THE INFORMATION IN THIS ARTICLE APPLIES TO:
- EFT 7.4.x and earlier
- Does NOT apply to EFT v8 or later
QUESTION
How can I import PGP Desktop 8, 9, or GnuPG (GPG) created PGP key pairs into EFT Server?
ANSWER
PGP Keys created using PGP Desktop 8+ or the later versions of GnuPG will not work in EFT Server without first re-encoding the key’s private key passphrase. The re-encoding process consists of:
- Exporting the private and public key pair from PGP Desktop or GnuPG
- Removing the passphrase in the key (set the key to use a blank passphrase)
- Recreating the passphrase for the private key in a format that EFT Server supports.
Tools like PGP Desktop allow you to remove the passphrase PRIOR to exporting the key. This is preferable and minimizes the steps required for re-encoding the key’s passphrase.
Prerequisites
- PGPConvert.txt. The utility used to re-encode the private key passphrase.
- Cryptoex library. Automatically installed with EFT Server. PGPConvert requires this library to operate.
Optional (Advanced Users):
- Gpg-export.bat. A batch file for manually stripping keys of their passphrase prior to converting them if you did not remove the passphrase PRIOR to exporting the key from PGP Desktop or GPG.
- GnuPG (GPG). A command line tool required by Gpg-export.bat for stripping the passphrase and by PGPConvert.exe if you are using the passphrase stripping feature provided in PGPConvert.exe. For the batch file to work, gpg.exe must be installed, and its environment variables must be registered.
Note:
You should stop the EFT Server service BEFORE running PGPConvert, to avoid locking up EASSER~1.exe, which causes PGPConvert to fail.
Before conversion, the first part of the key looks like this:
-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: PGP Desktop 9.6.2 (Build 2014) - not licensed for commercial use: www.pgp.com
lQOYBEeogAQBCAClDG93ixBeu6/MIFbx5O4Ol5HZ2WPbsXloCLCzsAs…
After conversion, the key looks like this:
-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: CryptoEx 3.0
Comment: CryptoEx Security Software - Desktop Platform v3
xcLrBEeogAQBCAClDG93ixBeu6/MIFbx5O4Ol5HZ2WPbsXloCL…
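The two headers above differ in more than the Version line: the first line of base64 encodes the OpenPGP packet header, and PGP Desktop wrote the secret-key packet with an old-format header while CryptoEx re-wrote it with a new-format header and a different packet length, which is exactly the re-encoding EFT Server needs. The following script is an added example (not Globalscape's code, and not part of PGPConvert) that parses the armor headers and the first packet so an administrator can check which encoding a key file has before importing it. Its sample input is the two fragments shown above, truncated where the article truncates them, so decoding stops at the last complete base64 group and the packet length reported is the length declared in the header, not the length of the fragment.

```python
import base64
import datetime

# Constructed sample input: the fragments printed in the article, truncated as shown there.
# A real exported key continues for many more lines and ends with a checksum and END line.
BEFORE_KEY = """-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: PGP Desktop 9.6.2 (Build 2014) - not licensed for commercial use: www.pgp.com

lQOYBEeogAQBCAClDG93ixBeu6/MIFbx5O4Ol5HZ2WPbsXloCLCzsAs
"""

AFTER_KEY = """-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: CryptoEx 3.0
Comment: CryptoEx Security Software - Desktop Platform v3

xcLrBEeogAQBCAClDG93ixBeu6/MIFbx5O4Ol5HZ2WPbsXloCL
"""

# Packet tags and public-key algorithm ids from RFC 4880 (sections 4.3 and 9.1).
PACKET_TAGS = {2: "Signature", 5: "Secret-Key", 6: "Public-Key", 7: "Secret-Subkey",
               13: "User ID", 14: "Public-Subkey"}
PK_ALGOS = {1: "RSA", 16: "Elgamal", 17: "DSA"}


def parse_armor(text):
    """Return (armor headers, decoded body bytes) for an ASCII-armored block.
    A body cut off mid-way is decoded up to its last complete 4-character group."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN PGP"):
        raise ValueError("not an ASCII-armored OpenPGP block")
    headers = {}
    i = 1
    while i < len(lines) and lines[i].strip():        # header lines run until the blank line
        name, _, value = lines[i].partition(":")
        headers[name.strip()] = value.strip()
        i += 1
    body = "".join(l.strip() for l in lines[i:]
                   if not l.startswith("-----") and not l.startswith("="))  # skip END and CRC lines
    body = body[: len(body) - len(body) % 4]
    return headers, base64.b64decode(body)


def parse_first_packet(data):
    """Decode the first packet header (RFC 4880 section 4.2) and, for a key packet,
    the fixed fields at the start of its body (version, creation time, algorithm, MPI size)."""
    tag_byte = data[0]
    if not tag_byte & 0x80:
        raise ValueError("invalid packet header")
    if tag_byte & 0x40:                                # new-format header: 6-bit tag
        fmt, tag, first = "new", tag_byte & 0x3F, data[1]
        if first < 192:
            length, pos = first, 2
        elif first < 224:
            length, pos = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, pos = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial body lengths not handled")
    else:                                              # old-format header: 4-bit tag + length type
        fmt, tag = "old", (tag_byte >> 2) & 0x0F
        size = {0: 1, 1: 2, 2: 4}.get(tag_byte & 0x03)
        if size is None:
            raise ValueError("indeterminate length not handled")
        length, pos = int.from_bytes(data[1:1 + size], "big"), 1 + size
    info = {"format": fmt, "tag": tag, "name": PACKET_TAGS.get(tag, "unknown"), "length": length}
    if tag in (5, 6, 7, 14):
        body = data[pos:]
        info["key_version"] = body[0]
        info["created"] = datetime.datetime.fromtimestamp(
            int.from_bytes(body[1:5], "big"), datetime.timezone.utc)
        info["algorithm"] = PK_ALGOS.get(body[5], "algo %d" % body[5])
        info["key_bits"] = int.from_bytes(body[6:8], "big")   # bit length of the first MPI (RSA n)
        info["key_material"] = body
    return info


def describe(text):
    """Summarise an exported key file: producer (armor Version) plus first-packet details."""
    headers, data = parse_armor(text)
    info = parse_first_packet(data)
    info["producer"] = headers.get("Version", "")
    return info


def same_key_prefix(a, b):
    """True if the key-packet bodies agree on their common prefix, i.e. the conversion
    re-encoded the packet without touching the public key fields that lead it."""
    ma, mb = describe(a)["key_material"], describe(b)["key_material"]
    n = min(len(ma), len(mb))
    return n > 0 and ma[:n] == mb[:n]


if __name__ == "__main__":
    for label, key in (("before", BEFORE_KEY), ("after", AFTER_KEY)):
        d = describe(key)
        print("%s: %s, %s-format %s packet, declared length %d, v%d %s %d-bit, created %s"
              % (label, d["producer"], d["format"], d["name"], d["length"],
                 d["key_version"], d["algorithm"], d["key_bits"], d["created"].date()))
    print("same leading key material:", same_key_prefix(BEFORE_KEY, AFTER_KEY))
```

Run against the two fragments, the script reports an old-format Secret-Key packet of 920 bytes for the PGP Desktop export and a new-format Secret-Key packet of 939 bytes for the CryptoEx output, with the same 2048-bit RSA key fields behind both headers; a key file whose first packet still reports the old format and the original producer has not been through PGPConvert.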
To convert a key using PGPConvert
- Export your key pair from your PGP application.
- It is recommended that you first blank out the passphrase prior to performing the export.
- Make sure you include the private key when exporting.
- Always export to ASCII (Save as ASCII Key File (*.asc)).
- Launch PGPConvert.exe.
- Select the PGP application used to create your key (PGP Desktop or Gnu GPG). If you select GPG, you should also specify the path to GPG.exe.
- If you removed the password prior to exporting, then check the None option.
- Type the path to the key file you exported in step 1.
- Type the desired passphrase and confirm it.
- Click Convert. The message "Conversion successful!" should appear.
- Now launch EFT Server and select your Site.
- On the OpenPGP Security tab, click Launch OpenPGP Keyring.
- Click Import and then select the .asc file you just converted.
- Back on the OpenPGP Security tab, select the newly imported key in the Default Site key pair drop down.
You can now encrypt and decrypt files (based on event rule triggers) using the key you exported from PGP Desktop or GPG.
Advanced Users:
The file gpg-export.bat does the following to manually blank out the GPG key passphrase:
- Export the key to an ASCII armored file: (Include quotation marks.)
gpg --armor --export "Key Display Name" > "c:\Key.asc"
gpg --armor --export-secret-keys "Key Display Name" >> "c:\Key.asc"
- Import keys in a temporary keyring: (Include quotation marks.)
gpg --keyring "temp.pkr" --secret-keyring "temp.skr" --no-default-keyring --import "c:\key.asc"
- Set password to blank: (Include quotation marks.)
gpg --keyring "temp.pkr" --secret-keyring "temp.skr" --no-default-keyring --edit-key "Display Name" passwd save
(The command above asks for the old and new password. For new password, press ENTER. Then it will ask to repeat the password; again press ENTER. Finally it will ask if you want to keep the old password; type Y.)
- Export Key: (Include quotation marks.)
gpg --keyring "temp.pkr" --secret-keyring "temp.skr" --no-default-keyring --armor --export "Display Name" > "c:\key.asc"
gpg --keyring "temp.pkr" --secret-keyring "temp.skr" --no-default-keyring --armor --export-secret-keys "Display Name" >> "c:\key.asc"
- Delete the key from temporary keyring (Include quotation marks.)
gpg --keyring "temp.pkr" --secret-keyring "temp.skr" --no-default-keyring --delete-secret-and-public-keys "Display Name"