
Adding and Removing Photographs 60
Managing User Names and Email Addresses on a Key 61
Importing Keys and X.509 Certificates 62
Importing X.509 Certificates Included in S/MIME Email Messages 63
Changing Your Passphrase 63
Deleting Keys, User IDs, and Signatures 64
Disabling and Enabling Public Keys 65
Verifying a Public Key 65
Signing a Public Key 66
Revoking Your Signature from a Public Key 68
Granting Trust for Key Validations 68
To grant trust to a key 69
Working with Subkeys 69
Using Separate Subkeys 71
Viewing Subkeys 71
Creating New Subkeys 72
Specifying Key Usage for Subkeys 72
Revoking Subkeys 73
Removing Subkeys 73
Working with ADKs 74
Adding an ADK to a Keypair 74
Updating an ADK 75
Removing an ADK 75
Working with Revokers 75
Appointing a Designated Revoker 76
Revoking a Key 76
Splitting and Rejoining Keys 77
Creating a Split Key 77
Rejoining Split Keys 78
If You Lost Your Key or Passphrase 80
Reconstructing Keys with PGP Universal Server 80
Creating Key Reconstruction Data 80
Reconstructing Your Key if You Lost Your Key or Passphrase 82
Protecting Your Keys 83
Securing Email Messages 85
How PGP Desktop Secures Email Messages 85
Incoming Messages 86
Understanding Annotations on Incoming Messages 87
Outgoing Messages 88
Securing Sent Items on IMAP Email Servers 88
Using Offline Policy 89
Services and Policies 90
Viewing Services and Policies 91
Creating a New Messaging Service 92
Editing Message Service Properties 94
Disabling or Enabling a Service 95
Deleting a Service 95
Multiple Services 96
Troubleshooting PGP Messaging Services 96
Creating a New Security Policy 98
Regular Expressions in Policies 103
Security Policy Information and Examples 105
Working with the Security Policy List 108
Editing a Security Policy 108
Editing a Mailing List Policy 108
Deleting a Security Policy 113
Changing the Order of Policies in the List 113
PGP Desktop and SSL 113
Key Modes 115
Determining Key Mode 116
Changing Key Mode 117
Viewing the PGP Log 118
Using PGP Scripts with Entourage 2008 119
Securing Instant Messaging 121
About PGP Desktop’s Instant Messaging Compatibility 121
Instant Messaging Client Compatibility 122
About the Keys Used for Encryption 123
Encrypting your IM Sessions 123
Viewing Email with PGP Viewer 125
Overview of PGP Viewer 125
Supported Email Clients 126
Opening an Encrypted Email Message or File 126
Copying Email Messages to Your Inbox 127
Exporting Email Messages 128
PGP Viewer Preferences 128
Security Features in PGP Viewer 129
Protecting Disks with PGP Whole Disk Encryption 131
About PGP Whole Disk Encryption 132
Encrypting Boot Disks 133
How does PGP WDE Differ from PGP Virtual Disk? 134
Licensing PGP Whole Disk Encryption 134
License Expiration 135
Prepare Your Disk for Encryption 135
Supported Disk Types 136
Supported Keyboards 136
Ensure Disk Health Before Encryption 137
Calculate the Encryption Duration 138
Run a Pilot Test to Ensure Software Compatibility 138
Determine the Authentication Method for the Disk 138
Encrypting a Disk 139
Supported Characters 140
Encrypting the Disk 140
Encountering Disk Errors During Encryption 143
Using a PGP-WDE Encrypted Disk 143
Authenticating at the PGP BootGuard Screen 144
Maintaining the Security of Your Disk 145
Viewing Key Information on an Encrypted Disk 145
Modifying the System Partition 145
Adding Other Users to an Encrypted Disk 145
Deleting Users From an Encrypted Disk 146
Changing User Passphrases 147
Re-Encrypting an Encrypted Disk 147
Backing Up and Restoring 148
Uninstalling PGP Desktop from Encrypted Disks 148
Using PGP WDE in a PGP Universal Server-Managed Environment 149
PGP Whole Disk Encryption Administration 149
Creating a Recovery Token 150
Using a Recovery Token 150
Recovering Data From an Encrypted Drive 151
Creating and Using Recovery Disks 151
Decrypting a PGP WDE-Encrypted Disk 152
Moving Removable Disks to Other Systems 153
Accessing Data on Encrypted Removable Disks 153
Special Security Precautions Taken by PGP Desktop 154
Passphrase Erasure 154
Virtual Memory Protection 154
Memory Static Ion Migration Protection 154
Other Security Considerations 155
Technical Details About Encrypting Boot Disks 156
Using PGP Virtual Disks 157
About PGP Virtual Disks 158
Creating a New PGP Virtual Disk 159
Viewing the Properties of a PGP Virtual Disk 162
Using a Mounted PGP Virtual Disk 162
Mounting a PGP Virtual Disk 163
Unmounting a PGP Virtual Disk 163
Set Mount Location 164
Compacting a PGP Virtual Disk 164
Re-Encrypting PGP Virtual Disks 165
Working with Alternate Users 166
Adding Alternate User Accounts to a PGP Virtual Disk 166
Deleting Alternate User Accounts From a PGP Virtual Disk 166
Disabling and Enabling Alternate User Accounts 167
Changing Read/Write and Read-Only Status 167
Granting Administrator Status to an Alternate User 168
Changing User Passphrases 168
Deleting PGP Virtual Disks 169
Maintaining PGP Virtual Disks 169
Mounting PGP Virtual Disk Volumes on a Remote Server 170
Backing up PGP Virtual Disk Volumes 170
Exchanging PGP Virtual Disks 171
The PGP Virtual Disk Encryption Algorithms 171
Special Security Precautions Taken by PGP Virtual Disk 172
Passphrase Erasure 172
Virtual Memory Protection 173
Memory Static Ion Migration Protection 173
Other Security Considerations 173
Accessing Mobile Data with PGP Portable 175
Accessing Data on a PGP Portable Disk 175
Changing the Passphrase for a PGP Portable Disk 177
Unmounting a PGP Portable Disk 177
Using PGP Zip 179
Overview 179
Creating PGP Zip Archives 180
Opening a PGP Zip Archive 181
Verifying Signed PGP Zip Archives 182
Shredding Files with PGP Shredder 183
Using PGP Shredder to Permanently Delete Files and Folders 183
Shredding Files using the PGP Shredder icon 184
Shredding Files using the Shred Files Icon in the PGP Desktop Toolbar 185
Shredding Files using the Shred Command from the File menu 185
Choosing whether to use a password or passphrase 201
The Passphrase Quality Bar 202
Creating Strong Passphrases 203
What if You Forget Your Passphrase? 205
Saving Your Passphrase in the Keychain 205
Using PGP Desktop with PGP Universal Server 207
Overview 207
For PGP Administrators 208
Manually binding to a PGP Universal Server 209
Index 211
About PGP Desktop 10.1 for Mac OS X
PGP Desktop is a security tool that uses cryptography to protect your data
against unauthorized access.
PGP Desktop protects your data while being sent by email or by instant
messaging (IM). It lets you encrypt your entire hard drive or hard drive partition
(on Windows systems)—so everything is protected all the time—or just a
portion of your hard drive, via a virtual disk on which you can securely store your
most sensitive data. You can use it to share your files and folders securely with
others over a network. It lets you put any combination of files and folders into
an encrypted, compressed package for easy distribution or backup. Finally, use
PGP Desktop to shred (securely delete) sensitive files—so that no one can
retrieve them—and shred free space on your hard drive, so there are no
unsecured remains of any files.
Use PGP Desktop to create PGP keypairs and manage both your personal
keypairs and the public keys of others.
To make the most of PGP Desktop, you should be familiar with PGP Desktop
Terminology (on page 9). You should also understand conventional and
public-key cryptography, as described in Conventional and Public Key
Cryptography (on page 12).
In This Chapter
What's New in PGP Desktop for Mac OS X Version 10.1 ........................ 1
Using this Guide ........................................................................................ 3
Who Should Read This Document ............................................................ 4
About PGP Desktop Licensing .................................................................. 4
What's New in PGP Desktop for Mac OS X Version 10.1
Building on PGP Corporation’s proven technology, PGP Desktop 10.1 for Mac
OS X includes numerous improvements and the following new and resolved
features.
PGP® Desktop for Mac OS X About PGP Desktop 10.1 for Mac OS X
Messaging
Improvements have been made to annotations. In a PGP Universal
Server-managed environment, your administrator can now specify where
the email annotation will be, such as end of message rather than wrapped
around the message.
You can now protect sent message copies for IMAP accounts (available for
standalone installations only) to provide additional security so you can
protect sensitive emails that you have sent using your IMAP account.
Choose to Encrypt, Encrypt and Sign, or Sign Only messages as they
are copied to your IMAP Sent Items mailbox.
In a managed environment, your PGP Universal Server administrator can
set policy to enable you to decide if you want to perform signature
verification on email messages. If enabled, a new button and/or menu
option appears in your Microsoft Outlook or Lotus Notes email client. The
button or option will be in the default state set by your administrator but
you can choose to override this setting.
In a managed environment, your PGP Universal Server administrator may
have specified certain PGP Notifier settings (for example, whether
notifications are to be displayed or the location of the notifier).
X.509 certificates included in an S/MIME email message sent to you can
now be imported to your key ring. The same settings you have specified
when public keys are found apply to these certificates. If specified, PGP
Desktop extracts and then imports the X.509 certificate to your keyring. If
you want to encrypt email using imported certificates, be sure to manually
sign the certificate.
In a managed environment, your PGP Universal Server administrator may
have specified a setting so that additional information is included in the
Non-Delivery Receipt when a message is blocked. If PGP Desktop is
unable to find a key for one or more of the recipients in a group list, the
email addresses are listed in the Error Details of the Non-Delivery Receipt.
PGP Portable
A link for More Info is now available on the PGP Portable dialog box
displayed when you access data on the device. Your browser launches and
the PGP Corporation Support site page is displayed.
You can now view available disk space and total size of the PGP Portable
Disk once the disk has been mounted. When you move your cursor over
the dock item for a few seconds, the PGP Notifier message appears and
displays the mount status of the PGP Portable Disk as well as the updated
disk space information.
PGP Whole Disk Encryption
The AES-128 and AES-256 cipher algorithms for PGP Desktop for Mac OS X
have been enhanced to improve the performance of encryption and decryption
as well as disk access times for encrypted disks.
Enhancement to force the encryption of boot drives, by policy. This
includes forcing encryption if policy changed (for example, you previously
did not have to encrypt boot drives, and your administrator modified policy
to require encryption).
Using this Guide
This Guide provides information on configuring and using the components
within PGP Desktop. Each chapter of the guide is devoted to one of the
components of PGP Desktop.
“Managed” versus “Unmanaged” Users
A PGP Universal Server can be used to control the policies and settings used by
components of PGP Desktop. This is often the case in enterprises using PGP
software. PGP Desktop users in this configuration are known as managed
users, because the settings and policies available in their PGP Desktop software
are pre-configured by a PGP administrator and managed using a PGP Universal
Server. If you are part of a managed environment, your company may have
specific usage requirements. For example, managed users may or may not be
allowed to send plaintext email, or may be required to encrypt their disk with
PGP Whole Disk Encryption.
Users not under the control of a PGP Universal Server are called unmanaged or
standalone users.
This document describes how PGP Desktop works in both situations; however,
managed users may discover while working with the product that some of the
settings described in this document are not available in their environments. For
more information, see Using PGP Desktop with PGP Universal Server (on page
207).
Features Customized by Your PGP Universal Server Administrator
If you are using PGP Desktop as a "managed" user in a PGP Universal
Server-managed environment, there are some settings that can be specified by
your administrator. These settings may change the way features are displayed
in PGP Desktop.
Disabled features. Your PGP Universal Server administrator can enable or
disable specific functionality. For example, your administrator may disable
the ability to create PGP Zip archives, or to create PGP NetShare protected
folders (on Windows systems).
When a feature is disabled, the control item in the left side is not displayed
and the menu for that feature is not available. The graphics included in this
guide depict the default installation with all features enabled. The PGP
Desktop interface may look different if your administrator has customized
the features available.
Conventions Used in This Guide
Notes, Cautions, and Warnings are used in the following ways.
Notes: Notes are extra, but important, information. A Note calls your
attention to important aspects of the product. You will be able to use the
product better if you read the Notes.
Cautions: Cautions indicate the possibility of loss of data or a minor security
breach. A Caution tells you about a situation where problems could occur
unless precautions are taken. Pay attention to Cautions.
Warnings: Warnings indicate the possibility of significant data loss or a major
security breach. A Warning means serious problems are going to happen
unless you take the appropriate action. Please take Warnings very seriously.
Who Should Read This Document
This document is for anyone who is going to be using the PGP Desktop for Mac
OS X software to protect their data.
Note: If you are new to cryptography and would like an overview of the
terminology and concepts in PGP Desktop, see An Introduction to
Cryptography (it was installed onto your computer when you installed PGP
Desktop).
About PGP Desktop Licensing
A license is used within the PGP software to enable the functionality you
purchased, and sets the expiration of the software. Depending on the license
you have, some or all of the PGP Desktop family of applications will be active.
Once you have entered the license, you must then authorize the software with
PGP Corporation, either manually or online.
There are three types of licenses:
Evaluation: This type of license is typically time-delimited and may not
include all PGP Desktop functionality.
Subscription: This type of license is typically valid for a subscription period
of one year. During the subscription period, you receive the current version
of PGP software and all upgrades and updates released during this period.
Perpetual: This type of license allows you to use PGP Desktop indefinitely.
With the addition of the annual Software Insurance policy, which must be
renewed annually, you also receive all upgrades and updates released
during the policy term.
About PGP Desktop Licensing
To license PGP Desktop, do one of the following:
If you are a managed user, you are most likely already using a licensed
copy of PGP Desktop. Check your license details as described in Checking
License Details (on page 5). If you have questions, please contact your PGP
administrator.
If you are an unmanaged user, or a PGP administrator, check your license
details as described in Checking License Details (on page 5). If you need to
authorize your copy of PGP Desktop, do so as described in Authorizing PGP
Desktop for Mac OS X (on page 6).
Checking License Details
To see the details of your PGP Desktop license:
1 Open PGP Desktop.
2 From the PGP menu, select License. The License Information dialog box is
displayed. This dialog box displays:
Name: The name your license is registered to.
Organization: The organization your license is registered to.
Email: The email address associated with your license.
Type: The type of license you have, Enterprise or Home.
3 Click Details. The details of your license are displayed.
Expiration Date: The date your license expires.
Number of Seats: The number of seats available for this license.
Enabled Features: The components that are active in your license.
Disabled Features: The components that are not active in your
license.
Note: If you do not authorize your copy of PGP Desktop, only limited features
are available to you (PGP Zip and Keys).
Authorizing PGP Desktop for Mac OS X
If you need to change to a new license number, or if you skipped the license
authorization process during configuration, follow these instructions to authorize
your software.
Before you begin
If you purchased PGP Desktop, you received an order confirmation with
licensing information.
1 Open PGP Desktop.
2 From the PGP menu, select License.
3 Click Change License.
4 Type the Name and Organization exactly as specified in your order
confirmation.
5 Type the Email address you want to assign to the licensing of the product.
6 Do one of the following:
Type your 28-character license number in the License Number fields
(for example, DEMO1-DEMO2-DEMO3-DEMO4-DEMO5-ABC).
Note: To avoid typing errors and make the authorization easier, copy the
entire license number, put the cursor in the first “License Number” field,
and paste. Your license number will be correctly entered into all six
License Number fields.
To purchase a PGP Desktop license, select Purchase Now. A Web
browser opens so you can access the online PGP Store.
7 Click Authorize.
8 When your license is authorized, click OK to complete the process.
Resolving License Authorization Errors
If you receive any error messages while authorizing your software, the ways to
resolve this issue vary based on the error message. See the HOWTO: License
PGP Desktop 10.1 section in the PGP Support Portal (https://support.pgp.com)
for suggestions.
If Your License Has Expired
If your PGP Desktop license has expired, you will receive a PGP License
Expiration message when you launch PGP Desktop. See the following sections
for information on how an expired license affects the functionality of PGP
Desktop.
PGP Desktop Email
Outgoing email messages are no longer sent encrypted.
PGP Virtual Disk
PGP Virtual Disks are still accessible in Read-Only mode. Read-Only allows
data to be copied from a PGP Virtual Disk, however no data can be copied
to a PGP Virtual Disk.
PGP Whole Disk Encryption
Any fixed disks that have been encrypted with PGP Desktop are automatically
decrypted 90 days after the license expiration date.
Getting Assistance
For additional resources, see these sections.
Getting product information
Unless otherwise noted, online help is installed and is available within the PGP
Desktop product. Release notes are also available, which may have last-minute
information not found in the product documentation. The users guide and quick
start guides, provided as Adobe Acrobat PDF files, are available on the
Documentation (https://pgp.custhelp.com/app/docs) section on the PGP Support
Portal.
Once PGP Desktop is released, additional information regarding the product is
entered into the online Knowledge Base available on the PGP Support Portal
Web Site (https://support.pgp.com).
Contact Information
Contacting Technical Support
To learn about PGP support options and how to contact PGP Technical
Support, please visit the PGP Corporation Support Home Page
(https://support.pgp.com).
To access the PGP Support Knowledge Base or request PGP Technical
Support, please visit PGP Support Portal Web Site
(https://support.pgp.com). Note that you may access portions of the
PGP Support Knowledge Base without a support agreement;
however, you must have a valid support agreement to request
Technical Support.
To access the PGP Support forums, please visit PGP Support
(http://forum.pgp.com). These are user community support forums hosted
by PGP Corporation.
Contacting Customer Service
For help with orders, downloads, and licensing, please visit PGP
Corporation Customer Service (https://pgp.custhelp.com/app/cshome).
Contacting Other Departments
For any other contacts at PGP Corporation, please visit the PGP Contacts
Conventional and Public Key Cryptography............................................. 12
Using PGP Desktop for the First Time .................................................... 13
PGP Desktop Terminology
To make the most of PGP Desktop, you should be familiar with the terms in the
following sections.
PGP Product Components
PGP Desktop and its components are described in the following list. Depending
on your license, you may not have all functionality available. For more
information, see About PGP Desktop Licensing (on page 5).
PGP Desktop: A software tool that uses cryptography to protect your data
against unauthorized access. PGP Desktop is available for Mac OS X and
Windows.
PGP Messaging: A feature of PGP Desktop that automatically and
transparently supports all of your email clients through policies you
control. PGP Desktop accomplishes this using a new proxy
technology; the older plug-in technology is also available. PGP
Messaging also protects many IM clients, such as AIM and iChat
(both users must have PGP Messaging enabled).
PGP Whole Disk Encryption: Whole Disk Encryption is a feature of
PGP Desktop that encrypts your entire hard drive or partition (on
Windows systems), including your boot record, thus protecting all
your files when you are not using them. You can use PGP Whole Disk
Encryption and PGP Virtual Disk volumes on the same system. On
Windows systems, you can protect whole disk encrypted drives with
a passphrase or with a keypair on a USB token for added security.
PGP NetShare: A feature of PGP Desktop for Windows with which
you can securely and transparently share files and folders among
selected individuals. PGP NetShare users can protect their files and
folders simply by placing them within a folder that is designated as
protected.
PGP Keys: A feature of PGP Desktop that gives you complete control
over both your own PGP keys, and the keys of those persons with
whom you are securely exchanging email messages.
PGP Virtual Disk volumes: PGP Virtual Disk volumes are a feature of
PGP Desktop that let you use part of your hard drive space as an
encrypted virtual disk. You can protect a PGP Virtual Disk volume with
a key or a passphrase. You can even create additional users for a
volume, so that people you authorize can also access the volume. The
PGP Virtual Disk feature is especially useful on laptops, because if
your computer is lost or stolen, the sensitive data stored on the PGP
Virtual Disk is protected against unauthorized access.
PGP Shred: A feature of PGP Desktop that lets you securely delete
data from your system. PGP Shred overwrites files so that even file
recovery software cannot recover them.
PGP Viewer: Use PGP Viewer to decrypt, verify, and display messages
outside the mail stream.
PGP Zip: A feature of PGP Desktop that lets you put any combination
of files and folders into a single encrypted, compressed package for
convenient transport or backup. You can encrypt a PGP Zip archive to
a PGP key or to a passphrase.
PGP Universal: A tool for enterprises to automatically and transparently
secure email messaging for their employees. If you are using PGP Desktop
in a PGP Universal Server-managed environment, your messaging policies
and other settings may be controlled by your organization’s PGP
administrator.
PGP Global Directory: A free, public keyserver hosted by PGP
Corporation. The PGP Global Directory provides quick and easy access
to the universe of PGP keys. It uses next-generation keyserver
technology that queries the email address on a key (to verify that the
owner of the email address wants their key posted) and lets users
manage their own keys. Using the PGP Global Directory significantly
enhances your chances of finding a valid public key of someone to
whom you want to send secured messages. PGP Desktop is
designed to work closely with the PGP Global Directory.
Terms Used in PGP Desktop
Before you use PGP Desktop, you should be familiar with the following terms:
Decrypting: The process of taking encrypted (scrambled) data and making
it meaningful again. When you receive data that has been encrypted by
someone using your public key, you use your private key to decrypt the
data.
Encrypting: The process of scrambling data so that if an unauthorized
person gets access to it, they cannot do anything with it. The data is so
scrambled, it’s meaningless.
Signing: The process of applying a digital signature to data using your
private key. Because data signed by your private key can be verified only by
your public key, the ability to verify signed data with your public key proves
that your private key signed the data and thus proves the data is from you.
Verifying: The process of proving that the private key was used to digitally
sign data by using that person’s public key. Because data signed by a
private key can only be verified by the corresponding public key, the fact
that a particular public key can verify signed data proves the signer was the
holder of the private key.
Keypair: A private key/public key combination. When you create a PGP
“key”, you are actually creating a keypair. As your keypair includes your
name and your email address, in addition to your private and public keys, it
might be more helpful to think of your keypair as your digital ID—it
identifies you in the digital world as your driver’s license or passport
identifies you in the physical world.
Private key: The key you keep very, very private. Only your private key can
decrypt data that was encrypted using your public key. Also, only your
private key can create a digital signature that your public key can verify.
Caution: Do not give your private key, or its passphrase, to anyone! And
keep your private key safe.
Public key: The key you distribute to others so that they can send
protected messages to you (messages that can only be decrypted by your
private key) and so they can verify your digital signature. Public keys are
meant to be widely distributed.
Your public and private keys are mathematically related, but there’s no way
to figure out your private key if someone has your public key.
Keyserver: A repository for keys. Some companies host keyservers for the
public keys of their employees, so other employees can find their public
keys and send them protected messages. The PGP Global Directory
(https://keyserver.pgp.com) is a free, public keyserver hosted by PGP
Corporation.
Smart cards and tokens: Smart cards and tokens are portable devices on
which you can create your PGP keypair or copy your PGP keypair. Creating
your PGP keypair on a smart card or token adds security by requiring
possession of the smart card or token in order to encrypt, sign, decrypt, or
verify. So even if an unauthorized person gains access to your computer,
your encrypted data is secure because your PGP keypair is with you on
your smart card or token. Copying your PGP keypair to a smart card or
token is a good way to use it away from your main system, back it up, and
distribute your public key. Smart cards and tokens are not available for key
storage when used with PGP Desktop for Mac OS X.
Conventional and Public Key Cryptography
Conventional cryptography uses the same passphrase to encrypt and decrypt
data. Conventional cryptography is great for data that isn’t going anywhere
(because it encrypts and decrypts quickly). However, conventional cryptography
is not as well suited for situations where you need to send encrypted data to
someone else, especially if you want to send encrypted data to someone you
have never met.
Public-key cryptography uses two keys (called a keypair) for encrypting and
decrypting. One of these two keys is your private key; and, like the name
suggests, you need to keep it private. Very, very private. The other key is your
public key, and, like its name suggests, you can share it with the general public.
In fact, you’re supposed to share.
Public-key cryptography works this way: let’s say you and your cousin in
another city want to exchange private messages. Both of you have PGP
Desktop. First, you both need to create your keypair: one private key and one
public key. Your private key you keep secret, your public key you send to a
public keyserver like the PGP Global Directory (keyserver.pgp.com), which is a
public facility for distributing public keys. (Some companies have their own
private keyservers.)
Once the public keys are on the keyserver, you can go back to the keyserver
and get your cousin’s public key, and she can go to the keyserver and get yours
(there are other ways to exchange public keys; for more information, see
Working with PGP Keys (on page 43)). This is important because to send an
encrypted email message that only your cousin can decrypt, you encrypt it
using your cousin’s public key. What makes this work is that only your cousin’s
private key can decrypt a message that was encrypted using her public key.
Even you, who have her public key, cannot decrypt the message once it has
been encrypted using her public key. Only the private key can decrypt data
that was encrypted with the corresponding public key.
Your public and private keys are mathematically related, but there’s no feasible
way to figure out someone’s private key if you just have a public key.
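The keypair relationships described in Terms Used in PGP Desktop and in this section (the public key encrypts and verifies, only the matching private key decrypts and signs, and a message encrypted to your cousin's public key cannot be read even by you, the sender) walked through in an added example that is not PGP Corporation's code. It uses textbook RSA with tiny constructed primes purely to make the relationship visible; it is not the OpenPGP format, key size, padding or hashing that PGP Desktop actually uses, and the names YOU, COUSIN and MESSAGE are made up for the demonstration.

```python
"""Toy keypair demonstration (added example, not PGP Desktop code).

Textbook RSA with small constructed primes, used only to show the
public/private key relationship. Real OpenPGP keys are thousands of bits
long; these toy parameters are trivially factorable and protect nothing.
"""
from __future__ import annotations

import hashlib
import math
from dataclasses import dataclass

BLOCK = 4  # bytes per RSA block; 2**(8*BLOCK) must stay below the modulus n


@dataclass(frozen=True)
class PublicKey:
    n: int  # modulus, shared with the private key
    e: int  # public exponent


@dataclass(frozen=True)
class PrivateKey:
    n: int
    d: int  # private exponent: the part you keep very, very private


@dataclass(frozen=True)
class Keypair:
    public: PublicKey
    private: PrivateKey


def is_prime(x: int) -> bool:
    """Trial division; adequate for the toy sizes used here."""
    return x >= 2 and all(x % f for f in range(2, math.isqrt(x) + 1))


def make_keypair(p: int, q: int, e: int = 65537) -> Keypair:
    """Textbook RSA key generation: d is the inverse of e modulo phi(n)."""
    if not (is_prime(p) and is_prime(q)):
        raise ValueError("p and q must be prime")
    n, phi = p * q, (p - 1) * (q - 1)
    if n <= 2 ** (8 * BLOCK) or math.gcd(e, phi) != 1:
        raise ValueError("modulus too small for BLOCK, or e not coprime to phi")
    return Keypair(PublicKey(n, e), PrivateKey(n, pow(e, -1, phi)))


def encrypt(pub: PublicKey, plaintext: bytes) -> tuple[int, list[int]]:
    """Anyone holding the public key can encrypt; returns (length, blocks)."""
    blocks = []
    for i in range(0, len(plaintext), BLOCK):
        chunk = plaintext[i:i + BLOCK].ljust(BLOCK, b"\0")  # pad the last block
        blocks.append(pow(int.from_bytes(chunk, "big"), pub.e, pub.n))
    return len(plaintext), blocks


def decrypt(priv: PrivateKey, ciphertext: tuple[int, list[int]]) -> bytes | None:
    """Only the matching private exponent undoes the public-key operation.

    With the wrong private key the result is garbage; when that garbage does
    not even fit in a block, None is returned instead of raising.
    """
    length, blocks = ciphertext
    out = bytearray()
    for c in blocks:
        m = pow(c, priv.d, priv.n)
        if m >= 2 ** (8 * BLOCK):
            return None
        out += m.to_bytes(BLOCK, "big")
    return bytes(out[:length])


def digest(message: bytes) -> int:
    """Toy: SHA-256 truncated so the digest fits in one RSA block."""
    return int.from_bytes(hashlib.sha256(message).digest()[:BLOCK], "big")


def sign(priv: PrivateKey, message: bytes) -> int:
    """Signing applies the private key to the message digest."""
    return pow(digest(message), priv.d, priv.n)


def verify(pub: PublicKey, message: bytes, signature: int) -> bool:
    """Verifying needs only the signer's public key."""
    return pow(signature, pub.e, pub.n) == digest(message)


# Constructed toy primes for "you" and "your cousin"; not real key material.
YOU = make_keypair(1000003, 1000033)
COUSIN = make_keypair(1000037, 1000039)
MESSAGE = b"Meet me at the station at noon."  # constructed sample message


def exchange() -> dict[str, bool]:
    """The cousin scenario from the text; every check should come out True."""
    to_cousin = encrypt(COUSIN.public, MESSAGE)  # you encrypt with HER public key
    signed = sign(YOU.private, MESSAGE)          # you sign with YOUR private key
    return {
        "cousin_can_decrypt": decrypt(COUSIN.private, to_cousin) == MESSAGE,
        "sender_cannot_decrypt": decrypt(YOU.private, to_cousin) != MESSAGE,
        "your_public_key_verifies": verify(YOU.public, MESSAGE, signed),
        "other_key_does_not_verify": not verify(COUSIN.public, MESSAGE, signed),
        "tampering_detected": not verify(YOU.public, MESSAGE + b"!", signed),
    }


if __name__ == "__main__":
    for check, ok in exchange().items():
        print(f"{check}: {ok}")
```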
Using PGP Desktop for the First Time
PGP Corporation recommends the following procedure for getting started with
PGP Desktop:
1 Install PGP Desktop on your computer.
If you are a corporate user, your PGP administrator may have specific
installation instructions for you to follow or may have configured your PGP
installer with certain settings. Either way, this is the first step.
2 Let the Setup Assistant be your guide.
To help you get started, after you install PGP Desktop and reboot your
computer, the Setup Assistant is displayed. It assists with:
Licensing PGP Desktop
Creating a keypair—with or without subkeys (if you do not already
have a keypair).
Publishing your public key on the PGP Global Directory.
Enabling PGP Messaging
Giving you a quick overview of other features.
If your PGP Desktop installer application was configured by a PGP
administrator, the Setup Assistant may perform other tasks.
3 Exchange public keys with others.
After you have created a keypair, you can begin sending and receiving
secure messages with other PGP Desktop users (once you have
exchanged public keys with them). You can also use the PGP Desktop
disk-protection features.
Exchanging public keys with others is an important first step. To send them
secure messages, you need a copy of their public key, and to reply with a
secure message, they need a copy of your public key. If you did not upload
your public key to the PGP Global Directory using the Setup Assistant, do
so now. If you do not have the public key for someone to whom you want
to send messages, the PGP Global Directory is the first place to look. PGP
Desktop does this for you—when you send email, it finds and verifies the
keys of other PGP Desktop users automatically. It then encrypts your
message to the recipient public key, and sends the message.
4 Validate the public keys you get from untrusted keyservers.
When you get a public key from an untrusted keyserver, try to make sure
that it has not been tampered with, and that the key really belongs to the
person it names. To do this, use PGP Desktop to compare the unique
fingerprint on your copy of someone’s public key to the fingerprint on that
person’s key (a good way to do that is by telephoning the key’s owner and
having them read you the fingerprint information so that you can compare
it). Keys from trusted keyservers like the PGP Global Directory have already
been verified.
5 Start securing your email, files, and instant message (IM) sessions.
After you have generated your keypair and exchanged public keys, you can
begin encrypting, decrypting, signing, and verifying email messages and
files. The secure IM chat session feature generates its own keys
automatically, so you can use this feature even before you generate your
keypair. The only requirement is that you must be chatting with another
PGP Desktop user for the chat session to be secured.
6 Watch for information boxes from the PGP Desktop Notifier feature to
appear.
As you send or receive messages, or perform other PGP Desktop
functions, the PGP Desktop Notifier feature displays information boxes that
appear in whichever corner of the screen you specify. These PGP Notifier
boxes tell you the action that PGP Desktop took, or will take. After you
grow familiar with the process of sending and receiving messages, you can
change options for the PGP Notifier feature—or turn it off.
7 After you have sent or received some messages, check the logs to
make sure everything is working correctly.
If you want more information than the Notifier feature displays, the PGP
Log provides detailed information about all messaging operations.
8 Modify your messaging policies, if necessary.
Email messages are sent and received—automatically and seamlessly—if
PGP Desktop messaging policies are configured correctly. If your message
recipient has a key on the PGP Global Directory, the default PGP Desktop
policies provide opportunistic encryption. Opportunistic encryption means
that, if PGP Desktop has what it needs (such as the recipient's verified
public key) to encrypt the message automatically, then it does so.
Otherwise, it sends the message in clear text (unencrypted). The default
PGP Desktop policies also provide optional forced encryption. This means
that, if you include the text “[PGP]” in the Subject line of a message, then
the message must be sent securely. If verified keys cannot be found, then
the message is not sent, and a Notifier box alerts you.
9 Start using the other features in PGP Desktop.
Along with its messaging features, you can also use PGP Desktop to
secure the disks that you work with:
Use PGP Whole Disk Encryption to encrypt a boot disk, disk partition
(on Windows systems), external disk, or USB thumb drive. All files on
the disk or partition are secured — encrypted and decrypted on the fly
as you use them. The process is completely transparent to you.
Use PGP Virtual Disk to create a secure “virtual hard disk.” You can
use this virtual disk like a bank vault for your files. Use PGP Desktop
or Windows Explorer or the Mac OS X finder to unmount and lock the
virtual disk, and your files are secure, even if the rest of your
computer is unlocked.
Use PGP Zip to create compressed and encrypted PGP Zip archives.
These archives offer an efficient way to transport or store files
securely.
Use PGP Shredder to delete sensitive files that you no longer need.
PGP Shredder removes them completely, eliminating any possibility of
recovery.
3 Installing PGP Desktop
This section describes how to install PGP Desktop onto your computer and how
to get started after installation.
In This Chapter
System Requirements............................................................................. 17
Installing and Configuring PGP Desktop.................................................. 17
Moving Your PGP Desktop Installation from One Computer to Another 23
System Requirements
The minimum system requirements to install PGP Desktop on your Mac OS X
system are:
Apple Mac OS X 10.5.x or 10.6.x (Intel)
512 MB of RAM
64 MB hard disk space
Installing and Configuring PGP Desktop
This section includes information on installing or upgrading PGP Desktop, as
well as information on the Setup Assistant.
Installing the Software
Note: You must have administrative rights on your system in order to install
the update.
The PGP Desktop installer walks you through the installation process.
To install PGP Desktop on your Mac OS X system
1 Quit all other applications.
2 Mount the PGP DiskCopy image.
3 Double-click PGP.pkg.
4 Follow the on-screen instructions.
5 If prompted to do so, restart your system.
Note: If you are in a domain protected by a PGP Universal Server, your PGP
administrator may have preconfigured your PGP Desktop installer with
specific features and/or settings. In addition, if your PGP administrator set up
silent enrollment, your Windows domain password will be used for all
passphrase requirements in PGP Desktop. If specified by policy, PGP Whole
Disk Encryption may automatically start to encrypt your disk when your
Windows password is entered.
Using PGP Desktop with Apple Boot Camp
Apple Boot Camp is compatible with PGP Desktop version 10.0 or later. To use PGP
Desktop with Boot Camp, you must install the software and encrypt the disk in
a specific order.
Before you begin, be sure you have installed Boot Camp correctly. For
information on how to set up Boot Camp, refer to the Boot Camp Installation and Setup Guide (
from Apple. Note that in order to use Windows XP in the Windows partition,
you must configure the partition as FAT32. PGP Desktop does not support
installing Linux on a partition in Boot Camp.
If you need to decrypt your disk, PGP Corporation recommends that you do so
from the Mac OS X partition.
For more information on using PGP Desktop with Apple Boot Camp, see PGP KB Article 1697 (
Note: Be sure that your disk is not encrypted (if it is, decrypt the disk before
installing Boot Camp) and then uninstall PGP Desktop.
To use Apple Boot Camp in a standalone environment
1 Install Apple Boot Camp.
2 Install PGP Desktop on the Mac OS X partition and complete the installation.
3 Boot into the Windows partition and install PGP Desktop on the Windows
partition. Do not run the Setup Assistant on the Windows partition.
4 Boot into the Mac OS X partition and encrypt your disk. At this point, if you
pause the encryption process while running Mac OS X, you can boot into
the Windows partition but you must resume encryption while running Mac
OS X.
To use Apple Boot Camp in a PGP Universal Server-managed
environment
1 Install Apple Boot Camp.
2 Boot into the Windows partition and install PGP Desktop on the Windows
partition. Do not run the Setup Assistant on the Windows partition.
3 Install PGP Desktop on the Mac OS X partition and complete enrollment
with the setup assistant.
4 While still booted into the Mac OS X partition, begin to encrypt your disk.
At this point, if you pause the encryption process while running Mac OS X,
you can boot into the Windows partition but you must resume encryption
while running Mac OS X.
Upgrading the Software
Note: PGP Desktop for Mac OS X, and PGP Universal Satellite for Mac OS X
cannot both be installed in the same system. The installers for both products
will detect the presence of the other program and end the install.
You can upgrade to PGP Desktop for Mac OS X from a previous version of one
of the following products:
PGP Desktop for Mac OS X
PGP Universal Satellite for Mac OS X
Important Note: If you are upgrading your computer to a new version of the
operating system and want to use this version of PGP Desktop, be sure to
uninstall any previous versions of PGP Desktop before upgrading the OS and
installing this release. Be sure to back up your keys and keyrings before
uninstalling. Note that if you have used PGP Whole Disk Encryption, you will
need to decrypt your disk before you can uninstall PGP Desktop.
Upgrading PGP Desktop
Do one of the following:
From PGP Desktop 8.x or 9.x for Mac OS X, begin the installation
process for PGP Desktop 10.1 for Mac OS X.
The existing version of PGP Desktop for Mac OS X is automatically
uninstalled, then PGP Desktop 10.1 for Mac OS X is installed. Existing
keyrings and PGP Virtual Disk files are usable in the upgraded version.
From a version of PGP Desktop for Mac OS X prior to Version 8.0, you
must manually uninstall the existing software before beginning the
installation of PGP Desktop 10.1 for Mac OS X. Existing keyrings and PGP
Virtual Disk files are usable in the upgraded version.
Upgrading from PGP Universal Satellite
Do one of the following:
From PGP Universal Satellite version 1.2 or previous for Mac OS X,
begin the installation process for PGP Desktop 10.1 for Mac OS X.
Existing versions of PGP Universal Satellite for Mac OS X are automatically
uninstalled, then PGP Desktop 10.1 for Mac OS X is installed. Existing
settings are retained.
Caution: Installing any version of PGP Universal Satellite on top of PGP
Desktop 10.1 for Mac OS X is an unsupported configuration. Neither
program will work correctly. Uninstall both programs and then reinstall
only PGP Desktop.
From PGP Desktop for Mac OS X (version 8.x) and PGP Universal
Satellite: Follow the installation process for PGP Desktop 10.1 for Mac OS X.
PGP Desktop for Mac OS X and PGP Universal Satellite for Mac OS X are
both automatically uninstalled, then PGP Desktop 10.1 for Mac OS X is
installed. Existing keyrings and PGP Virtual Disk files are usable in the
upgraded version, as are existing PGP Universal Satellite for Mac OS X
settings.
Checking for Updates
Note: The option to automatically check for updates is no longer available in
PGP Desktop, starting with version 10.1. To check for an update or to install
an update, you must manually download the file.
With the acquisition of PGP Corporation by Symantec Corporation, PGP
operations is in the process of integrating with Symantec operations. When
checking to see if there are updates, or to download an update, use the second
download link if the first link does not appear operational.
To upgrade PGP Desktop, do the following:
Go to the PGP License and Entitlement Management System (LEMS) and
log in (https://lems.pgp.com/account/login). If the update for PGP Desktop
is not available, then go to Symantec FileConnect
(https://fileconnect.symantec.com/), select your language, and enter your
serial number.
Upgrading From Standalone to Managed PGP Desktop Installations
If you have been using PGP Desktop in standalone mode and now will be
managed by a PGP Universal Server, you must install a bound and stamped
version of PGP Desktop over your existing, standalone installation. You must
also complete the enrollment process. Your PGP Administrator will provide an
installation file so you can install a bound and stamped version.
Upgrading the Operating System Software
If you are upgrading your computer to a new major release of the operating
system (for example, on a Windows system to Windows Vista or on a Mac OS
X system from 10.4.x to 10.5.x), be sure to do the following:
1 Back up your keys and keyrings before uninstalling.
2 If you have used PGP Whole Disk Encryption, decrypt your disk before you
uninstall PGP Desktop.
3 Uninstall any previous versions of PGP Desktop before upgrading to the
new version of the operating system.
4 Once you have upgraded your version of the operating system, reinstall
PGP Desktop. Import your keys/keyring and, if necessary, you can then
encrypt your disk.
Licensing PGP Desktop
For license information for this release, see the PGP Desktop Release Notes.
Running the Setup Assistant
The Setup Assistant displays a series of screens that ask you questions—then
uses your answers to configure PGP Desktop for you.
If you have questions about any of the content on the Setup Assistant screens,
click Help on the screen.
The Setup Assistant does not configure all PGP Desktop settings. When you
finish going through the Setup Assistant screens, you can then configure those
settings not covered in the Setup Assistant.
Integrating with Entourage 2008
The PGP Desktop for Mac OS X installation package includes scripts so you can
integrate PGP Desktop with Entourage. Once the scripts are copied to the
required folders, the Scripts menu in Entourage includes a PGP menu option.
Use the Entourage scripts to encrypt email text without having to use an email
proxy.
To integrate PGP scripts with Entourage
1 If it is running, quit Entourage.
2 Open the PGP Desktop for Mac OS X download.
3 In the PGP Desktop download folder, open the Extras folder.
4 In the Extras folder, open the Entourage folder.
5 Double-click the file EntourageScripts.zip to extract the following
scripts from the zip file:
Decrypt & Verify\mod
Encrypt & Sign\moc
Encript\moe
Sign\mos
6 Copy and paste the scripts to the following folder:
User Profile\Documents\Microsoft User Data\Entourage Script Menu
items\PGP
7 Start Entourage. The Scripts menu now includes a PGP menu option.
See Using PGP Scripts with Entourage 2008 (on page 119) for information on
how to encrypt and decrypt messages.
Uninstalling PGP Desktop
To uninstall PGP Desktop
1 In PGP Desktop, from the PGP menu, select Uninstall. A confirmation
dialog box is displayed.
2 Click Yes to continue with the uninstall process.
3 You are prompted to authenticate as the administrative user of the Mac OS
X system from which you are uninstalling PGP Desktop. Enter the
appropriate password, then click OK. The PGP Desktop software is
removed from your system.
Your keyring and PGP Virtual Disk files are not removed from your system, in
case you decide to reinstall PGP Desktop in the future.
Moving Your PGP Desktop Installation from One Computer to Another
Moving a PGP Desktop installation from one computer to another is not a
difficult process, although there are a few crucial steps which must be
completed successfully. The process consists of the following steps:
To transfer your PGP Desktop installation to another computer
1 Uninstall PGP Desktop. To do this, in PGP Desktop from the PGP menu,
select Uninstall.
Note that this step does not remove the keyring files.
2 Transfer the keyrings. To do this, copy the keyring files (both
pubring.pkr and secring.skr) from the old computer to removable
media such as a flash drive, and then copy them to the new computer. The
default location for the keyring files is in the PGP folder.
If PGP Desktop has never been installed on the new computer, create this
folder first before copying the keyring files to the computer.
3 Install PGP Desktop on the new computer. To do this, download PGP
Desktop by clicking the download link in your original PGP order
confirmation email.
4 During the installation process, do the following:
During the PGP Desktop setup wizard on the new computer select
No, I have existing keyrings and specify the location where you
copied the keyring files to on the new computer.
Use the same name, organization, and license number used when
PGP Desktop was originally authorized.
4 The PGP Desktop User Interface
This section describes the PGP Desktop user interface.
In This Chapter
PGP Desktop and the Finder ................................................................... 35
Viewing the PGP Log............................................................................... 41
Accessing PGP Desktop Features
There are four main ways to access PGP Desktop:
PGP Desktop Main Screen (on page 26)
Using the PGP Desktop Icon in the Menu Bar (on page 27)
Using the PGP Dock Icon (on page 28)
Using the Mac OS X Finder (on page 29)
PGP Desktop Main Screen
The main screen of PGP Desktop is your primary interface to the product.
The PGP Desktop main screen includes:
1 The search field. Lets you search for keys on the local
keyring. Simply enter characters and the names and
email addresses on the local keyring that include those
characters will display. Click Advanced Search for
more search criteria.
2 The PGP Desktop Work area. Displays information
about and actions you can take for the selected item.
3 The Toolbar. Provides access to frequently used
features. You can:
Create a new PGP Zip archive.
Create a new PGP Virtual Disk.
Mount an existing PGP Virtual Disk.
Synchronize keys.
Shred files.
4 The Keys item. Gives you control over the PGP keys
that PGP Desktop is managing for you.
5 The PGP Disk item. Use this item to view and manage
PGP Virtual Disk volumes. Also, you can use this item to
create new PGP Virtual Disk volumes, as well as
encrypting an entire non-boot disk using the PGP Whole
Disk Encryption feature.
6 The PGP Messaging item. Use this item to manage
PGP Messaging services. You can also use this item to
create new services and policies, and manage existing
services and policies.
7 The Keyservers item. Use this item to view and
manage keyservers.
(not shown) The PGP Zip item. Use this item to view
and manage PGP Zip archives.
Using the PGP Desktop Icon in the Menu Bar
One way to access many PGP Desktop features is from the PGP Desktop icon
in the Menu Bar.
When you click the PGP Desktop icon in the Menu Bar, the PGP menu is
displayed. Note that not all options may be available, depending on if you are a
standalone or managed installation.
About PGP Desktop. Displays a window with information about the
version of PGP Desktop you are using, licensing information, and a list of
the people who helped create PGP Desktop. This window also has a
button that you can use to uninstall PGP Desktop.
Help. Opens the PGP Desktop integrated online help.
Open PGP Desktop. Opens the PGP Desktop main screen.
Open PGP Viewer. Opens PGP Viewer so you can decrypt email out of the
mail stream.
View Notifier. Displays the PGP Desktop Notifier box, so you can review
the Notifier messages that have appeared.
Show Log. Displays the PGP Desktop Log. Use the PGP Desktop Log to
see what actions PGP Desktop is taking to secure your data.
Clear Log. Clears the PGP Log.
Update Policy. Manually downloads policy from the PGP Universal Server.
This option is available only for managed installations.
Change Passphrase. Provides a shortcut so you can change your
passphrase on your key. This option is available only for managed
installations.
Purge Caches. Clears from memory any cached information, such as
passphrases and cached public keys.
Hide. Removes the PGP icon from the menu bar, but leaves the
background parts of the application running.
The Hide command becomes the Quit command if you hold down the
Option key before clicking the PGP Desktop icon. This removes the PGP
Desktop icon from the menu bar and causes the background parts of PGP
Desktop to quit. Shortcut menu functionality continues to work.
Caution: If you use the Option key and the PGP Menu Bar icon to quit the
background parts of PGP Desktop, email messages are no longer
encrypted, decrypted, signed, or verified. You may also not be able to
decrypt messages received while the background parts of PGP Desktop
were not running, even after they are started again. Finally, no key
management is done while the background parts of the software are not
running. For these reasons, it is recommended that you keep the PGP
Desktop background processes running at all times.
To restart the background processes of PGP Desktop if the application is
not running
1 Locate the PGP Desktop application on your system. The default location is
in the Applications folder.
2 Double-click the PGP Desktop application icon. PGP Desktop starts and its
icon is displayed in the Menu Bar.
Using the PGP Dock Icon
One way to access many PGP Desktop features is from the PGP Dock icon.
Use the PGP Desktop icon in the Mac OS X Dock in any of these ways, then
select an option from the menu displayed:
Click the PGP Desktop Dock icon and hold the mouse button down.
Ctrl+click the Dock icon.
Right-click the Dock icon, if you are using a two-button mouse.
The PGP Desktop icon is displayed in the Dock when the application is open, or
when you have put the PGP Desktop icon into the Dock manually.
When you click and hold the PGP Desktop icon in the Dock when the
application is already open (or Ctrl+click it, or use the right mouse button if you
are using a two-button mouse), a menu is displayed giving you access to the
following commands:
Any currently-open PGP Desktop windows. If PGP Desktop is currently
running, any of its windows that you have open appear at the top of this
menu.
About PGP Desktop. Displays the PGP Desktop About dialog box. The
About dialog box displays the PGP Desktop credits, what version you are
currently using, and has a button that you can use to uninstall the PGP
Desktop software.
Preferences. Opens the PGP Desktop Preferences.
Clipboard. Lets you Encrypt, Sign, Encrypt & Sign, or Decrypt/Verify the
contents of the Clipboard.
Purge Caches. Clears from memory any cached information, such as
passphrases and cached public keys.
The remaining menu items, in the lowest section of the menu, are standard
Mac OS X Dock items:
Remove from Dock/Keep in Dock. Removes or adds the PGP Desktop
icon in the Dock.
Open at Login. Sets your Mac OS X Account System Preference so that
PGP Desktop starts when you log on to your computer.
Show In Finder. Shows the location of the PGP Desktop application in a
Finder window.
Hide. Hides any PGP Desktop application screens.
Quit. Quits the PGP Desktop application.
If you click and hold the PGP Desktop icon in the Dock when the application is
not open, you see the standard Mac OS X Dock items.
Using the Mac OS X Finder
You can also access PGP Desktop functions from the Mac OS X Finder. From
the Desktop or a Finder window, Ctrl+click a file or folder (or right-click it if
you have a two-button mouse), then select PGP from the shortcut menu
displayed.
To use the Mac OS X Finder
1 Open a Finder window.
2 Ctrl+click (or right-click, if you are using a two-button mouse) the desired
file or folder.
3 Select the appropriate option from the PGP shortcut menu. Choose
Encrypt, Sign, Encrypt & Sign, Decrypt/Verify, Shred, or Mount (if you
have PGP Virtual Disks).
Tip: You can also right-click a file or folder from the Desktop.
PGP Desktop Notifier alerts
The PGP Desktop Notifier feature displays a small information box that tells you
the status of incoming and outgoing email messages, as well as instant
messaging sessions.
In a PGP Universal Server-managed environment, your administrator may have
specified certain notifications settings (for example, whether notifications are to
be displayed or the location of the notifier). In this case, you may not see any
notifier messages at all.
PGP Desktop Notifier for Messaging
Use the PGP Desktop Notifier for Messaging feature to:
See if an incoming email is properly decrypted and/or signed.
See if an outgoing email is properly encrypted and/or signed.
Stop an email message from being sent if the encryption options are not
what you want.
View a quick summary of the sender, subject, and encryption key of an
email.
Review, at any time, the status of previous incoming or outgoing messages
for that Windows session.
See that a chat session with another PGP Desktop user is being secured.
Use the PGP Desktop Notifier feature to monitor all or some of your incoming
email, as well as maintain precise control over all or some of your outgoing
messages. The choice is yours. You can set various Notifier options, or turn the
PGP Desktop Notifier feature completely off if you prefer.
Some additional points about the PGP Desktop Notifier feature:
For message notifications, use the left and right arrow buttons in the
upper-right corner of the Notifier box to scroll Notifier messages forward or
backward. This way, you can review messages that came before or after
the message you are viewing currently.
When they first display, Notifier message boxes have a partially transparent
appearance to prevent obscuring anything on your screen. Notifier
message boxes become opaque if you move your cursor over them, and
become translucent again when you move your cursor away from them.
Unless the cursor is over them, Notifier messages display for four seconds
(this default setting can be changed in the Notifier options). If you want
more time to read a Notifier, move your cursor over the Notifier and it
remains on your display.
If you completely miss reading a Notifier, or you would like to review
previous ones, do the following:
On Windows systems, choose View Notifier from the PGP Tray icon.
On Mac OS X systems, choose View Notifier from the PGP Desktop
icon in the Mac OS X Menu Bar.
Close a Notifier message by clicking the X (in the upper right corner of the
message on Windows systems, in the upper left corner on Mac OS X
systems).
For more information about setting PGP Desktop Notifier options, see Notifier Options (see "Notifications Preferences" on page 198).
Incoming PGP Desktop Notifier messages
Notifications for incoming email provide information on whether the email was
decrypted and verified, or decrypted and signed by an unverified or unknown
key.
Outgoing PGP Desktop Notifier messages
For simple notification, choose to have a PGP Desktop Notifier appear
momentarily when email is sent (all email, or email meeting certain criteria). The
notifier message displays information that PGP Desktop is searching for the
public keys of the person in the To line. When the appropriate keys are found,
the Status line changes to indicate the message will be sent encrypted. If the
appropriate keys cannot be found, PGP Desktop follows policy and may send
the message unencrypted or block the message.
After a message has been sent encrypted, click More to see the details of how
PGP Desktop handled the message. It is not necessary for you to view this
additional information unless you want to see it. To hide the additional
information again, click Less.
You can delay a message from being sent by moving your cursor over the
Notifier box. If you do not do this within 4 seconds (you can set this interval in
preferences for the Notifier feature) the message is sent unencrypted, and the
Status field reflects that.
If you do move your cursor over the message, Block and Send buttons appear
in the Notifier box. Click Block to stop the message from being transmitted, or
Send to send the message.
If you send an email to more than one recipient, and PGP Desktop is able to find
keys for some recipients but not others, the Notifier informs you of the status,
and gives you two options:
Send the email encrypted to those with keys, and unencrypted to those
without them.
Block the message so it is sent to no one.
Outgoing PGP Desktop Notifier Messages for Offline Policy
If you are using PGP Desktop in a PGP Universal Server-managed environment,
your administrator may have specified what actions to take on outgoing
messages if the PGP Universal Server is not available. The outgoing notifier
message indicates one of the following:
Your PGP Universal Server is not available and policy has been set to block
all messages. Email messages remain in your outbox and are sent when
the PGP Universal Server can be contacted.
Your PGP Universal Server is not available and policy has been set to send
all messages in the clear.
Your PGP Universal Server is not available and policy has been set to allow
your local policy to take precedence.
In the latter two cases, you can choose to send or block the outgoing message
as you would any other outgoing message.
PGP Notifier for Instant Messaging
If you have PGP Desktop installed on your computer, and if you have specified
to receive Notifiers for Instant Messaging (under the Notifications tab in PGP
Desktop Preferences), then PGP Desktop Notifiers alert you when the AOL
Instant Messenger (AIM) sessions that you have with other PGP Desktop users
are protected.
When you use the secure instant messaging feature, a Notifier displays when
you log on to the instant messaging program to inform you that your chat is
secure, and a padlock icon displays next to your “buddy name” with most
AIM-compliant instant messaging clients.
When you log off of your instant messaging program, a final Notifier message
informs you that the secure session has ended.
For more information on proper configuration, as well as the use of the secure
instant message chat feature, see Securing Instant Messages.
Enabling or Disabling Notifiers
In a PGP Universal Server-managed environment, your administrator may have
specified certain notifications settings (for example, whether notifications are to
be displayed or the location of the notifier). In this case, the Notifications
Preferences panel is not available and not displayed.
To enable or disable Notifiers
1 Open PGP Desktop and select PGP > Preferences.
2 Click the Notifier icon.
3 Under Usage, specify if you want to Use PGP Notifier and, if so, the
location. PGP Desktop Notifications can appear at any of the four corners of
your screen (Lower Right, Lower Left, Upper Right, or Upper Left).
Select the corner that you want PGP Desktop Notifications to appear. The
default position is Upper Left.
4 If you are using PGP Desktop Messaging and you want PGP Desktop
Notifiers to appear, informing you of encryption and/or signing status when
you send email, select the checkbox to Notify when processing
outbound email. Deselect this checkbox to stop PGP Desktop Notifiers
from appearing when you send mail.
5 PGP Desktop looks for a public key for every recipient of the email
messages that you send. By default, if it cannot find a public key for a
recipient, it sends that email in the clear (without encryption). Select Ask
me before sending email when the recipient’s key is not found if you
want to be notified when a key is not found and be given a chance to block
the email so that it is not sent. Then specify the following options:
Always ask me before sending email: Select this checkbox if you
would prefer approving every email that you send. You can review the
encryption status in the Notifier, and either send or block the email.
Delay outbound email for n second(s) to confirm (where n is a
number from 1-30; the default is 4 seconds). To change the amount of
time that outbound messages are delayed, and a PGP Desktop
Notifier is displayed, click the up or down arrows. Use the delay
period to review the PGP Desktop Notifier message.
(For more information on the PGP Desktop default policy settings, see
Services and Policies (on page 90).)
6 For incoming email, specify how you are notified of its status upon arrival.
Select one of the following for Display notifications for incoming mail:
When receiving secured email—A Notifier appears whenever you
receive secured email. The box displays who the email is from, its
subject, its encryption and verification status, and the email address of
the person sending it.
Only when message verification fails—For incoming email, you see
a Notifier only when PGP Desktop is unable to verify the signature of
the incoming email.
Never—If you do not need or want to see a Notifier as you receive
email, select this option. This option does not affect Notifiers for
outgoing mail.
7 If you want a PGP Desktop Notifier to appear briefly when you begin a
secure instant message chat, and appear briefly again when the chat ends,
select the checkbox to Notify for status of PGP Encrypted IM sessions.
5 PGP Desktop and the Finder
This section describes how you can access certain PGP Desktop functions
using shortcut menus in the Finder.
Mount or Unmount a PGP Virtual Disk Volume....................................... 39
Import a PGP Key .................................................................................... 39
Add PGP Public Keys to Your Keyring ..................................................... 40
Extract the Contents of a PGP Zip Archive.............................................. 40
Overview
Access PGP Desktop functions using shortcut menus in the Finder to get the
same PGP Desktop functionality from the Mac OS X Services menu.
Depending on what you select, you can:
Encrypt, Sign, or Encrypt and Sign
Shred
Decrypt/verify
Mount, edit, or unmount a PGP Virtual Disk volume
Import a PGP key
Add PGP keys to your keyring
View the contents of a PGP Zip archive
Access shortcut menus in the Finder by:
Ctrl+clicking: With a one-button mouse, hold down the Control (ctrl) key on
the keyboard and click the item.
Right-clicking: On a two-button mouse, click the item with the right mouse
button held down.
In this document, the Ctrl+click method is used. If you right-click or use a
different method for accessing shortcut menus in the Finder, substitute that
method where it says to Ctrl+click.
Note: Files “in the Finder” also include files on the Mac OS X Desktop.
Encrypt, Sign, or Encrypt and Sign
PGP Desktop lets you encrypt, sign, or encrypt and sign unencrypted files,
folders, and even entire drives from the Finder.
Encrypting and/or signing files and folders is a good way to protect just a few
important files and/or folders in a situation where a PGP Virtual Disk volume is
not justified.
If you are considering encrypting and/or signing a drive in the Finder, a PGP
Virtual Disk volume might be a better solution. For more information, see Using
PGP Virtual Disks.
To encrypt and/or sign files and/or folders in the Finder
1 In the Finder, select the files and/or folders you want to encrypt and/or
sign. Use the Shift or Command keys to select any combination of files and
folders.
2 Ctrl+click the selected files and/or folders, or right-click if you have a
two-button mouse. From the shortcut menu, choose Encrypt & Sign from
the PGP menu. (If you select just Encrypt, you will not be prompted for a
signing key; if you select just Sign, you will not be prompted to select a
public key to encrypt to.) The PGP Recipients dialog box is displayed.
3 Drag the public keys of the persons you want to be able to decrypt the
items you are encrypting into the Recipients field at the bottom of the
dialog box.
4 Click the down arrow icon above the OK button to specify the appropriate
options:
Conventional Encrypt. Select this checkbox to rely on a common
passphrase rather than on public-key cryptography. The file is
encrypted with a session key that is protected by a passphrase you
specify; the same passphrase is needed to decrypt it.
If you are using PGP Desktop in a PGP Universal Server-managed
environment, conventional encryption may be disabled.
Text Output. When sending files as attachments with some email
applications, you may need to select the Text Output checkbox to
save the file as ASCII text. This is sometimes necessary in order to
send a binary file using older email applications. Selecting this option
increases the size of the encrypted file by about 30 percent.
Shred Original. Select this checkbox to overwrite the original
document that you are encrypting, so that your sensitive information
is not readable by anyone who can access your system.
MacBinary. MacBinary is the standard method by which a Mac OS X
file is converted into a single file so that it can be transferred to
another Macintosh or PC without losing either its Data or Resource
segment. Options are Yes, No, or Smart.
Yes means the whole file is included, including the Mac OS X specific
information. No means only the data segment is included. Smart
means the file type determines if the Mac OS X specific information is
included.
5 Click OK. If you selected the Conventional Encryption option, you are
prompted for a passphrase to protect the encrypted items.
6 Enter a passphrase, enter it again, then click OK. The Enter PGP
Passphrase dialog box is displayed.
7 Using the Signing Key list, specify a private key to be used to sign the
items you are encrypting and signing, then enter the passphrase of the
signing key. If the passphrase is cached, you do not have to enter it.
Normally, as an added level of security, the characters you enter for the
passphrase do not appear on the screen. However, if you are sure that no
one is watching (either physically or over the network) and you would like
to see the characters of your passphrase as you type, select the Show
Keystrokes checkbox.
8 To save your passphrase in the Mac OS X Keychain, select the box. You
will not need to enter the passphrase the next time you access this
feature.
9 Click OK. A PGP Zip archive (<file name>.pgp) file is created at the same
location as the encrypted and signed items.
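The Text Output option in step 4 saves the encrypted file as ASCII text and grows it by about 30 percent. The following Python example, added here and not PGP Desktop's own code, shows where that figure comes from: radix-64 encoding as used by OpenPGP ASCII armor turns every 3 bytes into 4 characters, and the BEGIN/END lines, line breaks and the CRC-24 checksum line add a little more. The CRC-24 constants are those published in RFC 4880 section 6.1; the 64-character line length and the sample data are assumptions made for the example.

```python
import base64

# CRC-24 parameters from RFC 4880 section 6.1 (the checksum on the armor's "=" line).
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB
LINE_LENGTH = 64   # assumed line length for the radix-64 body


def crc24(data: bytes) -> int:
    """CRC-24 over the binary data, as carried in the armor checksum line."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(data: bytes) -> str:
    """Wrap binary OpenPGP data in ASCII armor, the form the Text Output option writes."""
    body = base64.b64encode(data).decode("ascii")
    lines = [body[i:i + LINE_LENGTH] for i in range(0, len(body), LINE_LENGTH)]
    checksum = base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    return "\n".join(["-----BEGIN PGP MESSAGE-----", "", *lines, "=" + checksum,
                      "-----END PGP MESSAGE-----", ""])


def dearmor(text: str) -> bytes:
    """Reverse of armor(); refuses text whose CRC-24 no longer matches the data."""
    lines = text.strip().splitlines()
    if lines[0] != "-----BEGIN PGP MESSAGE-----" or lines[-1] != "-----END PGP MESSAGE-----":
        raise ValueError("not an armored PGP message")
    body = lines[lines.index("") + 1:-1]      # skip the (empty) armor header block
    checksum_line = body.pop()
    if not checksum_line.startswith("="):
        raise ValueError("missing CRC-24 line")
    data = base64.b64decode("".join(body))
    expected = int.from_bytes(base64.b64decode(checksum_line[1:]), "big")
    if crc24(data) != expected:
        raise ValueError("CRC-24 mismatch: armored text was altered or truncated")
    return data


def is_intact(text: str) -> bool:
    """True when the armored text decodes and its checksum verifies."""
    try:
        dearmor(text)
        return True
    except ValueError:
        return False


def expansion_ratio(data: bytes) -> float:
    """Armored size divided by binary size; approaches 4/3 * 65/64 for large files."""
    return len(armor(data).encode("ascii")) / len(data)


# Constructed stand-in for 3 KB of ciphertext (not real PGP output).
SAMPLE = bytes(range(256)) * 12

if __name__ == "__main__":
    print("expansion: %.3f" % expansion_ratio(SAMPLE))
```

Running the block on the 3 KB sample gives an expansion of roughly 1.37; the fixed BEGIN/END lines matter less as files grow, so the ratio settles towards 1.35, which is the "about 30 percent" the manual quotes. The checksum is a transport integrity check only, not a security control: it catches a mangled attachment, not a deliberate change, which is what the signature is for.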
Shred
For those situations where you want to be absolutely certain that specific files
and/or folders are securely deleted from your system, you can Shred them from
the Finder.
Putting a file or folder into the Mac OS X Trash just allows new files to
overwrite the file or folder you think you are “deleting.” In fact, there could be
days, weeks, or even months when just about anyone with physical access to
your system could retrieve these files.
The PGP Desktop Shred feature, in comparison, overwrites your files multiple
times as soon as you ask them to be shredded. For more information about
how thoroughly the Shred feature erases your files, see Shredding Files.
To Shred files and/or folders in the Finder
1 In the Finder, select the files and/or folders you want to Shred. Use the
Shift or Command keys to select any combination of files and folders.
2 Ctrl+click the selected files and/or folders, or right-click if you are using a
two-button mouse.
3 Choose PGP, then Shred from the shortcut menu. A PGP screen is
displayed, asking if you are sure you want to Shred the listed files.
4 Click OK. The file(s) are Shredded (securely deleted) from your system; they
do not appear in the Trash.
Decrypt/Verify
If you have a PGP Zip (.pgp) file on your system, you can decrypt and verify it in
the Finder. Decrypt/verify will always decrypt an encrypted (.pgp) file. However,
if the encrypted file was not signed, then the file will not be verified (as there’s
no signature to verify).
You can also decrypt/verify a PGP key (.asc) file, but this is just for importing
the keys, not for decrypting or verifying the file. For more information about
importing PGP keys from a .asc file in the Finder, see Import a PGP Key (on
page 39).
To decrypt/verify a PGP Zip file in the Finder
1 In the Finder, select the PGP Zip (.pgp) file you want to decrypt/verify.
2 Ctrl+click the selected files and/or folders, or right-click if you are using a
two-button mouse. Choose PGP, then Decrypt & Verify from the shortcut
menu. The Enter PGP Passphrase dialog box is displayed.
3 Enter the appropriate passphrase for the private key. If the passphrase is
cached, you aren’t prompted for it.
Normally, as an added level of security, the characters you enter for the
passphrase do not appear on the screen. However, if you are sure that no
one is watching (either physically or over the network) and you would like
to see the characters of your passphrase as you type, select the Show
Keystrokes checkbox.
4 To save your passphrase in the Mac OS X Keychain, select the box. You
will not need to enter the passphrase the next time you access this
feature.
5 Click OK. The file is decrypted at the location of the .pgp file. If the file
was signed, PGP Desktop opens the Verification Info window and displays
the results of the verification of the file.
Mount or Unmount a PGP Virtual Disk Volume
If you have an unmounted PGP Virtual Disk (.pgd) file, you can mount the
corresponding PGP Virtual Disk volume from the Finder. For more information
about PGP Virtual Disk volumes, see Using PGP Virtual Disks.
To mount a PGP Virtual Disk volume from the Finder
1 In the Finder select the PGP Disk (.pgd) file for the volume you want to
mount. Ctrl+click the selected .pgd file, or right-click if you are using a
two-button mouse. From the PGP menu, select Mount. The Enter PGP
Passphrase dialog box is displayed.
2 Enter the passphrase that protects the PGP Disk volume you want to
mount.
Normally, as an added level of security, the characters you enter for the
passphrase do not appear on the screen. However, if you are sure that no
one is watching (either physically or over the network) and you would like
to see the characters of your passphrase as you type, click Typing Hidden.
3 Click OK. The PGP Disk volume is mounted.
To unmount a PGP Virtual Disk volume in the Finder
1 Select the mounted PGP Disk (.pgd) file for the volume you want to
unmount.
2 Ctrl+click the .pgd file, or right-click if you are using a two-button mouse.
From the shortcut menu, choose Unmount from the PGP menu. The
selected PGP Disk volume is unmounted.
Tip: If the menu says Mount, then the volume is already unmounted.
Import a PGP Key
PGP keys can be exported from PGP Desktop as .asc files. This is a good way
to back up your keys or exchange your public keys with others. If you have an
.asc file on your system that includes a PGP key that you want on your
keyring, you can import it from the Finder.
To import keys from an .asc file in the Finder
1 In the Finder, locate the PGP key (.asc) file with the PGP keys you want to
import.
2 Double-click the selected .asc file. PGP Desktop opens and the Select
Keys dialog box is displayed.
3 Select the PGP key(s) you want to import, then click OK. The selected
key(s) are added to your keyring.
Tip: You can also import a key by selecting File > Open and browsing to the
desired .asc file.
Add PGP Public Keys to Your Keyring
PGP Desktop stores your PGP keys on keyrings; you always have one private
keyring (.skr) file that holds private keys and one public keyring (.pkr) file that
holds public keys.
If you have a public keyring file (not your active public keyring file) on your
system that holds keys you would like to add to your active keyring, you can
add them from the Finder.
To add PGP public keys from a keyring file in the Finder
1 In the Finder, drag the PGP public keyring (.pkr) or PGP private keyring
(.skr) file and drop it onto your active keyring in the PGP Desktop window. The
Select Keys dialog box opens and displays the public keys on the selected
public keyring file.
2 Select the keys you want to add to your active keyring, then click OK. You
can use Select All or Select None and the Shift and Command keys to
select the desired keys. The Select Keys dialog disappears and the
selected keys are added to your active keyring.
Tip: In the Finder, double-click the PGP public keyring (.pkr) or PGP private
keyring (.skr) file. The new keyring will appear in PGP Desktop, below your
existing keyrings, as "PGP Public Keyring."
Extract the Contents of a PGP Zip Archive
If you have a PGP Zip archive on your system whose contents you want to
extract, you can do that in the Finder.
To extract the contents of a PGP Zip archive in the Finder
1 In the Finder, select the PGP Zip archive (.pgp) file whose contents you
want to extract.
2 Ctrl+click the .pgp file, or right-click if you are using a two-button mouse.
From the shortcut menu, choose Decrypt & Verify from the PGP menu.
The Enter PGP Passphrase dialog box is displayed.
3 Enter the passphrase that protects the PGP Zip archive from which you are
extracting files, then click OK. The file(s) are extracted from the archive to
the same location in the Finder as the archive.
4 If the archive was signed, the Verification Info dialog is displayed.
Viewing the PGP Log
Use the PGP Log to see what actions PGP Desktop is taking to secure your
data. For more information, see Viewing the PGP Log (on page 118).
6 Working with PGP Keys
PGP Keys is the feature of PGP Desktop you use to create and maintain your
keypair(s) and the public keys of other PGP Desktop users.
This section describes viewing keys, creating a keypair, distributing your public
key, getting the public keys of others, and working with keyservers.
Note: If you are using PGP Desktop in a PGP Universal Server-managed
environment, your PGP Universal Server administrator may have disabled
certain features. When a feature is disabled, the control item in the left side
is not displayed and the menu and other options for that feature are not
available. The graphics included in this guide depict the default installation
with all features enabled. If your PGP Universal Server administrator has
disabled this functionality, this section does not apply to you.
Creating a Keypair.................................................................................... 46
Protecting Your Private Key..................................................................... 49
Distributing Your Public Key .................................................................... 51
Getting the Public Keys of Others........................................................... 54
Working with Keyservers ........................................................................ 56
Using Master Keys .................................................................................. 57
PGP® Desktop for Mac OS X Working with PGP Keys
Viewing Keys
To view all of the keys on the local keyring, open PGP Desktop and click the
Keys item.
You can also use the Smart Keyrings feature. A Smart Keyring is a set of keys
that fits the criteria you establish. For example, if you frequently send messages
to PGP Desktop users from a particular email domain, you could create a Smart
Keyring that shows just the users from that email domain. The default Smart
Keyring is My Private Keys.
Some of the more common tasks you may want to perform are available from
the PGP Keys work area. These are:
Send an email to the owner of a public key. To do this, Ctrl+click (or
right-click) a public key in any view of the PGP Keys on your keyrings and
select Send Email.
If you perform a search, and you select a public key found in the search
that is not on your local keyrings, add the key to your keyring. To do this,
Ctrl+click (or right-click) the key and select Add to Default Keyring.
To see the properties of any key displayed in the work area, double-click
any part of the key listing to display the Key Info dialog box for that key.
Creating a Smart Keyring
To create a Smart Keyring
1 Open PGP Desktop.
2 Click the Keys item.
3 Select File > New > Smart Keyring. The New Smart Keyring dialog box is
displayed.
4 In the Smart Keyring name field, enter a descriptive name for the Smart
Keyring you are creating.
5 In the Include keys which match the following conditions menu, select
either:
Any. Displays keys that match any of the specified criteria (logical
“OR”).
All. Only displays keys that match all of the specified criteria (logical
“AND”).
6 In the first matching column, select one of the following:
Key is. Displays keys that meet the criteria.
Key is not. Displays keys that do not meet the criteria.
Name. Displays keys with the specified criteria in the Name.
Email. Displays keys with the specified criteria in the Email address.
Key ID. Displays keys with the specified criteria in the Key ID.
Key Size. Displays keys of the specified Key Size.
Creation Date. Displays keys created on the specified Creation Date.
Expiration Date. Displays keys that expire on the specified Expiration
Date.
7 The options in the second matching column change based on what you
selected in the first matching column; select between:
Public. Matches on public keys only.
Private. Matches on private keys only.
Revoked. Matches on revoked keys only.
Enabled. Matches on enabled keys only.
Expired. Matches on expired keys only.
Signed by. Matches on keys signed by the specified person.
Contains. Matches when key contains specified criteria.
Does not contain. Matches when key does not contain specified
criteria.
Is. Matches when specified criteria (name or date) is met.
Is not. Matches when specified criteria is not met.
Is at least. Matches when specified criteria is at least the key size
entered.
Is at most. Matches when specified criteria is no greater than the key
size entered.
Is on or before. Matches when specified date is on or before the
listed date.
Is on or after. Matches when specified date is on or after the listed
date.
8 In the text box that is available for some matching items, you can enter text
(such as an email address or a domain; wildcards are allowed), numbers, or
dates.
9 To add extra rows for matching or excluding, click the plus sign icon. Click
the minus sign icon to remove rows.
10 Click Save. The Smart Keyring is displayed in the Items list.
When you select this Smart Keyring, only those keys that match these criteria
are listed. The following Smart Keyring, for example, matches the public keys of
PGP Desktop users at your company’s law firm.
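The Any/All choice and the two matching columns described above amount to a small boolean filter over key attributes. The Python example below is added here and is not PGP Desktop's code: it models each row of the dialog as a (first column, second column, text box) triple, combines rows with logical OR for Any and logical AND for All, and accepts the * and ? wildcards in text fields. The sample keyring, the fixed "today" date used to decide whether a key is expired, and the handling of keys set to never expire are assumptions made for the example; the closing query is the law-firm Smart Keyring the manual describes.

```python
from dataclasses import dataclass
from datetime import date
from fnmatch import fnmatchcase
from typing import Optional

# Assumed "today", so that the Expired status is deterministic in this example.
TODAY = date(2008, 6, 1)


@dataclass
class Key:
    name: str
    email: str
    key_id: str
    key_size: int
    created: date
    expires: Optional[date]          # None models "Key Expires: Never"
    private: bool = False
    revoked: bool = False
    enabled: bool = True


def key_status(key: Key, status: str) -> bool:
    """Second-column choices offered after 'Key is' / 'Key is not'."""
    return {
        "Public": not key.private,
        "Private": key.private,
        "Revoked": key.revoked,
        "Enabled": key.enabled,
        "Expired": key.expires is not None and key.expires < TODAY,
    }[status]


def matches(key: Key, cond) -> bool:
    """Evaluate one row of the dialog: (first column, second column, text box)."""
    field, op, value = cond
    if field == "Key":
        hit = key_status(key, value)
        return hit if op == "is" else not hit
    if field in ("Name", "Email", "Key ID"):
        text = {"Name": key.name, "Email": key.email, "Key ID": key.key_id}[field]
        text, pattern = text.lower(), str(value).lower()   # case-insensitive; * and ? wildcards
        if op in ("contains", "does not contain"):
            hit = fnmatchcase(text, "*" + pattern + "*")
        else:                                              # "is" / "is not"
            hit = fnmatchcase(text, pattern)
        return hit if op in ("contains", "is") else not hit
    if field == "Key Size":
        size = int(value)                                  # number typed into the text box
        return {"is": key.key_size == size,
                "is at least": key.key_size >= size,
                "is at most": key.key_size <= size}[op]
    if field in ("Creation Date", "Expiration Date"):
        when = date.fromisoformat(value) if isinstance(value, str) else value
        actual = key.created if field == "Creation Date" else key.expires
        if actual is None:                                 # never expires: no date to compare
            return False
        return {"is": actual == when,
                "is on or before": actual <= when,
                "is on or after": actual >= when}[op]
    raise ValueError("unsupported condition: %r" % (cond,))


def smart_keyring(keys, mode: str, conditions) -> list:
    """Key IDs a Smart Keyring would list; Any = logical OR, All = logical AND."""
    combine = any if mode == "Any" else all
    return [k.key_id for k in keys if combine(matches(k, c) for c in conditions)]


# Constructed sample keyring: names, addresses and key IDs are made up.
KEYRING = [
    Key("Alice Example", "alice@example.com", "0x11111111", 2048, date(2007, 1, 10), None, private=True),
    Key("Bob Counsel", "bob@lawfirm.example", "0x22222222", 2048, date(2006, 5, 2), date(2009, 5, 2)),
    Key("Carol Counsel", "carol@lawfirm.example", "0x33333333", 1024, date(2004, 3, 15), date(2007, 3, 15)),
    Key("Dave Vendor", "dave@vendor.example", "0x44444444", 4096, date(2008, 2, 1), None, revoked=True),
]

# The manual's example: public keys of the PGP Desktop users at your company's law firm.
LAW_FIRM = [("Key", "is", "Public"), ("Email", "contains", "@lawfirm.example")]

if __name__ == "__main__":
    print(smart_keyring(KEYRING, "All", LAW_FIRM))
```

Adding a third row such as ("Key", "is not", "Expired") to the law-firm conditions is the practical refinement: it keeps keys you can no longer usefully encrypt to out of the view you pick recipients from.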
Creating a Keypair
You probably already created a PGP keypair for yourself using the PGP Desktop
Setup Assistant or with a previous version of PGP Desktop — but if you have
not, you need to now. Most of the things you do with PGP Desktop require a
keypair.
Caution: It is bad practice to keep creating new keys for yourself. A PGP
keypair is like a digital driver’s license or passport; if you create lots of them,
you’re going to end up confusing yourself and those people who want to
send you encrypted messages. It is best to have only one key that contains
all the email addresses that you use. The PGP Global Directory will publish
only one key per email address.
If you are using PGP Desktop in a PGP Universal Server-managed environment,
keypair creation may be disabled.
To create a PGP keypair
1 Open PGP Desktop.
2 From the File menu, select New > PGP Key. The Create a key to secure
your communications dialog box is displayed. Information on this dialog box
explains what a key pair is and how it is used.
3 To specify advanced properties for your new key, select the Expert Mode
check box. For more information on these settings, see Expert Mode Key
Settings (on page 48). Skip this step if you do not want to use Expert Mode.
4 Click Continue. The Set your key’s contact information dialog box is
displayed.
5 Enter your real name in the Full Name field and your correct email address
in the Email Address field.
Note: It is not absolutely necessary to enter your real name or even your
email address. However, using your real name makes it easier for others
to identify you as the owner of your public key. Also, when you upload
your public key to the PGP Global Directory (which makes it easily
available to other PGP Desktop users), your real email address is required.
6 Click Continue. The Set your key’s passphrase dialog box is displayed.
7 Enter a passphrase for the key you are creating, then enter it again to
confirm it.
Normally, as an added level of security, the characters you enter for the
passphrase do not appear on the screen. However, if you are sure that no
one is watching, and you would like to see the characters of your
passphrase as you type, click Show Keystrokes.
Caution: Make sure that your passphrase is one that you can easily
remember (without writing it down). Unless your PGP administrator has
implemented a PGP key reconstruction policy for your company, no one,
including PGP Corporation, can salvage a key with a forgotten passphrase.
The Passphrase Quality bar provides a basic guideline for the strength of
the passphrase you are creating by comparing the amount of entropy in the
passphrase you type against a true 128-bit random string (the same
amount of entropy in an AES128 key). For more information, see The
Passphrase Quality Bar (on page 202).
8 To save this passphrase in the Mac OS X Keychain, select the check box.
9 Click Continue. The PGP Key creation summary dialog box is displayed.
10 If desired, do the following:
To show details about the key, select Show Details.
To make any changes to your key, click Go Back.
11 Click Create Key. PGP Desktop generates your new keypair. This process
can take several minutes.
12 When the key generation process indicates that it is complete, click Finish.
47
PGP® Desktop for Mac OS X Working with PGP Keys
Expert Mode Key Settings
1 When you select Expert Mode on the New PGP Key dialog box, in addition
to specifying your name and email address, you also specify:
Key Type. Choose between Diffie-Hellman/DSS and RSA.
Note: Beginning with PGP Desktop 9.0, the older RSA Legacy key format
from the early 1990s is no longer fully supported. You cannot create new
PGP keypairs using the RSA Legacy key format; however, existing RSA
Legacy keypairs continue to be supported in PGP Desktop.
Keyserver. Specify a trusted keyserver or <None>.
Allowed Compression. Deselect any compression type you do not
want the key you are creating to support.
Allowed Ciphers. Deselect any cipher you do not want the key you
are creating to support.
Allowed Hashes. Deselect any hash you do not want the keypair you
are creating to support.
Preferred Cipher. Select the cipher you want to be used in those
cases where no cipher is specified. Only a cipher that is allowed can
be selected as preferred.
Preferred Hash. Select the hash you want to be used in those cases
where no hash is specified. Only a hash that is allowed can be
selected as preferred.
Key size. Enter from 1024 bits to 4096 bits. The larger the key, the
more secure it is, but the longer it will take to generate.
Key Expires. Select Never or specify a date on which the key you are
creating will expire.
2 Click Continue. The Set Your Key’s Passphrase dialog box is displayed.
3 Enter the passphrase that you would like to use with this key, then type it
again in the Confirm your passphrase field. It is critical that you keep this
passphrase secret.
4 Click Continue.
5 Review the summary information, then click Create Key to begin the key
generation process. PGP Desktop generates your new keypair.
This process can take several minutes.
6 When the key generation process indicates that it is done, click Next. You
are prompted to add the public key portion of the key you just created to
the PGP Global Directory.
7 Read the text on the screen and click Next.
8 Click Skip to prevent the public key from being posted to the PGP Global
Directory. The Completing the PGP Global Directory Assistant screen is
displayed.
9 Click Finish. Your new PGP keypair has been generated. It should be
visible in the PGP Keys Work area. If you don’t see it listed, make sure All
Keys or My Private Keys is selected in the PGP Keys item.
Protecting Your Private Key
PGP Corporation recommends that you take these actions immediately after
you create your keypair:
Caution: Failure to take these actions could result in a devastating loss of
data some time in the future.
Back up a copy of your private key file to another, safe location, in case
your primary copy is ever damaged or lost. See Backing up Your Private Key (on page 50).
Reflect on your chosen passphrase to ensure that you chose something
that you will not forget. If you are concerned that you chose a passphrase
during the key creation process that you will not remember, change it
RIGHT NOW to something you will not forget. For information on changing
your passphrase, see Changing Your Passphrase (on page 63).
Your private key file is very important because once you have encrypted data to
your public key, only the corresponding private key can be used to decrypt the
data. This holds true for your passphrase as well; losing your private key or the
passphrase means that you will not be able to decrypt data encrypted to the
corresponding public key. When you encrypt information, it is encrypted to both
your passphrase and your private key. You need both to decrypt the encrypted
data. Once the data is encrypted, no one—not even PGP Corporation—can
decrypt the data without your private key file and your passphrase.
Consider a situation where you have important encrypted data, and then either
forget your passphrase or lose your private key. The encrypted data would be
inaccessible, unusable, and unrecoverable.
Protecting Keys and Keyrings
Besides making backup copies of your keys, you should be especially careful
about where you store your private key. Even though your private key is
protected by a passphrase that only you should know, it is possible that
someone could discover your passphrase and then use your private key to
decipher your email or forge your digital signature. For instance, somebody
could look over your shoulder and watch the keystrokes you enter or intercept
them on the network or even over the Internet.
To prevent anyone who might happen to intercept your passphrase from using
your private key, store your private key only on your own computer. If your
computer is attached to a network, make sure that your files are not
automatically included in a system-wide backup where others might gain access
to your private key. Given the ease with which computers are accessible over
networks, if you are working with extremely sensitive information, you may
want to keep your private key on a diskette, which you can insert like an
old-fashioned key whenever you want to read or sign private information.
As another security precaution, consider assigning a different name to your
private keyring file and then storing it somewhere other than in the default
location. Use the Keys tab of the Options dialog box to specify a name and
location for your private and public keyring files.
Your private and public keys are stored in separate keyring files. You can copy
them to another location on your hard drive or to a diskette. By default, the
private keyring (secring.skr) and the public keyring (pubring.pkr) are
stored along with the other program files in your “PGP” folder; you can save
your backups in any location you like.
Keys generated on a smart card cannot be backed up because the private
portion of your keypair is non-exportable. (Keys can be generated on a smart
card on Windows systems only.)
You can configure PGP Desktop to back up your keyrings automatically after
you close PGP Desktop. Your keyring backup options can be set in the Keys tab
of the Options dialog box (for Windows) and in the Keys section of the
Preferences dialog box (for Mac OS X).
Backing up Your Private Key
To back up your private key
1 In the Smart Keyrings item, click My Private Keys.
2 Select the icon representing your keypair.
3 From the File menu, select Export.
4 Type a name for the file in the Save As field and specify a location in the
Where field.
5 Select the Include Private Key(s) check box. This is important, because if
you do not do this, only your public key will be exported.
6 Click Save.
7 Copy the file to a secure location. This may be a CD which you carefully
archive, another personal computer, or a USB flash drive that you keep in a
safe location. Please remember not to distribute this file to others, as it
contains both your private key and your public key.
Note: If you are in a PGP Universal Server-managed environment and your
key mode is SKM, you cannot export your key using this method. To export
your keypair, ask your PGP Universal Server administrator to export it from
the management console. To determine what your key mode is, see Key Modes (on page 115).
What if You Lose Your Key?
If you lose your key and do not have a backup copy from which to restore your
key, you will never again be able to decrypt any information encrypted to your
key. You can, however, reconstruct your key if your PGP administrator has
implemented a key restoration policy for your company. For more information,
see PGP Key Reconstruction (see "Reconstructing Keys with PGP Universal
Server" on page 80, "If You Lost Your Key or Passphrase" on page 80) and
contact your PGP administrator.
Distributing Your Public Key
After you create your PGP Desktop keypair, you need to get your public key to
those with whom you intend to exchange encrypted messages.
You make your public key available to others so they can send you encrypted
information and verify your digital signature; and you need their public key to
send encrypted messages to them.
You can distribute your public key in various ways:
Publish your key on the PGP Global Directory (see "Placing Your Public Key
on a Keyserver" on page 52). Generally none of the other methods are
necessary once your key is published to this directory.
Include your public key in an email message (see "Including Your Public Key
in an Email Message" on page 53).
Export your public key or copy it to a text file (see "Exporting Your Public
Key to a File" on page 53).
On Windows systems, you can also:
Copy from a Smart Card directly to someone's keyring.
Placing Your Public Key on a Keyserver
The best method for making your public key available is to place it on a public
keyserver, which is a large database of keys, where anyone can access it. That
way, people can send you encrypted email without having to explicitly request a
copy of your key. It also relieves you and others from having to maintain a large
number of public keys that you rarely use.
There are a number of keyservers worldwide, including the PGP Global
Directory, where you can make your key available for anyone to access. If you
are using PGP Desktop in a domain protected by a PGP Universal Server, your
PGP administrator will have preconfigured PGP Desktop with appropriate
settings.
When you’re working with a public keyserver, keep these things in mind before
you send your key:
Is this the key you intend to use? Others attempting to communicate with
you might encrypt important information to that key. For this reason, we
strongly recommend you only put keys on a keyserver that you intend for
others to use.
Will you remember your passphrase for this key so you can retrieve data
encrypted to it or, if you don’t want to use the key, so you can revoke it?
Other than the PGP Global Directory, once a key is up there, it’s up there.
Some public keyservers have a policy against deleting keys. Others have
replication features that replicate keys between keyservers, so even if you
are able to delete your key on one server, it could reappear later.
Most people post their public key to the PGP Global Directory right after they
create their keypair. If you have already posted your key to the PGP Global
Directory, you do not need to do it again. Under most circumstances, there is
no need to publish your key to any other keyserver. Note also that other
keyservers may not verify keys, and thus keys found on other keyservers may
require significantly more work on your part to contact the key owner for
fingerprint verification.
To manually send your public key to a keyserver
1 Open PGP Desktop.
2 Ctrl+click the keypair whose public key you want to send to the keyserver.
3 Select Send Key To Server, then select the keyserver you want to send
the public key to from the list. If the keyserver you want to send your
public key to is not on the list, see Working with Keyservers (on page 56).
Once you place a copy of your public key on a keyserver, it’s available to people
who want to send you encrypted data or to verify your digital signature. Even if
you don’t explicitly point people to your public key, they can get a copy by
searching the keyserver for your name or email address.
Many people include the Web address for their public key at the end of their
email messages. In most cases, the recipient can just double-click the address
to access a copy of your key on the server. Some people even put their PGP
fingerprint on their business cards for easier verification.
Including Your Public Key in an Email Message
Another convenient method of delivering your public key to someone is to
include it with an email message.
When you send someone your public key, be sure to sign the email. That way,
the recipient can verify your signature and be sure no one has tampered with
the information along the way. Of course, if your key has not yet been signed
by any trusted introducers, recipients of your signature can only truly be sure
the signature is from you by verifying the fingerprint on your key.
To include your public key in an email message
1 Open PGP Desktop.
2 Open your email client, create a new message, and address it to the
person to whom you are sending your public key.
3 From PGP Desktop, drag and drop your keypair onto the body of the email
message.
4 Send the message.
If this method does not work for you, you can open PGP Desktop, select your
keypair, then select Edit > Copy. Open an email message, then paste the public
key into the body of the message. With some email applications you can simply
drag your key from PGP Desktop into the text of your email message to transfer
the public key information.
Exporting Your Public Key to a File
Another method of distributing your public key is to export it to a file and then
make this file available to the person with whom you want to communicate
securely.
There are three ways to export or save your public key to a file:
Select your keypair, then select File > Export. Enter a name and a location
for the file, then click Save. Be sure not to include your private key along
with your public key if you plan on giving this file to others.
Ctrl+click the key you want to save to a file, select Export from the list,
enter a name and a location for the file, then click Save. Be sure not to
include your private key along with your public key if you plan on giving this
file to others.
Select your keypair, then select Edit > Copy. Open a text editor and select
Paste to insert the key information into the text file, and save the file. You
can then email or give the file to anyone you like. The recipient needs to
use PGP Desktop on his or her system to retrieve the public key portion.
Getting the Public Keys of Others
Just as you need to distribute your public key to those who want to send you
encrypted mail or verify your digital signature, you need to obtain the public
keys of others to send them encrypted mail or verify their digital signatures.
There are multiple ways to obtain someone’s public key:
Automatically retrieve the verified key from the PGP Global Directory
Find the key manually on a public keyserver
Automatically add the public key to your keyring directly from an email
message
Import the public key from an exported file
Get the key from your organization’s PGP Universal Server
Public keys are just blocks of text, so they are easy to add to your keyring by
importing them from a file or by copying them from an email message and then
pasting them into your public keyring in PGP Desktop.
Getting Public Keys from a Keyserver
If the person to whom you want to send encrypted mail is an experienced PGP
Desktop user, it is likely that a copy of his or her public key is on the PGP Global
Directory or another public keyserver. This makes it very convenient for you to
get a copy of the most up-to-date key whenever you want to send him or her
mail and also relieves you from having to store a lot of keys on your public
keyring.
There are a number of public keyservers, such as the PGP Global Directory
maintained by PGP Corporation, where you can locate the keys of most PGP
users. If the recipient has not pointed you to the Web address where his or her
public key is stored, you can access any keyserver and do a search for the
user’s name or email address. This may or may not work, as not all public
keyservers are regularly updated to include the keys stored on all the other
servers.
If you are in a domain protected by a PGP Universal Server, then your PGP
administrator may direct you to use the keyserver built into the PGP Universal
Server. In this case, your PGP Desktop software is probably already configured
to access the appropriate PGP Universal Server.
Similarly, the PGP Universal Server is configured by default to communicate
with the PGP Global Directory. Thus, the PGP ecosystem distributes the load of
key lookup and verification.
To get someone’s public key from a keyserver
1 Open PGP Desktop.
2 Click the PGP Global Directory item or the item of another keyserver you
want to search. The Search for Keys screen is displayed in the Work area.
3 Specify your search criteria, then click Search.
If the keyserver you want to search is not shown, from the Keys
menu, select Add Keyserver, and configure it.
You can search for keys on a keyserver by specifying values for
multiple key characteristics. You can also search for exclusions, such
as using “User ID is not Charles” as your criteria.
The results of the search appear.
4 If the search found a public key you want to add to your keyring, Ctrl+click
it and select Add To Default Keyring. The selected key is added to your
keyring.
Tip: If you set the search criteria to look for a very common name (for
example, 'Name', 'contains', "John"), only the first match found is returned.
This is by design, to prevent phishing (or harvesting keys from a keyserver).
For common names or domains, you may have to enter the entire name or
email address in order to find the correct key.
Getting Public Keys from Email Messages
A convenient way to get a copy of someone’s public key is to have that person
attach it to an email message.
To add a public key attached to an email message
1 Open the email message.
2 Double-click the .asc file that includes the public key. PGP Desktop
recognizes the file format and opens the Select key(s) dialog box.
3 If asked, specify to open the file.
4 Select the public key(s) you want to add to your keyring and click Import.
Working with Keyservers
PGP Desktop understands the following kinds of keyservers:
PGP Universal keyservers. If you are using PGP Desktop in a domain
protected by a PGP Universal Server, PGP Desktop is pre-configured to
only communicate with the keyserver built into the PGP Universal Server
with which it has a relationship. To PGP Desktop, this is a trusted
keyserver, and PGP Desktop will automatically trust any key it finds on this
keyserver unless the PGP Universal Server tells PGP Desktop that the key
is not trusted—this can happen, for instance, when verifying signatures
from remote keys.
The PGP Global Directory. If you are using PGP Desktop outside of a
domain protected by a PGP Universal Server, PGP Desktop is
pre-configured to communicate with the PGP Global Directory.
The PGP Global Directory is a free, public keyserver hosted by PGP
Corporation. It provides quick and easy access to the universe of PGP keys.
It uses next-generation keyserver technology that verifies the key
associated with each email address (so that the keyserver doesn’t get
clogged with unused keys, multiple keys per email address, forged keys,
and other problems that plagued older keyservers) and it lets you manage
your own keys, including replacing your key, deleting your key, and adding
email addresses to your key. Using the PGP Global Directory significantly
enhances your chances of finding the public key of someone to whom
you want to send secured messages.
To PGP Desktop, the PGP Global Directory is a trusted keyserver, and PGP
Desktop will automatically trust any key it finds there. During the initial
connection to the PGP Global Directory, the PGP Global Directory
Verification Key is downloaded, signed, and trusted by the key you publish
to the directory. All of the keys verified by the PGP Global Directory are
thus considered valid by your PGP Desktop.
PGP Universal Services Protocol. The PGP Universal Services Protocol
(USP) is a SOAP protocol operating over standard HTTP/HTTPS ports. This
is the default key lookup mechanism. If you are in a PGP Universal
Server-managed environment, all key search requests as well as all other
communications between the PGP Universal Server and PGP Desktop
use PGP USP.
Other keyservers. In most cases, other keyservers are other public
keyservers. However, you may have access, through your company or
some other means, to a private keyserver.
For more information about working with keyservers, see Keys Preferences (on page 189).
Using Master Keys
The Master Key List is a set of keys that you want added by default any time
you are selecting keys for messaging, disk encryption, and PGP Zip. This saves
you the step of dragging the keys that you regularly use into the Recipients
field.
To use the Master Key List, select the Use Master Key List checkbox. You
cannot add or remove keys from the Master Key List unless this box is
selected.
Note: If you generated your key using the Setup Assistant, your key is
automatically added to the Master Key list. If you skipped key generation and
imported your key into PGP Desktop, your key is not automatically added to
the list.
Adding Keys to the Master Key List
To add keys to the Master Key List
1 Open PGP Desktop.
2 Select PGP > Preferences.
3 Select the Master Keys icon.
4 Click the plus sign icon beneath the key list. The Select Master Keys dialog
box is displayed.
5 From the Name list on the left, select the key(s) that you want to use. Use
Shift+click or Cmd+click to select multiple keys.
6 After selecting the keys you want, click OK. The keys you have selected
appear in the Master Key List.
Deleting Keys from the Master Key List
To remove keys from the Master Key List
1 Open PGP Desktop.
2 Select PGP > Preferences.
3 Select the Master Keys icon.
4 Select the key(s) that you want to remove. You can Shift+click or
Cmd+click to select multiple keys.
5 Click the minus sign icon beneath the key list. The key(s) are removed.
7 Managing PGP Keys
This section describes how to manage keys with the PGP Desktop application.
Note: If you are using PGP Desktop in a PGP Universal Server-managed
environment, your PGP Universal Server administrator may have disabled
certain features. When a feature is disabled, the control item in the left side
is not displayed and the menu and other options for that feature are not
available. The graphics included in this guide depict the default installation
with all features enabled. If your PGP Universal Server administrator has
disabled this functionality, this section does not apply to you.
In This Chapter
Examining and Setting Key Properties .................................................... 59
Adding and Removing Photographs ........................................................ 60
Managing User Names and Email Addresses on a Key .......................... 61
Importing Keys and X.509 Certificates .................................................... 62
Changing Your Passphrase...................................................................... 63
Deleting Keys, User IDs, and Signatures ................................................ 64
Disabling and Enabling Public Keys ......................................................... 65
Verifying a Public Key .............................................................................. 65
Signing a Public Key ................................................................................ 66
Granting Trust for Key Validations ........................................................... 68
Working with Subkeys............................................................................. 69
Working with ADKs ................................................................................. 74
Working with Revokers ........................................................................... 75
Splitting and Rejoining Keys .................................................................... 77
If You Lost Your Key or Passphrase ........................................................ 80
Protecting Your Keys ............................................................................... 83
Examining and Setting Key Properties
The Key Info dialog box displays everything there is to know about a key. The
PGP Keys Work Area can display these important details about your keys:
Name
Email address
Validity
Size
KeyID
Trust
Creation date
Expiration date
ADK
Status
Key description
Key usage
Note: If you are in a PGP Universal Server-managed environment and your
key mode is SKM, you cannot make changes to your key. In addition, SKM
keys are set to never expire. To determine what your key mode is, see Key Modes (on page 115).
To view a key’s properties
1 Open PGP Desktop, then click the Keys item. All keys on your keyring
appear.
2 Double-click the key with the properties you want to view. The Key
Properties dialog box for the key you selected is displayed.
Adding and Removing Photographs
You can add a photograph to your Diffie-Hellman/DSS and RSA keys.
Note: When you add or change key information, be sure to update it on the
keyserver so that your most current key is always available.
Caution: Although you can view the photograph that accompanies someone’s
key as a check, the digital fingerprint is the final word. Always check
and compare it.
To add your photograph to your key
1 Open PGP Desktop, then click My Private Keys.
2 Double-click the private key to which you are adding the photo. The Key
Info dialog box for the selected key is displayed.
3 Click the plus sign icon under the current photo for the key. The Add Photo
dialog box is displayed.
4 Drag and drop, or paste, your photograph into the blank area of the Add
Photo dialog box.
Note: The photograph can be from the Clipboard, a JPG, or BMP file. For
maximum picture quality, crop the picture to 120 x 144 pixels before
adding it. If you do not do this, PGP Desktop scales it for you.
5 Click OK. The Enter PGP Passphrase dialog box is displayed, unless the
passphrase for the key you are modifying is cached.
6 Enter your passphrase for the key you are modifying, then click OK. Your
photo ID is added to your private key.
To view an enlargement of the photo
Click the magnifying glass icon under the existing photo. A window
displaying an enlarged version of the photo ID appears. To remove the
enlargement, click inside the window.
To delete a photo ID
1 Click the minus sign icon under the existing photo. A confirmation dialog
box is displayed.
2 Confirm that this is your choice. The photo is removed from the key.
To copy a photo ID
Right-click the existing photo on the Key Properties dialog box and select
Copy Photo ID. You can then paste the photo into another key or into a
graphics program.
Managing User Names and Email Addresses on a Key
PGP Desktop supports multiple user names and email addresses on your
keypair. These names and email addresses help others find your key so that
they can send you encrypted messages.
To add a new user name/address to your keypair
1 Open PGP Desktop, then double-click the appropriate key. The Key Info
dialog box for the key you double-clicked is displayed.
2 Click Add Email Address. The Add Name dialog box is displayed.
3 Enter the new Full Name and Email Address in the appropriate fields,
then click OK. The Enter PGP Passphrase dialog box is displayed, unless
the passphrase for the key you are modifying is cached.
4 Enter the private key passphrase of the key you are modifying, then click
OK. The new name is added to the end of the user name list associated
with the key.
Note: When you add or change information in your keypair, always
synchronize it with your keyserver so that your most current key is always
available.
To delete a name/email address from your keypair
1 From the list of keys, click the plus sign to the left of the key name to
expand the key.
2 Select the user ID you want to delete.
3 Press the Delete key on your keyboard. A confirmation dialog box is
displayed.
Tip: You can also select Edit > Delete (on Windows systems) or Edit >
Clear (on Mac OS X systems).
4 Click Delete. The user ID is deleted.
Importing Keys and X.509 Certificates
You can import PGP public keys and PKCS-12 X.509 certificates (a digital
certificate format used by most Web browsers) to your PGP Desktop keyring,
as well as PKCS-7 public X.509 certificates. You can also import Privacy
Enhanced Mail (PEM) format X.509 certificates from your browser by copying
and pasting into your public keyring.
There are many ways to import someone’s PGP public key and add it to your
keyring. These methods include:
Double-clicking the file on your system. If PGP Desktop recognizes the file
format, it will open and ask if you want to import the key(s) in the file.
Choosing to import the key file in PGP Desktop.
Dragging the file containing the public key onto the PGP Keys window.
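Public keys are plain text blocks, and so is an export made with the Include Private Key(s) check box selected, which is why the guide warns against handing that file to others. The script below is an added example, not PGP Desktop code: it decodes an ASCII-armored block, verifies the RFC 4880 CRC-24 checksum that every armored block ends with, walks the OpenPGP packet headers, and reports whether the block carries secret-key packets (tags 5 and 7), so a .asc file can be checked before it is emailed, published, or imported. The sample blocks are constructed inside the script from placeholder packet bodies and are not real keys; the function names (dearmor, packet_tags, contains_secret_key) are this example's own.

```python
import base64
import re

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB

# OpenPGP packet tags (RFC 4880 section 4.3) that mean private key material.
SECRET_TAGS = {5, 7}  # Secret-Key and Secret-Subkey packets


def crc24(data: bytes) -> int:
    """CRC-24 used for the armor checksum (RFC 4880 section 6.1)."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(data: bytes, block_type: str) -> str:
    """Wrap raw packets in an ASCII-armored block (used here to build samples)."""
    body = base64.b64encode(data).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN PGP {block_type}-----", "", *lines,
                      f"={crc}", f"-----END PGP {block_type}-----", ""])


def dearmor(text: str):
    """Return (block_type, raw_packets, crc_ok) for the first armored block."""
    m = re.search(r"-----BEGIN PGP ([A-Z ]+)-----\n(.*?)-----END PGP \1-----",
                  text.replace("\r\n", "\n"), re.S)
    if not m:
        raise ValueError("no armored block found")
    lines = m.group(2).strip("\n").split("\n")
    if "" in lines:  # armor headers such as 'Version:' end at a blank line
        lines = lines[lines.index("") + 1:]
    raw = base64.b64decode("".join(l for l in lines if l and l[0] != "="))
    crc_lines = [l for l in lines if l.startswith("=")]
    crc_ok = bool(crc_lines) and crc24(raw) == int.from_bytes(
        base64.b64decode(crc_lines[0][1:]), "big")
    return m.group(1), raw, crc_ok


def packet_tags(raw: bytes) -> list:
    """Walk the packet sequence and return each packet's tag number."""
    tags, pos = [], 0
    while pos < len(raw):
        ctb = raw[pos]
        if not ctb & 0x80:
            raise ValueError(f"bad packet header at offset {pos}")
        if ctb & 0x40:  # new-format header with a one- or two-octet length
            tag, first = ctb & 0x3F, raw[pos + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + raw[pos + 2] + 192, 3
            else:
                raise ValueError("five-octet and partial lengths not handled")
        else:  # old-format header with 1, 2 or 4 length octets
            tag, n = (ctb >> 2) & 0x0F, 1 << (ctb & 0x03)
            if n == 8:
                raise ValueError("indeterminate length not handled")
            length, hdr = int.from_bytes(raw[pos + 1:pos + 1 + n], "big"), 1 + n
        tags.append(tag)
        pos += hdr + length
    return tags


def contains_secret_key(text: str) -> bool:
    """True if the block is labelled PRIVATE or carries secret-key packets.

    Both checks matter: the banner is plain text and can be wrong, so the
    packet tags are what actually decide whether the file is safe to share.
    """
    block_type, raw, crc_ok = dearmor(text)
    if not crc_ok:
        raise ValueError("armor checksum mismatch: file damaged or altered")
    return "PRIVATE" in block_type or any(t in SECRET_TAGS for t in packet_tags(raw))


def _packet(tag: int, body: bytes) -> bytes:
    """Old-format packet header with a one-octet length (bodies under 256 bytes)."""
    return bytes([0x80 | (tag << 2), len(body)]) + body


# Constructed samples with placeholder bodies; none of this is real key material.
_UID = _packet(13, b"Alice Example <alice@example.com>")
PUBLIC_SAMPLE = armor(_packet(6, b"\x04" + b"\x00" * 20) + _UID, "PUBLIC KEY BLOCK")
PRIVATE_SAMPLE = armor(_packet(5, b"\x04" + b"\x00" * 24) + _UID, "PRIVATE KEY BLOCK")
# Secret packets behind a public banner: the tag walk still catches them.
MISLABELLED_SAMPLE = armor(_packet(5, b"\x04" + b"\x00" * 24) + _UID, "PUBLIC KEY BLOCK")

if __name__ == "__main__":
    for name, sample in (("public", PUBLIC_SAMPLE), ("private", PRIVATE_SAMPLE),
                         ("mislabelled", MISLABELLED_SAMPLE)):
        tags = packet_tags(dearmor(sample)[1])
        print(f"{name}: packet tags={tags} secret={contains_secret_key(sample)}")
```

Checking the packet tags rather than only the BEGIN/END banner matters because the banner is ordinary text; the mislabelled sample shows a secret-key packet behind a public banner being caught. A CRC mismatch is reported as an error rather than ignored, since it means the block was truncated or altered on the way, which is exactly the case where the key inside should not be imported until it has been obtained again and its fingerprint verified.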
Importing X.509 Certificates Included in S/MIME Email Messages
If an X.509 certificate is included in an S/MIME email message sent to you, you
can have PGP Desktop import the certificates to your keyring. The same
settings you have specified when public keys are found apply to these
certificates. If specified, PGP Desktop extracts and then imports the X.509
certificate to your keyring. If you want to encrypt email using imported
certificates, be sure to manually sign the certificate.
To import X.509 certificates, choose PGP > Preferences and select the Keys
option. Then select Ask to save to my keyring or Save keys to my keyring.
Changing Your Passphrase
It’s a good practice to change your passphrase at regular intervals, perhaps
every three months. More importantly, you should change your passphrase the
moment you think it has been compromised, for example, by someone looking
over your shoulder at the keyboard as you typed it in.
To change the passphrase for a split key, you must rejoin it first.
Tip: Changing your passphrase on your key does not change the passphrase
on any copies of the key (such as backups you may have made). If you think
your key has been compromised, PGP Corporation recommends that you
shred any previous backup copies and then make new backups of your key.
If you are in a PGP Universal Server-managed environment and your key mode
is SKM, you cannot change the passphrase for your key. SKM keys are
protected by a randomly generated passphrase (that is itself protected) and you
are never prompted to enter a passphrase for an SKM key. To determine what
your key mode is, see Key Modes (on page 115).
To change your private key passphrase
1 Open PGP Desktop, then double-click the appropriate key. The Key Info
dialog box for the key you double-clicked is displayed.
2 Click Change Passphrase, then select Change Passphrase from the list of
commands displayed. The Enter PGP Passphrase dialog is displayed.
3 Enter the current passphrase for the private key, then click OK. The
Confirm PGP Passphrase dialog box is displayed.
4 Enter your new passphrase in the first text field.
5 Re-enter your passphrase in the Confirmation field.
The Passphrase Quality bar provides a basic guideline for the strength of
the passphrase you are creating by comparing the amount of entropy in the
passphrase you type against a true 128-bit random string (the same
amount of entropy in an AES128 key). For more information, see The Passphrase Quality Bar (on page 202).
6 Click OK. An information dialog box is displayed, informing you the
passphrase has been changed.
7 Click OK. The passphrase is changed.
Caution: If you are changing your passphrase because you feel that it has
been compromised, it is recommended that you shred all backup keyrings,
then make a backup copy of the key with the new passphrase.
Deleting Keys, User IDs, and Signatures
PGP Desktop gives you control over the keys on your keyrings, as well as the
user IDs and signatures on those keys.
With public keys on your keyrings, you can delete entire keys, any user IDs on a
key, and any or all signatures on a key.
With your keypairs, you can delete entire keypairs or any or all signatures, as
well as delete user IDs from a keypair as long as that is not the only user ID on
the keypair.
Note, however, that you cannot delete a user ID on a key if it is the only user
ID, and you cannot delete self-signatures from keys.
To delete a key from your PGP keyring
1 Open PGP Desktop, then click the Keys item. All keys on your keyring
appear.
2 Do one of the following:
To delete a key, select the key, select Edit > Clear, then click OK on
the Confirmation dialog box. The key is deleted from your keyring.
To delete a user ID (from a public key) or signature, click the triangle
to the left of the key with the User ID or Signature that you want to
delete to display the user IDs and signatures. When you see the user
ID or signature you want to delete, click the User ID, select Edit >
Clear, then click OK on the Confirmation dialog box. The user ID or
signature is deleted.
Remember that you cannot delete a user ID from a keypair if it is the only
user ID on that keypair.
Disabling and Enabling Public Keys
Sometimes you may want to temporarily disable a public key on your keyring,
which can be useful when you want to retain a public key for future use, but
you don’t want it cluttering up your recipient list every time you send mail.
You cannot disable your keypairs.
To disable a public key
1 Open PGP Desktop, then click the Keys item. All keys on your keyring
appear.
2 Double-click the public key you want to disable. The Key Info dialog box for
the key you selected is displayed.
3 Locate the Enabled field in the Key Properties.
If the current Enabled setting is Yes, the key is enabled. To disable
the key, click Yes once. The Enabled field changes to No; the key is
disabled.
If the current Enabled setting is No, the key is disabled. To enable the
key, click No once. The Enabled field changes to Yes and the key is
enabled.
A disabled key cannot be used to encrypt, sign, decrypt, or verify.
Tip: You can also synchronize keys on your keyring with the PGP Universal
Server. This option is used primarily to enable/disable public keys on your
keyring. To do this, right-click (or Ctrl+click) a key and choose Synchronize.
Verifying a Public Key
It is difficult to know for certain whether a public key belongs to a particular
individual unless that person physically hands the key to you on removable
media or you get the key from the PGP Global Directory. Exchanging keys on
removable media is not usually practical, especially for users who are located
many miles apart.
So the question remains: how can I make sure the public key I got from a public
keyserver (not the PGP Global Directory) is really the public key of the person
listed on the key? The answer is: you have to check the key’s fingerprint.
There are several ways to check a key’s fingerprint, but the safest is to call the
person and have them read the fingerprint to you over the phone. Unless the
person is the target of an attack, it is highly unlikely that someone would be
able to intercept this random call and imitate the person you expect to hear on
the other end. You can also compare the fingerprint on your copy of someone’s
public key to the fingerprint on their original key on a public server.
The fingerprint can be viewed in two ways: in a unique list of words or in its
hexadecimal format.
To check the digital fingerprint of a public key
1 Open PGP Desktop, then click the Keys item. All keys on your keyring
appear.
2 Double-click the public key with the fingerprint that you want to check. The
Key Info dialog box is displayed.
3 Locate the Digital Fingerprint in the second section of the Key Info dialog
box.
If necessary, click the triangle to face downward and display the fingerprint,
which is shown either in hexadecimal format (10 sets of four characters per
set) or word list format (four columns with five unique words per column).
4 Compare the fingerprint on the key with the original fingerprint. If the two
are the same, then you have the real key—otherwise, you likely do not.
The word list is made up of special authentication words that PGP Desktop
uses and are carefully selected to be phonetically distinct and easy to
understand without phonetic ambiguity. The word list serves a similar
purpose as the military alphabet, which allows pilots to convey information
distinctly over a noisy radio channel.
5 If you have a forged key, delete it.
6 Open your Web browser, navigate to the PGP Global Directory
(https://keyserver.pgp.com), and search for the real public key.
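For a version 4 OpenPGP key, the hexadecimal fingerprint shown in step 3 is the SHA-1 hash of the public key packet (RFC 4880), and the Key ID shown in key lists is only its last 64 bits. The following added example (not part of this manual or of PGP Desktop) computes that fingerprint for a constructed, toy-sized RSA key packet, lays it out as the 10 groups of 4 characters PGP Desktop displays, and performs the comparison of step 4 against a fingerprint read back over the phone, refusing to accept a bare Key ID in place of the full fingerprint. The word-list form is not shown.

```python
import hashlib
import re


def encode_mpi(value: int) -> bytes:
    """OpenPGP multi-precision integer: 2-byte bit count, then big-endian magnitude."""
    bits = value.bit_length()
    return bits.to_bytes(2, "big") + value.to_bytes((bits + 7) // 8, "big")


def rsa_public_key_packet_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 public-key packet for RSA (RFC 4880 section 5.5.2):
    version byte, 4-byte creation time, algorithm id 1 (RSA), MPI n, MPI e."""
    return b"\x04" + created.to_bytes(4, "big") + b"\x01" + encode_mpi(n) + encode_mpi(e)


def v4_fingerprint(packet_body: bytes) -> str:
    """Fingerprint = SHA-1 over 0x99, the 2-byte body length and the body (RFC 4880 12.2)."""
    data = b"\x99" + len(packet_body).to_bytes(2, "big") + packet_body
    return hashlib.sha1(data).hexdigest().upper()


def long_key_id(fingerprint_hex: str) -> str:
    """The low-order 64 bits of a v4 fingerprint form the Key ID shown in key lists."""
    return fingerprint_hex[-16:]


def display_hex(fingerprint_hex: str) -> str:
    """Render as 10 groups of 4 hex characters, the layout PGP Desktop uses."""
    return " ".join(fingerprint_hex[i:i + 4] for i in range(0, 40, 4))


def normalize(fingerprint: str) -> str:
    """Drop spaces and other separators a person inserts while reading it out."""
    return re.sub(r"[^0-9A-Fa-f]", "", fingerprint).upper()


def fingerprints_match(displayed: str, spoken: str) -> bool:
    """Compare what Key Info shows against what the owner read to you.
    Both sides must be the full 40 hex digits: a Key ID (8 or 16 digits)
    is far too short to rule out a different key that shares it."""
    a, b = normalize(displayed), normalize(spoken)
    return len(a) == 40 and len(b) == 40 and a == b


# Constructed sample packet with toy-sized RSA values; this is NOT a real key.
SAMPLE_BODY = rsa_public_key_packet_body(0x5B3A1F00, 0xC0FFEE1234567, 65537)
SAMPLE_FINGERPRINT = v4_fingerprint(SAMPLE_BODY)

if __name__ == "__main__":
    print("Digital Fingerprint:", display_hex(SAMPLE_FINGERPRINT))
    print("Key ID:", long_key_id(SAMPLE_FINGERPRINT))
```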
Signing a Public Key
When you create a keypair, the keys are automatically signed. Similarly, once
you are sure a key belongs to the correct person, you can sign that person’s
public key, indicating that you have verified the key. When you sign someone’s
public key, a signature icon along with your user name is shown attached to
that key.
If you import a keypair from a backup or from a different computer, that keypair
needs to be signed.
Note: If you are using PGP Desktop in a PGP Universal Server-managed
environment, key signing may be disabled.
To sign a key
1 Open PGP Desktop, then click the Keys item. All keys on your keyring
appear.
2 Select the key you want to sign, then from the Keys menu, select Sign.
The Sign Key dialog box is displayed with the user name/email address and
hexadecimal fingerprint displayed in the text box.
Tip: You can also Ctrl+click the key (or right-click it if you have a
two-button mouse). When the shortcut menu is displayed, select Sign.
3 Under Sign With Key, click to display and select which of your keys you
want to sign with.
4 To allow your signature to be exported with this key, select Allow
signature to be exported.
An exportable signature is one that is allowed to be sent to servers and
travels with the key whenever it is exported. The checkbox indicates your
approval that your signature be exported.
5 In the Select Items to Sign box, verify that you are signing the right key.
6 If you want to configure additional options, such as signature type and
signature expiration, click Options.
7 Choose a Signature Type to sign the public key with. Your choices are:
Non-exportable. Use this signature when you believe the key is valid,
but you don’t want others to rely on your certification. This signature
type cannot be sent with the associated key to a keyserver or
exported in any way.
Exportable. Use exportable signatures in situations where your
signature is sent with the key to the keyserver, so that others can rely
on your signature and trust your keys as a result. This is equivalent to
checking the Allow signature to be exported checkbox on the Sign
Keys menu.
Meta-Introducer Non-Exportable. Certifies that this key, and any
keys signed by this key with a Trusted Introducer Validity Assertion,
are fully trusted introducers to you. This signature type is
non-exportable.
Trusted Introducer Exportable. Use this signature in situations
where you certify that this key is valid, and that the owner of the key
should be completely trusted to vouch for other keys. This signature
type is exportable. You can restrict the validation capabilities of the
trusted introducer to a particular email domain.
8 In the Expires field, select Never if you do not want this signature to
expire. Otherwise, select a date for it to expire.
9 In the Advanced field, specify a maximum depth for trust and a domain
restriction:
The Maximum Depth option enables you to identify how many levels
deep you can nest trusted-introducers. For example, if you set this to
1, there can only be one layer of introducers below the
meta-introducer key.
If you want to limit the trusted introducer’s key validation capabilities
to a single domain, enter the domain name in the Domain Restriction
text box.
10 Click Sign. The Enter PGP Passphrase dialog box is displayed (if your
passphrase was not saved in the Keychain).
11 Type the passphrase of the signing key, if required. PGP Desktop does not
ask you to type your passphrase if it is cached.
12 Click OK. The key is signed.
Revoking Your Signature from a Public Key
You may, on occasion, want or need to revoke your signature from a key on
your keyring.
To revoke your signature
1 Open PGP Desktop, then click the Keys item. All keys on your keyring
appear.
2 Click the triangle to the left of the key from which you want to revoke your
signature. The signatures appear.
3 Click your signing key.
4 Select Edit > Revoke. A confirmation dialog box is displayed.
5 Verify that the Key ID and Name are the correct key (from which you want
to revoke your signature) and click OK. The PGP Enter PGP Passphrase for
Key dialog box is displayed.
6 Enter your passphrase and click OK. Your signature is revoked from the
key.
Granting Trust for Key Validations
Besides certifying that a key belongs to someone, you can assign a level of
trust to the owner of the keys indicating how well you trust them to act as an
introducer for others, whose keys you may get in the future.
This means that if you ever get a key from someone that has been signed by an
individual whom you have designated as trustworthy, the key is considered
valid even though you have not done the check yourself.
You must sign a key before you can set a trust level for it.
Public keys can be None, Marginal, or Trusted. Your keypairs can be None or
Implicit (meaning it is your own key and thus you trust it completely). You
shouldn’t have anyone else’s keypairs.
For more information about trusting keys, see An Introduction to Cryptography.
Note: If you are using PGP Desktop in a PGP Universal Server-managed
environment, the ability to grant trust to keys may be disabled.
To grant trust to a key
1 Open PGP Desktop, then click the Keys item. All keys on your keyring
appear.
2 Double-click the key for which you are granting trust. The Key Info dialog
box is displayed.
3 In the General Information section, click the current Trust field setting. A
menu of trust settings is displayed.
4 Select the desired setting.
Note: Selecting a Trust setting of None or Marginal is not intended to
indicate that an owner of a key is untrustworthy or dishonest. It means that
you do not have enough information to be sure that a key’s owner or source
is genuine.
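The rules of the two preceding sections (your own signature, Trusted Introducer and Meta-Introducer signatures with Maximum Depth and Domain Restriction, and the Trust setting in the Key Info dialog) can be modelled as a validity computation. The following added example is not part of this manual or of PGP Desktop: it decides which keys on a constructed sample keyring are valid to you under a simplified model, where the manual does not say how Marginal trust combines, so Marginal on its own is treated as insufficient; the fingerprints and addresses are labels made up for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Signature:
    signer: str                   # fingerprint of the certifying key
    introducer_depth: int = 0     # 0: plain certification; 1: Trusted Introducer;
                                  # n >= 2: Meta-Introducer with Maximum Depth n - 1
    domain: Optional[str] = None  # Domain Restriction on the keys this introducer may vouch for


@dataclass
class Key:
    fingerprint: str
    email: str
    signatures: List[Signature] = field(default_factory=list)


class Keyring:
    """Validity of keys on one user's keyring under simplified web-of-trust rules."""

    def __init__(self, my_key: Key):
        self.my = my_key.fingerprint
        self.keys = {self.my: my_key}
        self.trust = {self.my: "Implicit"}  # public keys get None, Marginal or Trusted

    def add(self, key: Key) -> None:
        self.keys[key.fingerprint] = key

    def grant_trust(self, fpr: str, level: str) -> None:
        if level not in ("None", "Marginal", "Trusted"):
            raise ValueError("public keys can only be None, Marginal or Trusted")
        if not any(s.signer == self.my for s in self.keys[fpr].signatures):
            raise ValueError("you must sign a key before you can set a trust level for it")
        self.trust[fpr] = level

    def is_valid(self, fpr: str) -> bool:
        return self._valid(fpr, frozenset())

    @staticmethod
    def _domain_ok(domain: Optional[str], email: str) -> bool:
        return domain is None or email.lower().endswith("@" + domain.lower())

    def _valid(self, fpr: str, visited: frozenset) -> bool:
        if fpr == self.my:
            return True
        if fpr in visited or fpr not in self.keys:
            return False
        visited = visited | {fpr}
        key = self.keys[fpr]
        for sig in key.signatures:
            if sig.signer == self.my:
                return True  # I checked the fingerprint and signed it myself
            if sig.signer in visited or not self._valid(sig.signer, visited):
                continue     # a signature from an invalid key counts for nothing
            power = self._introducer(sig.signer, visited)
            if power is not None and self._domain_ok(power[1], key.email):
                return True
        return False  # Marginal trust alone is not enough in this simplified model

    def _introducer(self, fpr: str, visited: frozenset) -> Optional[Tuple[int, Optional[str]]]:
        """(levels this key may still delegate, domain restriction) if fpr may vouch
        for keys to me, else None. Depth 1 vouches for end keys; depth >= 2 may also
        appoint further introducers, each level consuming one unit of depth."""
        if self.trust.get(fpr) == "Trusted":
            return (1, None)  # Trust granted in the Key Info dialog
        visited = visited | {fpr}
        for sig in self.keys[fpr].signatures:
            if sig.introducer_depth < 1 or sig.signer in visited:
                continue
            if sig.signer == self.my:
                return (sig.introducer_depth, sig.domain)
            if not self._valid(sig.signer, visited):
                continue
            above = self._introducer(sig.signer, visited)
            if above is not None and above[0] >= 2:
                return (min(sig.introducer_depth, above[0] - 1), sig.domain or above[1])
        return None


def build_sample_keyring() -> Keyring:
    """Constructed sample keyring; the fingerprints are labels, not real keys."""
    kr = Keyring(Key("ME", "me@example.com"))
    def key(fpr, email, *sigs):
        kr.add(Key(fpr, email, list(sigs)))
    key("ALICE", "alice@example.com", Signature("ME", 1, "example.com"))  # introducer for example.com only
    key("BOB", "bob@example.com", Signature("ALICE"))
    key("CAROL", "carol@other.org", Signature("ALICE"))   # outside Alice's domain restriction
    key("EVE", "eve@example.com", Signature("ME", 2))     # meta-introducer, Maximum Depth 1
    key("FRANK", "frank@example.com", Signature("EVE", 1))
    key("GRACE", "grace@example.com", Signature("FRANK"))
    key("HEIDI", "heidi@example.com", Signature("GRACE"))  # Grace was never made an introducer
    key("IVAN", "ivan@example.com", Signature("ME"))
    kr.grant_trust("IVAN", "Trusted")                     # Trust field set to Trusted
    key("JUDY", "judy@example.com", Signature("IVAN"))
    key("MALLORY", "mallory@example.com", Signature("ME"))
    kr.grant_trust("MALLORY", "Marginal")
    key("LEO", "leo@example.com", Signature("MALLORY"))    # marginal introducer only
    return kr
```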
Working with Subkeys
A PGP Desktop keypair consists of these elements:
the Master Key, for signing only;
one mandatory Subkey for encryption;
one or more optional Separate Subkey(s) for signing, encryption, or
signing/encryption.
The Master Key is used by default for signing, while a subkey is always used for
encryption. This can improve the security of a PGP Desktop keypair, as a
separate encryption subkey can be revoked, removed, or added to the PGP
Desktop keypair without affecting the Master Key or the signatures on it.
In addition to the Master Key and the mandatory encryption subkey, you have
the option of creating one or more additional subkeys for your PGP Desktop
keypair. You can create any combination of subkeys that can be used for
encryption only, for signing only, or for both encryption and signing.
You can view the subkeys of a keypair from the Key Properties dialog box. The
Usage column indicates the function that a subkey performs:
Encryption subkeys display a blue padlock symbol.
Signing subkeys display a blue pen symbol.
Subkeys used for both encryption and signing display both symbols.
The default encryption subkey displays a small green checkmark in the upper
left corner.
The default signing subkey displays a small green checkmark in the upper left
corner.
Using Separate Subkeys
Here are some examples of how additional separate subkeys can be useful:
Multiple encryption subkeys that are valid during different portions of the
keypair’s lifetime can increase security. You can create encryption subkeys
that have the Start and Expiration dates set so that only one encryption
subkey at a time is valid. For example, you could create several encryption
subkeys that are valid only during one future year (make sure you specify
correct dates). The Encryption Subkey in use then changes with the new
year. This can be a useful security measure, as it provides an automatic
way to switch to a new encryption key periodically without having to
recreate and distribute a new public key. Expired subkeys display a key
icon with a red clock.
Separate signing subkeys are needed in regions where separate subkeys
for signing are required for legally-binding digital signatures.
The separate subkeys that you can create depend on the type of keypair that
you are working with:
For RSA keypairs, you can create subkeys for encryption, signing, and
encryption/signing.
For Diffie-Hellman/DSS keypairs, you can create subkeys for encryption or
signing, but you cannot create subkeys that both encrypt and sign.
For older PGP Legacy keypairs, subkeys are not supported.
Viewing Subkeys
You can view and change the subkey information on your keypairs. However,
you can only view subkey information on the public keys on your keyring.
To see what subkeys are on a key
1 Open PGP Desktop, then click the Keys item. All keys on your keyring
appear.
2 Double-click the key with the properties you want to view. The Key
Properties dialog box for the key you selected is displayed.
3 Click the triangle to the left of Subkeys. The Subkeys information for this
key is displayed.
Creating New Subkeys
Most likely you will create new subkeys in the manner described in this section.
However, you can also create subkeys when you first install PGP Desktop and
are using the New Key wizard. For more information, see Using PGP Desktop for the First Time (on page 13).
To create new subkeys for a keypair
1 In the Subkeys section of the Key Properties dialog box, click the plus sign
icon. The New Subkey dialog box is displayed.
2 In the Use this subkey for area, select Encryption, Signing, or
Encryption and Signing, depending on how you want to use the new
subkey.
3 In the Key Size field, type a key size from 1024 to 4096 bits.
4 In the Start Date field, enter a date on which the subkey you are creating
becomes effective.
5 In the Expiration Date field, select Never, or specify a date. This
information controls when the subkey expires.
Note: To avoid confusion when maintaining more than one subkey on
your keypair, try not to overlap the start and expiration dates of your
subkeys.
6 Click Create. The Passphrase dialog box is displayed.
7 Enter your passphrase and then click OK. The subkey is created.
Note: When you add or change information in your keypair, update it on the
keyserver so that your most current key is always available. With the key
selected in the Keys list, from the Keys menu, select Update Selection.
Specifying Key Usage for Subkeys
Each subkey can have its own key usage properties. For example, one subkey
could be used for PGP WDE only, and another could be used for all other PGP
Desktop functions.
An example of why you would want to set the key usage of a key is when you
want to use a key for disk encryption only but you do not want to receive
encrypted email. If you distribute your public key that does not allow for PGP
Messaging, then email sent by another user would not be encrypted to your
public key.
Note: If you are in a PGP Universal Server-managed environment and your
key mode is SKM, you cannot make changes to the key usage flags. To
determine what your key mode is, see Key Modes (on page 115).
To specify key usage
1 Open PGP Desktop, then click the Keys item. All keys on your keyring
appear.
Double-click the key with the properties you want to view. The Key
Properties dialog box for the key you selected is displayed.
2 Click the Subkeys heading in the Key Properties dialog box. The Subkeys
for this key are displayed.
3 Double-click the subkey you want to change.
4 Click the arrow next to Subkey Usage Edit. The usage properties for the
key are displayed.
5 In the list displayed, select the PGP Desktop functions for which this key
can be used. A check next to the item indicates the key can be used for
that function.
6 Click Close to save the subkey properties.
7 Click Close again to save the key properties.
Revoking Subkeys
To revoke a subkey
1 In the Subkeys section of the Key Properties dialog box, select the subkey
you want to revoke.
2 Click Revoke (backslash-circle icon above the subkey list). A confirmation
dialog box is displayed.
3 Click OK to revoke the subkey. The Passphrase dialog box is displayed.
4 Type your passphrase, then click OK. The subkey is revoked and the icon
changes to a key with a red circle/slash.
Removing Subkeys
To remove a subkey
1 In the Subkeys section of the Key Properties dialog box, select the subkey
you want to remove.
2 Click Remove (a minus sign icon above the subkey list). A confirmation
dialog box is displayed.
3 Click OK to remove the subkey. The subkey is removed.
Working with ADKs
An additional decryption key (ADK) is a key generally used by security officers of
an organization to decrypt messages that have been sent to or from employees
within the organization.
Messages encrypted by a key with an ADK are encrypted to the public key of
the recipient and to the ADK, which means the holder of the ADK can also
decrypt the message.
ADKs are rarely used or needed outside of a PGP Universal Server-managed
environment. Although your PGP administrator should not ordinarily need to use
the additional decryption keys, there may be circumstances when it is
necessary to recover someone’s email. For example, if someone is injured and
out of work for some time, or if email records are subpoenaed by a law
enforcement agency and the corporation must decrypt mail as evidence for a
court case.
You can only modify ADKs on your keypairs.
Adding an ADK to a Keypair
To add an ADK to a keypair
1 Open PGP Desktop, then click the Keys item. All keys on your keyring
appear.
2 Double-click the keypair to which you are adding the ADK. The Key Info
dialog box for the key you double-clicked is displayed.
3 If necessary, click the triangle icon, on the left side of the Additional
Decryption Keys section, so that it is pointing downward. The ADK
information for this key is displayed, if it has been configured.
4 Click the plus sign icon on the right side of the Additional Decryption
Keys section.
5 From the list displayed, select the key you want to use as the ADK.
6 Click OK. The PGP Enter PGP Passphrase for Key dialog box is displayed.
7 Enter the passphrase for the key to which you are adding the ADK, then
click OK. The ADK is added.
Updating an ADK
To update an ADK
1 Select the ADK you want to update from the list of ADKs. The selected
ADK highlights.
2 Click the down arrow icon. The ADK is updated.
Removing an ADK
To remove an ADK
1 Select the ADK you want to remove from the list of ADKs. The selected
ADK highlights.
2 Click the minus sign icon. A PGP Warning dialog box is displayed, asking if
you are sure you want to remove the ADK.
3 Click OK to remove the ADK. The ADK is removed.
Working with Revokers
It is possible that one day you might forget your passphrase or lose your keypair
(your laptop is stolen or your hard drive crashes, for example).
Unless you are also using Key Reconstruction and can reconstruct your private
key, you would be unable to use your key again, and you would have no way of
revoking it to show others not to encrypt to it. To safeguard against this
possibility, you can appoint a third-party key revoker. The third-party you
designate is then able to revoke your key just as if you had revoked it yourself.
This feature is available for both Diffie-Hellman/DSS and RSA keys.
You can only change revoker information on your keypairs. If a public key on
your keyring has a revoker, you can see that information but you cannot change
it.
Appointing a Designated Revoker
To add a designated revoker to your key
1 Open PGP Desktop, then select My Private Keys, under the Keys item. All
of the keys on your keyring appear.
2 Double-click the key to which you are adding a revoker. The Key Info dialog
box for the key you selected is displayed.
3 Click the plus sign icon on the right side of the Revokers section. The
Select key(s) dialog box is displayed.
4 Select the key you want to use as the revoker key, then click OK. A PGP
Warning dialog box is displayed, asking if you are certain that you want to
grant revoker privileges to the selected key(s).
5 Click Yes to continue or No to cancel. The Enter PGP Passphrase for Key
dialog box is displayed.
6 Enter the passphrase for the keypair to which you are adding the revoker,
then click OK. A PGP Information dialog box is displayed.
7 Click OK. The selected key(s) is now authorized to revoke your key. For
effective key management, distribute a current copy of your key to the
revoker(s) or upload your key to the keyserver.
Revoking a Key
If the situation ever arises that you no longer trust your personal keypair, you
can revoke your key, which tells everyone to stop using your public key.
The best way to circulate a revoked key is to place it on a public keyserver.
To revoke a key
1 Open PGP Desktop, then select My Private Keys under the Keys item. All
of the keys on your keyring appear.
2 Ctrl+click the key you want to revoke (or right-click if you are using a
two-button mouse).
3 In the shortcut menu, select Revoke. A Confirm Revocation dialog box is
displayed, asking if you are sure you want to revoke this key.
4 Click OK to confirm your intent to revoke the selected key or Cancel to
cancel.
5 Enter the passphrase for the keypair you are revoking, then click OK. When
you revoke a key, it is marked out with a red X to indicate that it is no
longer valid.
6 Synchronize the revoked key so everyone will know not to use the now
revoked public key.
Splitting and Rejoining Keys
Any private key can be split into shares among multiple “shareholders” using a
cryptographic process known as Blakley-Shamir key splitting. This technique is
recommended for extremely high security keys.
For example, PGP Corporation keeps a corporate key split between multiple
individuals. Whenever we need to sign with that key, the shares of the key are
rejoined temporarily.
Creating a Split Key
When you split a key, the shares are saved as files either encrypted to the
public key of a shareholder or encrypted conventionally if the shareholder has
no public key. After the key has been split, any attempts to sign or decrypt with
it will automatically attempt to rejoin the key.
To create a split key
1 Open PGP Desktop, then click the PGP Keys item. All of the keys on your
keyring appear.
2 Select the keypair you want to split. The selected keypair highlights.
3 Select Keys > Share Key > Make Shared. The Split Key dialog box is
displayed.
4 Add shareholders for the split key by dragging and dropping their keys in
the Key/User Name list.
5 To add a shareholder who does not have a public key, that person must be
physically present to enter their own passphrase. Click Add.
Allow the shareholder to type in their passphrase twice, then click OK.
Unnamed User is displayed in the list.
Double-click Unnamed User and enter a descriptive name for the
person or organization holding the shares.
6 To specify a location for the split shares, click Browse in the Share File
Destination Folder, then select the desired location.
7 When all of the shareholders are listed, you can specify the number of key
shares that are necessary to decrypt or sign with this key.
By default, each shareholder is responsible for one share. To increase the
number of shares a shareholder possesses, double-click the number in the
Shares column and enter the number of shares they control.
8 Click Split Key. The Confirm Key Split dialog box is displayed.
9 Click OK to continue splitting the key. The Passphrase screen is displayed.
10 Enter the passphrase for the key being split, then click OK. A minimum of
six characters is required for this passphrase. A confirmation dialog box
opens.
The key is split and the shares are saved in the location you specified. Each
key share is saved with the shareholder’s name as the file name and a
.shf extension.
11 Distribute the key shares to the owners, then delete the local copies of the
shares.
Be sure you keep the original key that was split. You will need to have this key
before you can rejoin the split key for any decryption functions.
Rejoining Split Keys
Once a key is split among multiple shareholders, attempting to sign or decrypt
with it causes PGP Desktop to attempt to rejoin the key automatically. There
are two ways to rejoin the key: locally and remotely.
Rejoining key shares locally requires the shareholder’s presence at the rejoining
computer. Each shareholder is required to enter the passphrase for their key
share.
Rejoining key shares remotely requires the remote shareholders to authenticate
and decrypt their keys before sending them over the network. The PGP
Desktop Transport Layer Security (TLS) feature provides a secure link to
transmit key shares, allowing multiple individuals in distant locations to securely
sign or decrypt with their key share.
Caution: Before receiving key shares over the network, you should verify
each shareholder’s fingerprint and sign their public key to ensure that their
authenticating key is legitimate.
Before you begin, be sure you have the original key that was split on the
rejoining computer.
To rejoin a split key
1 Contact each shareholder of the split key. To rejoin key shares locally, the
shareholders of the key must be present.
To collect key shares over the network, make sure the remote
shareholders have PGP Desktop installed and are prepared to send their
key share file. Remote shareholders must have:
Their key share files and passwords.
A keypair (for authentication to the computer that is collecting the key
shares).
A network connection.
The IP address or Fully Qualified Domain Name of the computer that
is collecting the key shares.
2 At the rejoining computer, use the Finder to select the file(s) that you want
to sign or decrypt with the split key.
3 Ctrl+click the file(s) and select Sign or Decrypt from the PGP shortcut
menu. The Enter PGP Passphrase for Selected Key screen is displayed
with the split key selected.
4 Click OK to reconstitute the selected key. The Key Share Collection screen
is displayed.
5 Do one of the following:
If you are collecting the key shares locally, click Select Share File and
then locate the share files associated with the split key. The share
files can be collected from the hard drive, a removable drive, or a
mounted drive. Continue with the next step.
If you are collecting key shares over the network, click Start
Network.
The Passphrase dialog box opens. In the Signing Key field, select the
keypair that you want to use for authentication to the remote system
and enter the passphrase. Click OK to prepare the computer to receive
the key shares.
The status of the transaction is displayed in the Network Shares box.
When the status changes to Listening, the PGP application is ready to
receive the key shares.
At this time, the shareholders must send their key shares.
When a share is received, the Remote Authentication screen is
displayed. If you have not signed the key that is being used to
authenticate the remote system, the key will be considered invalid.
Although you can rejoin the split key with an invalid authenticating key,
it is not recommended. You should verify each shareholder’s fingerprint
and sign each shareholder’s public key to ensure that the authenticating
key is legitimate.
6 Click Confirm to accept the share file.
7 Continue collecting key shares until the value for Total Shares Collected
matches the value for Total Shares Needed on the Key Shares Collection
screen.
8 Click OK. The file is signed or decrypted with the split key.
If You Lost Your Key or Passphrase
If you lost your key, you can reconstruct your key so you can continue to
encrypt and decrypt data. How you do this depends on if you are using PGP
Desktop in a standalone environment or in a PGP Universal Server-managed
environment.
If you forgot your passphrase, you can reset your passphrase. To do this, you
answer correctly three of the five security questions you answered when you
set up your key or created your security questions.
Reconstructing Keys with PGP Universal Server
This section applies only to PGP Desktop users in a PGP Universal
Server-managed environment whose PGP administrator has configured
key reconstruction support for their copy of PGP Desktop.
If you lose your key or forget your passphrase and do not have a backed up
copy from which to restore your key, you will never again be able to decrypt any
information encrypted to your key. You can, however, reconstruct your key if
your PGP administrator has implemented a PGP key reconstruction policy for
you, in which your key is encrypted and stored on a PGP Universal Server in
such a way that only you can retrieve it.
The PGP Universal Server holding the key reconstruction data stores your key in
such a way that only you can access it. Not even the PGP administrator has the
ability to decrypt your key.
If your PGP administrator has configured support for key reconstruction, you will
be prompted to enter additional “secret” information when you install PGP
Desktop or when you create your security questions.
Once your key is on the server, you can restore it at any time by selecting Keys
> I Lost My Key or Keys > I Forgot My Passphrase in PGP Desktop for
Windows, or Keys > Reconstruct in PGP Desktop for Mac OS X.
Tip: If you were not prompted to create your PGP questions during
installation of PGP Desktop, and your PGP Universal Server administrator
allows local key reconstruction, you can manually create your questions. For
more information, see Creating Your Security Questions (on page 81).
Creating Key Reconstruction Data
When you answer the PGP security questions, you are creating the key
reconstruction data. In a standalone environment, this information is stored on
your local disk in a .krb file. In a managed environment, you send the key
reconstruction data to your company's PGP Universal Server whenever you
install PGP Desktop or when you reset your key.
Choose obscure personal questions with answers that you are not likely to
forget. Your questions can be up to 95 characters in length. An example of a
good question might be, “Who took me to the beach?” or “Why did Fred
leave?” An example of a bad question would be, “What is my mother’s maiden
name?” or “Where did I go to high school?”
When you have created and answered all five PGP questions, your private key
is split into five pieces using Blakley-Shamir key splitting. Three of the five
pieces are needed to reconstruct the key. Each piece is then encrypted using a
hash of one answer (the hash serves as the unique identifier for that answer).
If you know any three of the five answers, you can reconstruct the whole key.
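The following Python program is an added illustration of the scheme just described; it is not PGP Desktop's code and does not produce PGP's actual .krb format. It splits a 32-byte key into five Shamir shares with a threshold of three, locks each share under a hash of the corresponding answer (case-folded, since the guide says case does not matter; the exact normalization rule and the cipher used to lock a share are assumptions), and shows that three correct answers recover the key while two do not.

```python
"""Added example (not PGP's own code or .krb format): split a key 3-of-5 with
Shamir secret sharing and lock each share under a hash of one security answer."""
import hashlib
import hmac
import secrets

PRIME = (1 << 521) - 1      # Mersenne prime; a 32-byte key is far below it
THRESHOLD, SHARES = 3, 5
SHARE_LEN = 66              # bytes needed to hold a 521-bit field element


def normalize(answer: str) -> str:
    # The guide says answer case does not matter; this folding rule is an
    # assumption, PGP Desktop's exact normalization is not documented here.
    return " ".join(answer.strip().lower().split())


def answer_key(answer: str) -> bytes:
    # Single SHA-256 for brevity. Real use needs a slow, salted password hash:
    # whoever holds the reconstruction data can guess answers offline.
    return hashlib.sha256(normalize(answer).encode("utf-8")).digest()


def _eval_poly(coeffs, x):
    acc = 0
    for c in reversed(coeffs):          # Horner's rule, mod PRIME
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes):
    """Five points (x, f(x)) on a random degree-2 polynomial with f(0) = secret."""
    s = int.from_bytes(secret, "big")
    assert s < PRIME
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(THRESHOLD - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, SHARES + 1)]


def recover_secret(shares, length: int) -> bytes:
    """Lagrange interpolation at x = 0 from any THRESHOLD shares."""
    pts = shares[:THRESHOLD]
    total = 0
    for i, (xi, yi) in enumerate(pts):
        num = den = 1
        for j, (xj, _) in enumerate(pts):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total.to_bytes(length, "big")


def _keystream(key: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):   # SHA-256 in counter mode (toy cipher)
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
    return out[:n]


def encrypt_share(share, answer: str) -> bytes:
    """Blob layout: x (1 byte) || encrypted y (66 bytes) || HMAC tag (32 bytes)."""
    x, y = share
    k = answer_key(answer)
    ct = bytes(a ^ b for a, b in zip(y.to_bytes(SHARE_LEN, "big"), _keystream(k, SHARE_LEN)))
    return bytes([x]) + ct + hmac.new(k, bytes([x]) + ct, hashlib.sha256).digest()


def decrypt_share(blob: bytes, answer: str):
    """(x, y) if the answer is right; None when the tag rejects it."""
    k = answer_key(answer)
    head, tag = blob[:1 + SHARE_LEN], blob[1 + SHARE_LEN:]
    if not hmac.compare_digest(hmac.new(k, head, hashlib.sha256).digest(), tag):
        return None
    pt = bytes(a ^ b for a, b in zip(head[1:], _keystream(k, SHARE_LEN)))
    return head[0], int.from_bytes(pt, "big")


def make_krb(private_key: bytes, answers):
    """Five encrypted shares: a stand-in for the key reconstruction data."""
    assert len(answers) == SHARES
    return [encrypt_share(sh, a) for sh, a in zip(split_secret(private_key), answers)]


def reconstruct(krb, attempts: dict, length: int):
    """attempts maps question index -> answer. Any three correct answers suffice."""
    good = [s for i, a in attempts.items() if (s := decrypt_share(krb[i], a)) is not None]
    return recover_secret(good, length) if len(good) >= THRESHOLD else None


# Constructed sample data: not a real key, not anyone's real answers.
SAMPLE_KEY = bytes(range(32))
SAMPLE_ANSWERS = ["Aunt Mabel", "because of the rain", "Rufus", "blue Volvo", "Mrs. Kowalski"]


def demo():
    krb = make_krb(SAMPLE_KEY, SAMPLE_ANSWERS)
    three_right = {0: "aunt mabel", 2: "RUFUS", 4: "mrs. kowalski"}   # case ignored
    two_right = {0: "aunt mabel", 1: "wrong guess", 2: "rufus"}
    return reconstruct(krb, three_right, 32), reconstruct(krb, two_right, 32)


if __name__ == "__main__":
    ok, fail = demo()
    print("three correct answers recover the key:", ok == SAMPLE_KEY)
    print("two correct answers:", fail)
```

Because the only thing protecting each share is an answer that a determined attacker may be able to guess, anyone holding the reconstruction data can try answers offline; the single SHA-256 used here would be far too fast for a real product, and the guidance above about choosing obscure questions exists for exactly this reason.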
Creating Your Security Questions
Before you can reconstruct your key or create a new passphrase when you've
forgotten it, you must create your security questions. You can customize the
five security questions so that the answers are something that only you would
know.
To create your security questions
1 In PGP Desktop, click the Keys item and then select your key.
2 Select Keys > Create My PGP Questions. The PGP Security Question
Assistant is displayed.
3 When the Key Reconstruction screen dialog box is displayed, type five
questions that only you can answer in the Question fields (the default
questions are examples only).
4 In the first Create Security Question screen, click the arrow for the first
field to select the question you want to use. Note that you can customize
parts of the question in the next step.
If you want to completely customize the question to create your own
question, select Enter my own question.
5 For Personalize Your Question, click the arrows next to any of the text
that you can customize. For example, if you selected the first question, you
can customize that question by changing "friend" to "boy" and "had a crush
on" to "held hands with."
If you chose to create your own question, enter the question in this field.
Be sure to enter a question that only you can know the answer to.
6 For Answer Your Question, enter the answer to this security question.
You can enter the answer using mixed upper- and lowercase letters, or use
all one case (when you answer the question, the case will not matter).
A hint is displayed in this field that disappears once you start entering the
answer. For example, to answer the question "Who was the first boy that I
ever held hands with?", the hint is "Enter first and last name".
7 When you have defined your question and entered the answer, click Next
to continue. The Create Security Question 2 of 5 dialog box is displayed.
8 You are prompted to create and answer a total of five security questions.
Continue to follow the steps above to select the question, customize the
question, and answer the question.
9 When you have entered all five questions and answers, the Enter PGP
Passphrase dialog box is displayed.
10 Enter the passphrase for your key and click OK.
11 You are then prompted to save the key reconstruction file. Enter the name
and location where you want to save the file and click Save.
12 Click Finish to exit the assistant.
You have now defined the five security questions. If you lose your key or forget
your passphrase, you can reconstruct your key or reset your passphrase by
answering any three of these five questions.
Reconstructing Your Key if You Lost Your Key or Passphrase
If you have lost your key or have forgotten your passphrase, you can recover by
reconstructing your key. You must first have created a set of security questions
that only you can answer. For more information, see Creating Your Security Questions (on page 81).
To reconstruct your key
1 In PGP Desktop, click the Keys item and then select your key.
2 Select Keys > Reconstruct.
If you are managed by a PGP Universal Server, the PGP Passphrase
Assistant: Answer Security Questions dialog box is displayed.
If you are in a standalone environment, the Select Key Reconstruction
File dialog box is displayed. Select the .krb file that you saved when
you created your security questions and click Open.
The Key Reconstruction dialog box is displayed.
3 Answer three of the five security questions correctly and click Continue.
The Confirm PGP Passphrase dialog box is displayed.
4 Enter and re-enter your new passphrase.
Select Show Keystrokes if you want to see the characters you type for
your passphrase. Be sure no one can see what you type.
The Passphrase Quality bar provides a basic guideline for the strength of
the passphrase you are creating by comparing the estimated entropy of the
passphrase you type against a truly random 128-bit string (the same amount
of entropy as an AES-128 key). For more information, see The Passphrase Quality Bar (on page 202).
5 Click OK. Your key has been reconstructed.
Protecting Your Keys
Besides making backup copies of your keys, you should be especially careful
about where you store your private key. Even though your private key is
protected by a passphrase that only you should know, it is possible that
someone could discover your passphrase and then use your private key to
decipher your email or forge your digital signature. For instance, somebody
could look over your shoulder and watch the keystrokes you enter or intercept
them on the network or even over the Internet.
To prevent anyone who might happen to intercept your passphrase from using
your private key, store your private key only on your own computer. If your
computer is attached to a network, make sure that your files are not
automatically included in a system-wide backup where others might gain access
to your private key. Given the ease with which computers are accessible over
networks, if you are working with extremely sensitive information, you may
want to keep your private key on a flash drive, which you can insert like an
old-fashioned key whenever you want to read or sign private information.
As another security precaution, consider assigning a different name to your
private keyring file and then storing it somewhere other than in the default
location.
Your private and public keys are stored in separate keyring files. You can copy
them to another location on your hard drive or to a diskette. By default, the
private keyring (secring.skr) and the public keyring (pubring.pkr) are
stored along with the other program files in your “PGP” folder; you can save
your backups in any location you like.
You can configure PGP Desktop to back up your keyrings automatically after
you close PGP Desktop. Your keyring backup options can be set in the Keys tab
of the Options dialog box (for Windows systems) or the Preferences dialog box
(for Mac OS X systems).
Tip: If you have changed your passphrase on your key, remember that it does
not change the passphrase on any copies of the key (such as backups you
may have made). If you think your key has been compromised, PGP
Corporation recommends that you shred any previous backup copies and
then make new backups of your key.
8 Securing Email Messages
This section describes how to use PGP Desktop Email to automatically and
transparently secure your email messages.
Note: If you are using PGP Desktop in a PGP Universal Server-managed
environment, your PGP Universal Server administrator may have disabled
certain features. When a feature is disabled, the control item in the left side
is not displayed and the menu and other options for that feature are not
available. The graphics included in this guide depict the default installation
with all features enabled. If your PGP Universal Server administrator has
disabled this functionality, this section does not apply to you.
In This Chapter
How PGP Desktop Secures Email Messages ......................................... 85
Using Offline Policy ................................................................................. 89
Services and Policies ............................................................................... 90
Creating a New Security Policy ............................................................... 98
Working with the Security Policy List.................................................... 108
PGP Desktop and SSL ........................................................................... 113
Viewing the PGP Log............................................................................. 118
Using PGP Scripts with Entourage 2008 ............................................... 119
How PGP Desktop Secures Email Messages
When secure email messaging is enabled, PGP Desktop monitors the email
traffic between your email client and your mail server. Depending on the
circumstances, PGP Desktop will intercede on your behalf to encrypt, sign,
decrypt, or verify messages.
Once configured correctly—and it’s very likely PGP Desktop can do that for you
automatically—you don’t have to do anything to encrypt and/or sign outgoing
messages or to decrypt and/or verify incoming messages; the PGP Desktop
messaging proxy does it for you.
How this happens is different for incoming and outgoing messages.
For incoming messages, PGP Desktop automatically evaluates all incoming
email messages and takes the appropriate actions (described in the following
section).
For outgoing messages, there are a range of actions that PGP Desktop can take
on your behalf based on configured policies. A policy is a set of instructions
(such as "In this circumstance, do this") that tells PGP Desktop what to do in
specific situations. By combining these instructions, policies can be tailored to
meet all of your email security requirements. PGP Desktop comes
pre-configured with a set of policies that suit the needs of the vast majority of
users. However, you are also provided with fine-grained control over these
policies if you want to change them.
By default, when you are using PGP Desktop standalone and are sending an
outgoing message, PGP Desktop looks for a key it can trust to encrypt the
message. It looks first on the default keyring (called "All Keys" on Windows
systems) or the local keyring (called "Keys" on Mac OS X systems) for the public
key of the recipient. If it does not find such a key, it will, again by default, check
the PGP Global Directory for a trusted key for the recipient. If it does not find a
trusted key there either, the message is sent in the clear (unencrypted). This
default behavior, called Opportunistic Encryption, strikes a balance between
protecting outgoing messages and making sure they get sent.
Creating new policies is covered in detail in Creating a New Security Policy (on
page 98).
If you are in a PGP Universal Server-protected domain, your PGP Desktop
policies, which are controlled by your PGP Universal Server administrator,
determine how and when your messages are encrypted. For more information,
consult your organization’s PGP Universal Server administrator.
Incoming Messages
PGP Desktop handles incoming mail messages based on the content of the
message. These scenarios assume a standalone PGP Desktop, not one in a
domain protected by a PGP Universal Server (in which case mail policies set by
your PGP Universal Server administrator can apply):
Message neither encrypted nor signed. PGP Desktop does nothing to the
content of these messages; it simply passes the message along to your
email client.
Message encrypted, but not signed. When PGP Desktop sees a
message coming to you that is encrypted, it attempts to decrypt it for
you. To do this, PGP Desktop checks the local keyring for the private key
that can decrypt the message. If the private key is not on the local keyring,
PGP Desktop cannot decrypt the message and passes it to your email
client still encrypted. If the private key is on the local keyring, PGP
Desktop decrypts the message immediately if the passphrase for the private
key is in memory (cached). If the passphrase is not cached, PGP Desktop
prompts you for it and decrypts the message when you supply the correct
passphrase. Once a message is decrypted, PGP Desktop passes it to your
email client.
If the PGP Desktop messaging proxy is turned off, PGP Desktop will not be
able to decrypt incoming encrypted messages; it will pass them along to
your email client still encrypted. It is recommended that you leave your
messaging proxy on all the time if you expect to be sending and receiving
encrypted messages. On is the default setting.
Message signed, but not encrypted. PGP Desktop searches the local
keyring for a public key that can be used to verify the signature. If PGP
Desktop cannot find the appropriate public key on the local keyring, it
tries a keyserver at keys.domain (where domain is the domain of the sender
of the message), then the PGP Global Directory (https://keyserver.pgp.com),
and finally any other configured keyservers. If PGP Desktop finds the right
public key at any of these locations, it verifies the signature (or reports
that the signature is bad) and passes the message to your email client
annotated with information about the signature; the same information is
written to the PGP Log. If PGP Desktop cannot find the appropriate public
key, it passes the message to your email client unverified.
Note that a signature which verifies against a key fetched from a keyserver
only proves that the message was signed by whoever holds that key; confirm
the key's fingerprint with the sender before relying on it.
Message encrypted and signed. PGP Desktop goes through both of the
processes described above: first finding the private key to decrypt the
message and then finding the public key to verify the signature. However,
if a message cannot be decrypted, then it cannot be verified.
If PGP Desktop is unable to either decrypt or verify a message, consider
contacting the sender of the message. If the message could not be
decrypted, make sure the sender was using your real public key. If the message
could not be verified, ask the sender to publish their key on the PGP Global
Directory (older PGP versions or other OpenPGP products can access the
web version of this directory at https://keyserver.pgp.com), or ask them to
send their public key to you directly by email.
Note: PGP Desktop only encrypts by default to keys that are known to be
valid. If you did not get a key from the PGP Global Directory, you may need to
verify its fingerprint with the owner (over a channel other than email, such as
by phone or in person) and sign it before it will be used.
Understanding Annotations on Incoming Messages
When incoming email messages are received, PGP Desktop decrypts any
encrypted portions and verifies any signatures. Then a snippet of text, called an
annotation, is inserted into the processed email message to indicate what
encryption and signatures were present. Any email message with at least partial
protection (encrypted, signed, or both) receives an annotation. If an email
message is completely unprotected (for example, the email is not encrypted or
signed by the sender) then the message is not annotated.
You can choose from three annotation levels:
Maximum: Verbose Annotation. Adds annotations to your incoming
email detailing every action that PGP Desktop has taken during message
processing.
Medium: Failures and Successes. This option is the default. Provides
annotations when there has been a processing failure, such as unknown
key, or unknown signer. The Medium setting provides annotations for all
decrypted and/or signed email, but does not list individual attached files.
Minimum: Failures Only. Only provides annotations when there has been
a processing failure, such as detecting an unknown key or unknown signer.
To specify the level of annotation you want to use, see Messaging Options (see
"Messaging Preferences" on page 192).
In a PGP Universal Server-managed environment, your administrator may have
specified the location of the annotation. The annotation can be "wrapped
around" the message text (the default setting), or placed below the message
text.
For more information on annotations, see PGP KB article 2039
(http://support.pgp.com/?faq=2039).
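As an added example (not PGP Desktop's code), the incoming-message decision flow above and the three annotation levels, modelled in Python over constructed messages and a stand-in keyring. The key IDs, the keyserver names other than keyserver.pgp.com, and the fetch and prompt callbacks are assumptions standing in for the real keyring, the network lookups, and the passphrase dialog.

```python
"""Added example, not PGP Desktop's code: incoming-message handling and
annotation levels, modelled in plain Python on constructed data."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

GLOBAL_DIRECTORY = "keyserver.pgp.com"


@dataclass
class Message:
    sender: str
    encrypted_to: Optional[str] = None   # key ID the message is encrypted to
    signed_by: Optional[str] = None      # key ID of the signer
    signature_good: bool = True          # constructed: what a real verify would report


@dataclass
class Keyring:
    private_keys: Set[str]
    public_keys: Set[str]
    cached_passphrases: Set[str] = field(default_factory=set)


def keyserver_order(sender: str, configured: List[str]) -> List[str]:
    """keys.<sender's domain>, then the PGP Global Directory, then any others."""
    first = [f"keys.{sender.rsplit('@', 1)[-1]}", GLOBAL_DIRECTORY]
    return first + [s for s in configured if s not in first]


def find_public_key(key_id, sender, keyring, configured, fetch) -> Optional[str]:
    """Where the key was found ('local keyring' or a server name), or None.
    fetch(server, key_id) -> bool is an assumed stand-in for the network lookup."""
    if key_id in keyring.public_keys:
        return "local keyring"
    for server in keyserver_order(sender, configured):
        if fetch(server, key_id):
            keyring.public_keys.add(key_id)
            return server
    return None


def process_incoming(msg, keyring, configured, fetch, prompt, level="medium"):
    """Return (state, annotations). state: 'clear', 'decrypted' or 'still encrypted'.
    level: 'maximum', 'medium' or 'minimum'. prompt(key_id) -> bool stands in
    for the passphrase dialog (True means the correct passphrase was typed)."""
    events: List[Tuple[str, str]] = []   # (kind, text); kind: failure|success|detail
    if not msg.encrypted_to and not msg.signed_by:
        return "clear", []               # unprotected mail passes through untouched
    state = "clear"
    if msg.encrypted_to:
        state = "still encrypted"
        if msg.encrypted_to not in keyring.private_keys:
            events.append(("failure", f"unknown key: no private key for {msg.encrypted_to}"))
        elif msg.encrypted_to in keyring.cached_passphrases or prompt(msg.encrypted_to):
            keyring.cached_passphrases.add(msg.encrypted_to)   # passphrase now cached
            state = "decrypted"
            events.append(("success", f"decrypted with key {msg.encrypted_to}"))
        else:
            events.append(("failure", "passphrase not supplied; message left encrypted"))
    if msg.signed_by:
        if state == "still encrypted":   # cannot verify what could not be decrypted
            events.append(("failure", "signature not checked: message could not be decrypted"))
        else:
            where = find_public_key(msg.signed_by, msg.sender, keyring, configured, fetch)
            if where is None:
                events.append(("failure", f"unknown signer: key {msg.signed_by} not found"))
            elif msg.signature_good:
                events.append(("success", f"good signature from {msg.signed_by}"))
                events.append(("detail", f"signer key obtained from {where}"))
            else:
                events.append(("failure", f"BAD signature from {msg.signed_by}"))
    shown = {"minimum": {"failure"}, "medium": {"failure", "success"},
             "maximum": {"failure", "success", "detail"}}[level]
    return state, [text for kind, text in events if kind in shown]


def demo():
    ring = Keyring(private_keys={"0xA1B2C3D4"}, public_keys=set())
    # Constructed lookup: only the sender's own domain keyserver has the signer's key.
    fetch = lambda server, key_id: server == "keys.example.org" and key_id == "0xCAFE0001"
    prompt = lambda key_id: True         # the user types the correct passphrase
    msg = Message("alice@example.org", encrypted_to="0xA1B2C3D4", signed_by="0xCAFE0001")
    return process_incoming(msg, ring, ["keys.corp.example"], fetch, prompt, "maximum")


if __name__ == "__main__":
    state, notes = demo()
    print(state)
    for note in notes:
        print(" *", note)
```

The ordering in keyserver_order is the one the guide gives for signed-only mail; note that a key obtained from any of those servers is still unverified until its fingerprint has been checked with the sender.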
Outgoing Messages
Email messages that you send can be encrypted, signed, both, or neither.
Because you probably have different combinations for different recipients or
email domains, you need to create policies for all of your outgoing email
message possibilities. Once correct policies are in place, your email messages
are protected automatically and transparently.
If you are in a PGP Universal Server-managed environment, your PGP Desktop
policies are controlled by the policies specified by your PGP Universal Server
administrator. Your administrator may also have specified how to handle
outgoing email messages if the PGP Universal Server is not available. These
policies are called offline (or local) policies.
Securing Sent Items on IMAP Email Servers
If you are using an IMAP email server, messages in your Sent Items folder are
typically stored on the mail server. IMAP email clients send the sent message
copy over the network to the folder using the IMAP protocol. If the sent
message is not encrypted, the message could be intercepted. PGP Desktop
provides the ability for sent messages to be encrypted and/or signed as they are
sent to the IMAP server.
In a PGP Universal Server-managed environment, your administrator may have
specified that all messages in the Sent Items folder be secured.
In a standalone environment, you can specify if you want to secure the sent
messages. To do this, choose Tools > Options (in PGP Desktop for Windows)
or PGP > Preferences (in PGP Desktop for Mac OS X) and click the Messaging
tab or item. Then specify if you want to encrypt, encrypt and sign, or just sign
the messages.
Sent messages are encrypted to your own public PGP key, so only your private
key can decrypt them.
When you access your Sent Items folder and your key's passphrase is not
cached, you are prompted to enter the passphrase.
If the name of the folder is not one that PGP Desktop recognizes (for
example, the folder is named "Outgoing Messages" instead of "Sent Items"), a
message is displayed asking you to confirm that this folder is where your
sent messages are typically stored. Note that the first message copied to this
folder is not encrypted and/or signed, but subsequent messages copied to
this folder are.
Using Offline Policy
If you are using PGP Desktop in a PGP Universal Server-managed environment,
the offline mail policy is defined by your PGP Universal Server administrator.
This policy defines what happens to email messages when the PGP Universal
Server is offline or cannot be reached by PGP Desktop.
Block outbound messages. Your outbound messages are not sent. If the
messages can be queued by your mail client, they stay in the queue until
the PGP Universal Server is available. If the messages cannot be queued,
the email messages are blocked.
Send outbound messages in the clear. You are prompted to choose if
you want to allow the email message to be sent unsecured. If you choose
to send, the message is sent in the clear. If you choose not to send, the
message is blocked.
Follow standalone policy. PGP Desktop follows the standalone policy to
process your outbound messages. For more information, see Viewing
Services and Policies (on page 91).
For information on the notifiers you receive when any of the above occurs, see
Outgoing PGP Desktop Notifier Messages for Offline Policy (on page 32).
Your PGP Universal Server administrator can specify how often your mail
policies are downloaded to PGP Desktop. When you are in offline mode, the
last downloaded offline mail policy remains in effect for processing your
outbound email messages. Your administrator can also set a grace period for
how long that offline policy stays in effect, and specify what happens once you
have been offline longer than the grace period: depending on how the policy
is defined, PGP Desktop either starts blocking your outbound messages or
continues to apply the same offline policy.
When you have been offline for some time, you can manually request a
download of policy from the PGP Universal Server once you are back online. To
do this when you are back online, select the PGP Desktop icon in the tray and
then select Update Policy. The latest policies are downloaded from the PGP
Universal Server and any client logs are uploaded to the server. The option to
manually update a policy is available for managed users only.
If your PGP Universal Server administrator allows you to use standalone
policies, see Creating a New Security Policy (on page 98).
Services and Policies
To understand how to use PGP Desktop to automatically and transparently
protect your outgoing messages, you need to understand two terms: service
and policy.
Service. Information about one email account on your system and the
policies that apply to that account. In most cases, PGP Desktop will
automatically create and configure a service for each email account on your
system. In some circumstances, you may want to create and configure a
service manually.
Policy. A set of one or more instructions that tell PGP Desktop what to do
in specific situations. Policies are associated with services—often more
than one (a policy can be reused by different services). Conversely, a
service can (and usually does) have more than one policy.
When deciding how to handle a specific outgoing email message, PGP Desktop
checks the policies configured for the service one at a time (from the top of the
list going down). When it finds a policy that applies, it stops checking policies
and implements the one that applies.
All new services are created with the following default policies:
Encrypt and Sign Buttons. Specifies that email is both signed and
encrypted when both the Encrypt and Sign buttons are enabled in
Microsoft Outlook 2002, 2003, or 2007. This policy is available only on PGP
Desktop for Windows.
Sign Button. Specifies that email is signed when the Sign button is
enabled in Microsoft Outlook 2002, 2003, or 2007. This policy is available
only on PGP Desktop for Windows.
Encrypt Button. Specifies that email is encrypted when the Encrypt
button is enabled in Microsoft Outlook 2002, 2003, or 2007. This policy is
available only on PGP Desktop for Windows.
Mailing List Admin Requests. Specifies that administrative requests to
mailing lists are sent in the clear; that is, not encrypted or signed.
Mail List Submissions. Specifies that submissions to mailing lists are sent
signed (so they can be authenticated) but not encrypted.
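As an added example (not PGP Desktop's code) of the first-match policy list above, the standalone Opportunistic Encryption default from How PGP Desktop Secures Email Messages, and the managed-mode offline policy from Using Offline Policy, modelled in Python. The address patterns used to recognize mailing-list traffic, the "trusted" key flag, and the grace-period parameters are assumptions; the guide names the policies but not their exact matching rules.

```python
"""Added example (not PGP Desktop's code): a first-match policy list for
outgoing mail, the standalone Opportunistic Encryption default, and the
managed-mode offline policy, modelled in plain Python."""
import re
from dataclasses import dataclass
from typing import Callable


@dataclass
class Outgoing:
    recipient: str
    encrypt_button: bool = False   # Outlook toolbar buttons (Windows only)
    sign_button: bool = False


@dataclass
class Policy:
    name: str
    matches: Callable[[Outgoing], bool]
    action: str   # "encrypt+sign" | "sign" | "encrypt" | "clear" | "opportunistic"


# Assumed address patterns for mailing-list traffic; the guide names the
# policies but does not document the exact matching rules.
LIST_ADMIN = re.compile(r"^[^@]+-(request|subscribe|unsubscribe|owner)@", re.I)
LIST_POST = re.compile(r"^[^@]+@lists\.", re.I)

# Evaluated top to bottom; the first policy that matches wins.
DEFAULT_POLICIES = [
    Policy("Encrypt and Sign Buttons", lambda m: m.encrypt_button and m.sign_button, "encrypt+sign"),
    Policy("Sign Button", lambda m: m.sign_button, "sign"),
    Policy("Encrypt Button", lambda m: m.encrypt_button, "encrypt"),
    Policy("Mailing List Admin Requests", lambda m: bool(LIST_ADMIN.match(m.recipient)), "clear"),
    Policy("Mail List Submissions", lambda m: bool(LIST_POST.match(m.recipient)), "sign"),
    Policy("Opportunistic Encryption", lambda m: True, "opportunistic"),   # catch-all
]


def first_match(policies, msg):
    for p in policies:
        if p.matches(msg):
            return p
    raise LookupError("no policy matched")   # the defaults end with a catch-all


def standalone_action(msg, local_keys, directory_keys, policies=DEFAULT_POLICIES):
    """(policy name, action) for a standalone client. local_keys and
    directory_keys map recipient -> 'trusted' | 'untrusted' (assumed shape)."""
    p = first_match(policies, msg)
    if p.action != "opportunistic":
        return p.name, p.action
    # Opportunistic Encryption: local keyring first, then the PGP Global
    # Directory; only a key marked trusted counts. Otherwise send in the clear.
    for source in (local_keys, directory_keys):
        if source.get(msg.recipient) == "trusted":
            return p.name, "encrypt"
    return p.name, "clear"


def managed_action(msg, server_reachable, server_decision=None, *, offline_policy="block",
                   offline_seconds=0, grace_seconds=0, after_grace="same",
                   local_keys=None, directory_keys=None, ask_user=lambda: False):
    """Managed client. When the PGP Universal Server is reachable its decision
    wins; otherwise the administrator's offline policy applies ('block', 'clear'
    or 'standalone'), and once offline longer than grace_seconds the after_grace
    rule ('block' or 'same') takes over. ask_user() stands in for the prompt."""
    if server_reachable:
        return "server", server_decision
    policy = "block" if (offline_seconds > grace_seconds and after_grace == "block") else offline_policy
    if policy == "block":
        return "offline", "block"        # the mail client may queue it until the server is back
    if policy == "clear":
        return "offline", "clear" if ask_user() else "block"
    if policy == "standalone":
        return "offline", standalone_action(msg, local_keys or {}, directory_keys or {})[1]
    raise ValueError(f"unknown offline policy {policy!r}")


if __name__ == "__main__":
    # Constructed keyrings: not real addresses or keys.
    local = {"alice@example.com": "trusted"}
    directory = {"bob@example.net": "trusted", "carol@example.org": "untrusted"}
    for rcpt in ("alice@example.com", "bob@example.net", "carol@example.org",
                 "dev-request@lists.example.org", "dev@lists.example.org"):
        print(rcpt, "->", standalone_action(Outgoing(rcpt), local, directory))
    print("offline, past grace:", managed_action(Outgoing("alice@example.com"), False,
          offline_policy="standalone", offline_seconds=7200, grace_seconds=3600,
          after_grace="block", local_keys=local))
```

Because evaluation stops at the first match, the order of the list is itself part of the policy: a broad rule placed above a narrow one silently shadows it, which is worth checking whenever a custom policy is added.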