
Best practice for PGP private key management

Posted: 11/15/2012 18:28:52
by Marcus W (Basic support level)
Joined: 11/15/2012
Posts: 2


I am currently using the SecureBlackbox Data Security .NET edition in a C# Windows Service that will decrypt incoming PGP-encrypted files from a 3rd party.

At present the service is working as expected, but is loading the PGP private key from the filesystem of the machine that the service is running on. My current code is as follows:

var pgpReader = new TElPGPReader();

var key = new TElPGPSecretKey();
var pubkey = new TElPGPPublicKey();

var keyRing = new TElPGPKeyring();

pgpReader.DecryptingKeys = keyRing;
pgpReader.KeyPassphrase = "passphrase";


The following page has this to say:

With SecureBlackbox you can create, manage and convert OpenPGP keys without the need for external key management software.

OpenPGPBlackbox package includes functions that let you generate and manage OpenPGP keys and keyrings. Using these functions you can build your own PGP key management applications.

What is the best practice for the management of PGP keyfiles and keyrings? I'm not happy to have my PGP private key sitting unsecured on the filesystem of a Windows server, ready for any intruder to find and copy.

A check of the Knowledge Base finds an article that focuses on loading private keys from the file system:

Is generating an X.509 certificate from the PGP key pair a preferred option, with SecureBlackbox calling the TElPGPSecretKey.AssignFromX509() method to load it?

Posted: 11/15/2012 23:52:09
by Ken Ivanov (EldoS Corp.)

Hello Marcus,

Thank you for your interest in our products.

Indeed, a correct approach to storing private keys securely is vital for an application to be secure. The OpenPGP standard addresses this task with encryption of private key material. The encryption keys are generated from the key password you enter upon keypair generation. This way, even though an intruder may steal your secret keyring files, they will be unable to recover the private keys as they need to know the passwords to decrypt them.

Still, password-based encryption is subject to some serious cons, the most important of which are that key passwords need to be robust to provide good protection (be long and not contain dictionary words), and that the passwords themselves should be kept secure. The latter is especially important if you are building an automated environment where passwords would be generated and managed by software. In this case, the means provided by the operating system (SSO, protected storage) might help a lot.

There is also an option of keeping private keys on hardware security modules (HSMs). However, most HSMs on the market do not support the DSS and Elgamal algorithms, so you will be limited to RSA keypairs.

Finally, there is virtually no difference between OpenPGP keys and X.509 certificates from the point of view of key material security. Private keys associated with certificates, just like OpenPGP private keys, are encrypted with passwords and are subject to the same security approach.

Posted: 11/18/2012 22:04:37
by Marcus W (Basic support level)
Joined: 11/15/2012
Posts: 2

Hello Innokentiy,

Thank you for your clarification - the use of the password to secure the private key file was something I had overlooked (in my example, the passphrase is hardcoded, not input at runtime, so I missed it).

The clarification in regards to OpenPGP keys and X.509 certificates was also of assistance - from here I am more confident as to the service I am building.
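
One way to apply the "protected storage" suggestion from the reply above, so the passphrase is no longer hardcoded in the service: seal it with Windows DPAPI and unseal it at start-up. This is an added example, not part of the original thread and not EldoS code; the PassphraseStore class, the file path and the entropy string are hypothetical, and it assumes the service runs under a dedicated account with its user profile loaded.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;   // ProtectedData (DPAPI); reference System.Security
using System.Text;

// Added example: keeps the key passphrase out of source code by sealing it with DPAPI.
static class PassphraseStore
{
    // Hypothetical location; restrict the file's ACL to the service account.
    const string BlobPath = @"C:\ProgramData\PgpService\passphrase.bin";

    // Extra entropy mixed into the DPAPI protection (application-specific, not a secret).
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("PgpService.KeyPassphrase.v1");

    // Run once, under the service account, e.g. from an installer or admin tool.
    public static void Save(string passphrase)
    {
        byte[] plain = Encoding.UTF8.GetBytes(passphrase);
        try
        {
            byte[] sealedBlob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser);
            Directory.CreateDirectory(Path.GetDirectoryName(BlobPath));
            File.WriteAllBytes(BlobPath, sealedBlob);
        }
        finally
        {
            Array.Clear(plain, 0, plain.Length);   // do not leave the plaintext bytes around
        }
    }

    // Called by the service at start-up. Throws CryptographicException if the blob
    // was copied to another machine or is read under a different account.
    public static string Load()
    {
        byte[] sealedBlob = File.ReadAllBytes(BlobPath);
        byte[] plain = ProtectedData.Unprotect(sealedBlob, Entropy, DataProtectionScope.CurrentUser);
        try
        {
            return Encoding.UTF8.GetString(plain);
        }
        finally
        {
            Array.Clear(plain, 0, plain.Length);
        }
    }
}

// In the service, instead of the hardcoded literal:
//   pgpReader.KeyPassphrase = PassphraseStore.Load();
```

A stolen copy of the keyring plus the sealed blob is not enough to decrypt the key off the machine, but any code running as the service account can still call Unprotect, so the account itself has to be locked down.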


