McAfee MEJCAE-AM-DA Product Guide - Page 22
Creating subkeys, Creating a key pair on a smart card, To create an encryption subkey
Creating and Exchanging Keys

Creating a key pair

We recommend that you use the --key-export command option to copy your new public key from your public keyring and place it in a separate public key file suitable for distribution to your friends. The public key file can be sent to your friends for inclusion in their public keyrings. For more information, see Exchanging keys with others on page 24.

Creating subkeys

Note: RSA Legacy keys do not support subkeys.

Every key is actually two keys: a signing key and an encryption subkey. E-Business Server provides the ability to create and revoke new encryption keys without sacrificing your master signing key and the signatures collected on it.

One of the most common uses for this feature is to create multiple subkeys that are set to be used during different periods of the key's lifetime. For example, if you create a key that will expire in three years, you might also create 3 subkeys and use each of them for one of the years in the lifetime of the key. This can be a useful security measure and provides an automatic way to periodically switch to a new encryption key without having to recreate and distribute a new public key.

Note: To avoid confusion later, do not overlap the validity periods of your subkeys.

To create an encryption subkey:

1 Enter the following on the command line:
  ebs --key-gen --subkey
2 Enter the user ID for the existing master key. For example:
  [email protected]
3 Enter the passphrase for the existing master key.
4 Choose a size for the encryption subkey, or enter the desired key size in bits.
  • Enter 1 to select a key size of 1024 bits.
  • Enter 2 to select a key size of 2048 bits.
  • Enter 3 to create a key of 3072 bits.
  • Enter any key size you want between 1024 bits and 4096 bits.
5 If prompted, enter random data to use for the key generation process.

E-Business Server creates the subkey. For information on viewing keys, see Viewing your keys on page 28.
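The rotation schedule described above (one encryption subkey per year of a three-year master key, with no overlapping validity periods), as an added example that is not part of the product guide or of E-Business Server: a small Python script that splits a master key's lifetime into back-to-back subkey validity windows, checks a proposed schedule for the overlaps and gaps the note warns against, and reports which subkey should be in use on a given date. All dates are constructed, and the script does not invoke the ebs command; it only plans and validates the dates you would apply when generating each subkey.

```python
"""Plan and validate non-overlapping encryption-subkey validity periods.

Added example for splitting a master key's lifetime across several
subkeys.  Dates are ISO-8601 strings, and every window is half-open:
[start, end), so the end date of one subkey is the start date of the next.
This is illustration code, not part of E-Business Server.
"""
from datetime import date, timedelta


def _parse(iso_day: str) -> date:
    """Parse an ISO-8601 calendar date such as '2025-01-01'."""
    return date.fromisoformat(iso_day)


def plan_subkeys(master_created: str, master_expires: str, count: int):
    """Split the master key's lifetime into `count` back-to-back windows.

    Each window starts the day the previous one ends, so no two subkeys are
    valid at once and there is no day without a usable encryption subkey.
    Returns a list of (start, end) ISO date pairs.
    """
    created, expires = _parse(master_created), _parse(master_expires)
    if count < 1 or expires <= created:
        raise ValueError("need at least one subkey and a positive master lifetime")
    total_days = (expires - created).days
    windows = []
    start = created
    for i in range(1, count + 1):
        # Cumulative integer division keeps the last window ending exactly
        # on the master expiry date and spreads any remainder days evenly.
        end = created + timedelta(days=total_days * i // count)
        windows.append((start.isoformat(), end.isoformat()))
        start = end
    return windows


def check_subkeys(windows, master_created: str, master_expires: str):
    """Return a list of problems found in a proposed schedule.

    Reported problems: empty or inverted windows, windows that extend past
    the master key's own lifetime, overlapping windows (the case the guide's
    note warns about) and gaps with no valid subkey.  An empty list means
    the schedule is sound.
    """
    created, expires = _parse(master_created), _parse(master_expires)
    ordered = sorted((_parse(s), _parse(e)) for s, e in windows)
    problems = []
    for start, end in ordered:
        if end <= start:
            problems.append(f"empty or inverted window {start}..{end}")
        if start < created or end > expires:
            problems.append(f"window {start}..{end} exceeds master key lifetime")
    for (s1, e1), (s2, e2) in zip(ordered, ordered[1:]):
        if s2 < e1:
            problems.append(f"overlap: {s1}..{e1} and {s2}..{e2}")
        elif s2 > e1:
            problems.append(f"gap: no subkey valid between {e1} and {s2}")
    return problems


def active_subkey(windows, on: str):
    """Zero-based index of the subkey to use on a date, or None if no window
    covers it (for example after the master key has expired)."""
    day = _parse(on)
    for i, (start, end) in enumerate(windows):
        if _parse(start) <= day < _parse(end):
            return i
    return None


if __name__ == "__main__":
    # Constructed dates: a master key created 2025-01-01 that expires after
    # three years, split into three one-year encryption subkeys.
    created, expires = "2025-01-01", "2028-01-01"
    plan = plan_subkeys(created, expires, 3)
    for n, (s, e) in enumerate(plan, 1):
        print(f"subkey {n}: valid from {s} until {e}")
    print("problems:", check_subkeys(plan, created, expires) or "none")
    print("subkey in use on 2026-06-15:", active_subkey(plan, "2026-06-15") + 1)
```

Windows are half-open on purpose: if you instead let each subkey run until the day the next one starts inclusive, the two keys are both valid for that day, which is exactly the overlap the note tells you to avoid, and `check_subkeys` will flag it. On the key sizes offered in step 4, note that 1024-bit RSA has been considered inadequate for new keys for well over a decade; choose 2048 bits or more for any new subkey.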
Creating a key pair on a smart card

Note: This section applies to Windows installations only, and assumes that you have a supported smart card reader installed with appropriate driver software.

You can create and store your keys on a smart card and access them using a PIN number rather than a passphrase. The smart card has the added protection of being with you at all times; a key on a smart card is less vulnerable than the same key stored on your computer.

The private portion of your key pair never leaves your smart card; it is non-exportable. Therefore, decryption and signing operations take place directly on the card. The exception to this would be if you generate a key pair on your desktop, rather than on the card, and then copy the key pair to your card.

Before you can generate a key on a smart card, you must specify the smart card type using the SMARTCARD-TYPE parameter in the E-Business Server configuration file or by setting it on the command line using --smartcard-type. For more information, see SMARTCARD-TYPE on page 105.

E-Business Server™ 8.6 Product Guide 20