
Draft: Kleopatra: Create Group key
Open, Normal, Public

Description

Especially for functional mail addresses people often share secret keys. As there is no easy way to do this the sane way (i.e. share only subkeys) a lot of people share the whole key.
To make the seemingly inevitable sharing of secret keys more secure, we want to introduce a simple Create Team Key action.

Implementation

Add a file menu item "New OpenPGP Role Key Pair..." after the "New OpenPGP Key Pair ..." entry.
This just calls the default key creation dialog with an option to generate a "Role Key".
A certificate with separate "certify" and "sign" and encryption subkeys is generated.
After generation the user is offered to "Share Secret Role Key ...".

"Save Secret Role Key..." is also a menu entry after "File"->"Export...".
This menu entry is only available if the primary key has only the capability "certify".
The function could be a specialized version of the "Backup Secret Keys..." function.
Choosing this function will open a dialog:

The following subkeys will be exported to a file.
This file can be shared with team members who need to be able to open messages that are encrypted for that group.

   -  all public subkeys
   -  secret encryption subkey
  [ ] secret signing subkey
  
Please choose if the team members shall be able to sign messages with the team key.
They can sign messages with their personal private key instead. 

                                   [OK]  [Cancel]
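
An added example, not part of the original task or of Kleopatra's code: a sketch of the check described above (offer the entry only when the primary key is certify-only) and of the dialog's subkey selection, run over a constructed `gpg --with-colons` listing. The function names and the use of `gpg --export-secret-subkeys FPR!` as a by-hand equivalent are assumptions.

```python
# Constructed sample in the format of `gpg --list-secret-keys --with-colons`;
# fingerprints and user IDs are made up. Field 12 holds the capabilities.
P, S, E, Q = "A" * 40, "B" * 40, "C" * 40, "D" * 40
SAMPLE = f"""\
sec:u:255:22:{P[-16:]}:1742554140:::u:::cESC:::+:::ed25519:::0:
fpr:::::::::{P}:
uid:u::::1742554140::::Support Team <support@example.org>::::::::::0:
ssb:u:255:22:{S[-16:]}:1742554140::::::s:::+:::ed25519::
fpr:::::::::{S}:
ssb:u:255:18:{E[-16:]}:1742554140::::::e:::+:::cv25519::
fpr:::::::::{E}:
sec:u:255:22:{Q[-16:]}:1742554140:::u:::scSC:::+:::ed25519:::0:
fpr:::::::::{Q}:
"""

def parse_keys(listing):
    """Return one dict per key: own capabilities, fingerprint, subkeys."""
    keys, current, target = [], None, None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("sec", "pub"):
            # Lowercase letters are the primary key's own capabilities.
            target = current = {"caps": {c for c in f[11] if c.islower()}, "fpr": None, "subkeys": []}
            keys.append(current)
        elif f[0] in ("ssb", "sub") and current:
            target = {"caps": set(f[11]), "fpr": None}
            current["subkeys"].append(target)
        elif f[0] == "fpr" and target and target["fpr"] is None:
            target["fpr"] = f[9]
    return keys

def is_role_key(key):
    """Condition from the task: the primary key has only the 'certify' capability."""
    return key["caps"] == {"c"}

def subkeys_to_save(key, include_signing=False):
    """Fingerprints of the secret subkeys the dialog would write to the file."""
    if not is_role_key(key):
        raise ValueError("primary key is not certify-only")
    wanted = {"e", "s"} if include_signing else {"e"}
    return [sk["fpr"] for sk in key["subkeys"] if sk["caps"] & wanted]

def export_command(key, include_signing=False):
    """gpg argv exporting only the chosen secret subkeys (assumed by-hand equivalent)."""
    selected = subkeys_to_save(key, include_signing)
    return ["gpg", "--export-secret-subkeys"] + [fpr + "!" for fpr in selected]

if __name__ == "__main__":
    print(export_command(parse_keys(SAMPLE)[0]))
```

The secret part of the certify-only primary key is never selected, so it stays with whoever created the role key.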

Event Timeline

ebo triaged this task as Normal priority. Mar 21 2025, 11:29 AM
ebo created this task.
ebo created this object with edit policy "Contributor (Project)".

Discussion and background for naming things and German translation

We want to avoid "group" to not confuse with Kleo groups.

German translations:

  • "New OpenPGP Role Key Pair..." → "Neues OpenPGP-Funktions-Schlüsselpaar ..."

Options for naming the "Save Secret Role Key..." menu entry:

  • "Share Secret Role Key..." → "Teile geheimen Funktions-Schlüssel ..."
    • When using "share", it may not be clear to the user that a file is being created.
    • We also wanted to avoid "export", because it is used for public keys only.
    • We also want this to be distinguished from "backup", which is used for saving the whole key.
  • "Save Secret Role Key for sharing..." → "Speichern des geheimen Funktionsschlüssels zur gemeinsamen Nutzung ..."
    • This might be too long (especially the German version) for a menu entry.
  • "Save Secret Role Key for sharing..." → "Speichern des zu teilenden geheimen Funktionsschlüssels ..."
    • Probably still too long.
  • "Save Secret Role Key..." → "Speichern des geheimen Funktionsschlüssels ..."
    • with a tool-tip: "Save secret role key to share within the team" → "Speichern des geheimen Funktionsschlüssels zum Teilen innerhalb des Teams"
    • Seems to be the best option we have found so far.

Suggestions (language):

engl. Menu Entry: Save Secret Team Key
Tooltip: Save this secret key to share with other team members.

German menu entry: Geheimen Team-Schlüssel speichern
Tooltip: Geheimen Schlüssel speichern und mit Team teilen.

Dialog: Save Secret Team Key
Text: The following subkeys will be saved to a file.
This file can be shared with team members who need to read messages encrypted for this functional mailbox.

  • All public subkeys
  • Secret encryption subkey
  • Secret signing subkey

Please choose whether team members should be allowed to sign messages using the team key.
Alternatively, they can use their personal key to sign.
[OK] [Cancel]

German version: Geheimen Team-Schlüssel speichern
Text: Die folgenden Unterschlüssel werden in einer Datei gespeichert.
Diese Datei kann an Teammitglieder weitergegeben werden, die verschlüsselte Nachrichten an dieses Funktionspostfach lesen müssen.
(shorter version: Für Teammitglieder zum Lesen verschlüsselter Nachrichten an Funktionspostfach.)

  • Alle öffentlichen Unterschlüssel
  • Geheimer Verschlüsselungs-Unterschlüssel
  • Geheimer Unterschlüssel zum Signieren

Wählen Sie, ob Teammitglieder Nachrichten mit dem Funktionsschlüssel signieren dürfen.
Alternativ können sie ihre persönlichen Schlüssel dafür nutzen.
[OK] [Cancel]

Tooltip: Save this secret key to share with other team members.
German menu entry: Geheimen Team-Schlüssel speichern
Tooltip: Geheimen Schlüssel speichern und mit Team teilen.

The EN version is good but the DE one does neither match nor give correct info IMHO. I'd rather just repeat the menu entry text before doing that.
How about these alternatives:
"Den geheimen Schlüssel speichern, um ihn mit dem Team zu teilen."
"Speichern, um ihn mit dem Team zu teilen."
"Team-Schlüssel zum internen Teilen abspeichern."
"Den geheimen Team-Schlüssel zum internen Teilen abspeichern." (my preferred version)

For tool tips full sentences are usually preferred, I believe.

"Geheimen Team-Schlüssel zum internen Teilen abspeichern." is grammatically correct, but it sounds very formal and clunky for a UI tooltip. It lacks clarity, therefore I suggest:

"Diesen geheimen Schlüssel speichern, um ihn mit Teammitgliedern zu teilen." -> that is then very close to the English version :)