Once a key is split among multiple shareholders, attempting to sign or decrypt with it causes PGP to automatically attempt to rejoin the key. There are two ways to rejoin the key: locally and remotely.
Rejoining key shares locally requires the shareholders' presence at the rejoining computer. Each shareholder is required to enter the passphrase for their key share.
Rejoining key shares remotely requires the remote shareholders to authenticate and decrypt their keys before sending them over the network.
PGP's Transport Layer Security (TLS) provides a secure link to transmit key shares which allows multiple individuals in distant locations to securely sign or decrypt with their key share.
IMPORTANT: Before receiving key shares over the network, you should verify each shareholder’s fingerprint and sign their public key to ensure that their authenticating key is legitimate. To learn how to verify a keypair, see “Verify with a digital fingerprint” on page 69.
To rejoin a split key
1. Contact each shareholder of the split key. To rejoin key shares locally, the shareholders of the key must be present.
To collect key shares over the network, ensure that the remote shareholders are prepared to send their key share file. Remote shareholders must have:
– their key share file and password
– a keypair (for authentication to the computer that is collecting the key shares)
– a network connection
– the IP address or Domain Name of the computer that is collecting the key shares
2. At the rejoining computer, use Windows Explorer to select the file(s) that you want to sign or decrypt with the split key.
3. Right-click on the file(s) and select Sign or Decrypt from the PGP menu.
The PGP Enter Passphrase for Selected Key dialog box appears with the split key selected.
4. Click OK to reconstitute the selected key.
The Key Share Collection dialog box appears, as shown in Figure 3-13.
Figure 3-13. Key Share Collection dialog box
5. Do one of the following:
• If you are collecting the key shares locally, click Select Share File and then locate the share files associated with the split key. The share files can be collected from the hard drive, a floppy disk, or a mounted drive. Continue with Step 6.
• If you are collecting key shares over the network, click Start Network.
The Passphrase dialog box opens. In the Signing Key box, select the keypair that you want to use for authentication to the remote system and enter the passphrase. Click OK to prepare the computer to receive the key shares.
The status of the transaction is displayed in the Network Shares box. When the status changes to “Listening,” the PGP application is ready to receive the key shares.
At this time, the shareholders must send their key shares. To learn how to send key shares to the rejoining computer, see “To send your key share over the network” on page 59.
When a share is received, the Remote Authentication dialog box appears, as shown in Figure 3-14.
Figure 3-14. Remote Authentication dialog box
If you have not signed the key that is being used to authenticate the remote system, the key will be considered invalid. Although you can rejoin the split key with an invalid authenticating key, it is not recommended. You should verify each shareholder’s fingerprint and sign their public key to ensure that the authenticating key is legitimate.
Click Confirm to accept the share file.
6. Continue collecting key shares until the value for Total Shares Collected matches the value for Total Shares Needed in the Key Share Collection dialog box.
7. Click OK.
The file is signed or decrypted with the split key.
To send your key share over the network
1. When you are contacted by the person who is rejoining the split key, make sure that you have these items:
– your key share file and password
– your keypair (for authentication to the computer that is collecting the key shares)
– a network connection
– the IP address or Domain Name of the rejoining computer collecting the key shares
2. Select Send Key Shares on the PGPkeys File menu.
The Select Share File dialog box appears.
3. Locate your key share and then click Open.
The PGP Enter Passphrase dialog box appears.
4. Enter your passphrase and then click OK.
The Send Key Shares dialog box appears, as shown in Figure 3-15.
Figure 3-15. Send Key Shares dialog box
5. Enter the IP address or the Domain Name of the rejoining computer in the Remote Address text box, then click Send Shares.
The status of the transaction is displayed in the Network Status box.
When the status changes to “Connected,” you are asked to authenticate yourself to the rejoining computer.
The Remote Authentication dialog box appears, asking you to confirm that the remote computer is the one to which you want to send your key share.
6. Click Confirm to complete the transaction.
After the remote computer receives your key shares and confirms the transaction, a message box appears stating that the shares were successfully sent.
7. Click OK.
8. Click Done in the Key Shares window when you have completed sending your key share.
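The following is an added illustration of the two procedures above (collecting shares on the rejoining computer, and a shareholder sending a share); it is not PGP's own code. This page does not describe PGP's share file format or its splitting algorithm, so Shamir's secret sharing over a prime field stands in for it, and that substitution is an assumption. The class and function names, the fingerprint strings and the secret value are all constructed for the example. The collection side applies the IMPORTANT note above as a hard rule: a share whose authenticating key the rejoining user has not signed is refused rather than merely flagged invalid, and reconstitution is only attempted once Total Shares Collected reaches Total Shares Needed.

```python
# Added example, not PGP's own code. This page does not describe PGP's share
# format or splitting algorithm, so Shamir's secret sharing over a prime field
# stands in for it (assumption). Names, fingerprints and the secret are constructed.
import secrets
from dataclasses import dataclass, field

PRIME = 2**127 - 1  # field modulus; the secret must be smaller than this


def split_secret(secret: int, needed: int, total: int) -> list[tuple[int, int]]:
    """Split `secret` into `total` shares; any `needed` of them reconstruct it."""
    if not 1 <= needed <= total or not 0 <= secret < PRIME:
        raise ValueError("bad threshold or secret out of range")
    # Random polynomial of degree needed-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(needed - 1)]
    shares = []
    for x in range(1, total + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def rejoin(shares: list[tuple[int, int]]) -> int:
    """Lagrange interpolation at x = 0 recovers the constant term (the secret)."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret


@dataclass
class Shareholder:
    """What a remote shareholder sends: their share plus the key they authenticate with."""
    name: str
    auth_fingerprint: str  # fingerprint of the shareholder's authenticating keypair (constructed)
    share: tuple[int, int]


@dataclass
class KeyShareCollection:
    """The rejoining computer's side of the Key Share Collection workflow."""
    needed: int
    signed_fingerprints: set[str]  # authenticating keys this user has verified and signed
    collected: list[tuple[int, int]] = field(default_factory=list)
    rejected: list[str] = field(default_factory=list)

    def receive(self, holder: Shareholder) -> bool:
        """Remote Authentication step: accept a share only from a signed key."""
        if holder.auth_fingerprint not in self.signed_fingerprints:
            self.rejected.append(holder.name)  # PGP would show this key as invalid; refused here
            return False
        if holder.share in self.collected:
            return False  # a duplicate share does not count towards the total
        self.collected.append(holder.share)
        return True

    def status(self) -> tuple[int, int]:
        """(Total Shares Collected, Total Shares Needed)."""
        return len(self.collected), self.needed

    def reconstitute(self) -> int:
        """Step 6/7: only rejoin once enough distinct shares have been collected."""
        if len(self.collected) < self.needed:
            raise ValueError(f"need {self.needed} shares, have {len(self.collected)}")
        return rejoin(self.collected[: self.needed])


def demo() -> dict:
    """Walk through a 2-of-3 split in which one unsigned shareholder is refused."""
    secret = int.from_bytes(b"constructed key", "big")  # stands in for the real key material
    shares = split_secret(secret, needed=2, total=3)
    # The rejoining user has verified and signed alice's and bob's keys, but not carol's.
    collection = KeyShareCollection(needed=2, signed_fingerprints={"FP-ALICE", "FP-BOB"})
    alice = Shareholder("alice", "FP-ALICE", shares[0])
    carol = Shareholder("carol", "FP-CAROL", shares[1])  # unsigned key: share refused
    bob = Shareholder("bob", "FP-BOB", shares[2])
    results = [collection.receive(h) for h in (alice, carol, bob)]
    return {
        "accepted": results,
        "status": collection.status(),
        "rejected": collection.rejected,
        "recovered": collection.reconstitute() == secret,
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints the outcome of the 2-of-3 walk-through: alice's and bob's shares are accepted, carol's is refused because her authenticating key was never signed, the status reads (2, 2), and the reconstituted value matches the original secret. Any two of the three shares suffice, which is why the order in which shareholders send their shares does not matter.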