
Draft: Kleopatra: Create Group key
Open, Normal, Public

Description

Especially for functional (shared) mail addresses, people often share secret keys. As there is no easy way to do this the sane way (i.e. share only the subkeys, never the primary key), a lot of people share the whole key.
To make the seemingly inevitable sharing of secret keys more secure, we want to introduce a simple Create Team Key action.

Implementation

Add a File menu item "New OpenPGP Role Key Pair..." after the "New OpenPGP Key Pair..." entry.
This just calls the default key creation dialog with an option to generate a "Role Key".
A certificate is generated whose primary key has only the "certify" capability, with separate signing and encryption subkeys.
After generation the user is offered to "Share Secret Role Key...".

"Save Secret Role Key..." is also a menu entry after "File"->"Export...".
This menu entry is only available if the primary key has only the "certify" capability, i.e. for keys with the role-key structure, where all signing and encryption is done by subkeys.
The function could be a specialized version of the "Backup Secret Keys..." function.
Choosing this function will open a dialog:

The following subkeys will be exported to a file.
This file can be shared with team members who need to be able to open messages that are encrypted for that group.

   -  all public subkeys
   -  secret encryption subkey
  [ ] secret signing subkey
  
Please choose whether the team members shall be able to sign messages with the team key.
They can sign messages with their personal private key instead.

                                   [OK]  [Cancel]
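Added example (not Kleopatra or GnuPG code): a check to run on the file produced by such a "save for sharing" step before it leaves the machine. gpg's --export-secret-subkeys replaces the primary secret key with a GNU stub (S2K mode 1001), and the dialog above promises the same shape: public subkeys, the secret encryption subkey, optionally the secret signing subkey, never the secret certify key. The script walks the OpenPGP packet stream (RFC 4880 framing), classifies every key packet, and refuses a file that carries primary secret material or an unprotected secret subkey. The sample files at the bottom are constructed with filler key material and the example user ID "Sales Team <sales@example.org>", not real keys; only v4 key packets are handled, and sign/encrypt capabilities are not read (they sit in the binding signatures, which the script skips), so subkeys are reported by algorithm number only.

```python
"""Audit an exported OpenPGP key file before handing it to a team: classify each
key packet as public-only, passphrase-protected secret, unprotected secret, or a
GNU stub (S2K mode 1001, what gpg --export-secret-subkeys writes in place of the
primary secret key). v4 key packets only; key flags live in binding signatures."""
from collections import namedtuple

SECRET_KEY, PUBLIC_KEY, SECRET_SUBKEY, USER_ID, PUBLIC_SUBKEY = 5, 6, 7, 13, 14
KEY_TAGS = (SECRET_KEY, PUBLIC_KEY, SECRET_SUBKEY, PUBLIC_SUBKEY)
KeyPacket = namedtuple("KeyPacket", "tag algo material")  # material: public|stub|protected|unprotected

def iter_packets(data: bytes):
    """Yield (tag, body); old-format headers (gpg's choice for key packets) and new-format ones."""
    pos = 0
    while pos < len(data):
        ctb, pos = data[pos], pos + 1
        if not ctb & 0x80:
            raise ValueError(f"no packet header at offset {pos - 1} (armored input?)")
        if ctb & 0x40:                                    # new format
            tag, b0, pos = ctb & 0x3F, data[pos], pos + 1
            if b0 < 192:
                length = b0
            elif b0 < 224:
                length, pos = ((b0 - 192) << 8) + data[pos] + 192, pos + 1
            elif b0 == 255:
                length, pos = int.from_bytes(data[pos:pos + 4], "big"), pos + 4
            else:
                raise ValueError("partial body length in a key file")
        else:                                             # old format
            tag, n = (ctb >> 2) & 0x0F, (1, 2, 4, None)[ctb & 3]
            if n is None:
                raise ValueError("indeterminate packet length")
            length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
        yield tag, data[pos:pos + length]
        pos += length

def skip_public_fields(body: bytes, pos: int, algo: int) -> int:
    n_mpi = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4, 18: 1, 19: 1, 22: 1}.get(algo)
    if n_mpi is None:
        raise ValueError(f"unsupported public-key algorithm {algo}")
    if algo in (18, 19, 22):
        pos += 1 + body[pos]                              # length-prefixed curve OID
    for _ in range(n_mpi):                                # MPI: 2-byte bit count, then the bytes
        pos += 2 + (int.from_bytes(body[pos:pos + 2], "big") + 7) // 8
    if algo == 18:
        pos += 1 + body[pos]                              # ECDH KDF parameters
    return pos

def parse_key_packet(tag: int, body: bytes) -> KeyPacket:
    if body[0] != 4:
        raise ValueError(f"only v4 key packets are handled, got v{body[0]}")
    algo = body[5]
    pos = skip_public_fields(body, 6, algo)               # after version, 4-byte timestamp, algo
    if tag in (PUBLIC_KEY, PUBLIC_SUBKEY):
        return KeyPacket(tag, algo, "public")
    usage = body[pos]                                     # S2K usage octet
    if usage == 0:
        return KeyPacket(tag, algo, "unprotected")
    gnu = usage in (254, 255) and body[pos + 2] == 101 and body[pos + 4:pos + 7] == b"GNU"
    if gnu and body[pos + 7] == 1:                        # GNU extension, mode 1001: no key material
        return KeyPacket(tag, algo, "stub")
    return KeyPacket(tag, algo, "protected")

def audit(data: bytes):
    return [parse_key_packet(t, b) for t, b in iter_packets(data) if t in KEY_TAGS]

def safe_to_share(data: bytes):
    """(ok, problems): ok only without primary secret material and without unprotected subkeys."""
    problems = []
    for kp in audit(data):
        if kp.tag == SECRET_KEY and kp.material in ("protected", "unprotected"):
            problems.append(f"primary key (algo {kp.algo}) carries secret material: {kp.material}")
        elif kp.material == "unprotected":
            problems.append(f"subkey (algo {kp.algo}) secret is not passphrase-protected")
    return not problems, problems

# --- constructed sample files (filler key material, not real keys) ---
ED25519_OID = bytes.fromhex("2b06010401da470f01")         # 1.3.6.1.4.1.11591.15.1
CV25519_OID = bytes.fromhex("2b060104019755010501")       # 1.3.6.1.4.1.3029.1.5.1
POINT = int.from_bytes(b"\x40" + bytes(range(32)), "big") # 0x40 || 32 filler bytes

def encode_mpi(n: int) -> bytes:
    return n.bit_length().to_bytes(2, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")
def build_packet(tag: int, body: bytes) -> bytes:         # old-format header, 1-byte length
    return bytes([0x80 | (tag << 2), len(body)]) + body
def build_key_body(algo: int, secret: str = "") -> bytes:
    oid = CV25519_OID if algo == 18 else ED25519_OID
    body = b"\x04" + (1700000000).to_bytes(4, "big") + bytes([algo, len(oid)]) + oid + encode_mpi(POINT)
    if algo == 18:
        body += bytes([3, 1, 8, 7])                       # ECDH KDF params: SHA-256, AES-128
    if secret == "stub":
        body += bytes([255, 0, 101, 8]) + b"GNU\x01"      # GNU dummy S2K, mode 1001
    elif secret == "protected":                           # AES-256, iterated+salted S2K, IV, ciphertext
        body += bytes([254, 9, 3, 8]) + bytes(8) + b"\xe0" + bytes(16) + bytes(48)
    return body

ROLE_SHARE_FILE = (build_packet(SECRET_KEY, build_key_body(22, "stub"))            # certify-only primary, stubbed
                   + build_packet(USER_ID, b"Sales Team <sales@example.org>")
                   + build_packet(SECRET_SUBKEY, build_key_body(18, "protected"))  # encryption subkey, shared
                   + build_packet(PUBLIC_SUBKEY, build_key_body(22)))               # signing subkey, public only
FULL_BACKUP_FILE = build_packet(SECRET_KEY, build_key_body(22, "protected")) + build_packet(SECRET_SUBKEY, build_key_body(18, "protected"))
```

On a real export call safe_to_share(open("role-key.gpg", "rb").read()) with the binary (non-armored) output; an armored file fails the header check on its first byte. safe_to_share(ROLE_SHARE_FILE) accepts the constructed role-key file, safe_to_share(FULL_BACKUP_FILE) reports the protected primary key, which is exactly what a "Backup Secret Keys..." file contains and a shared file must not.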

Event Timeline

ebo triaged this task as Normal priority. Mar 21 2025, 11:29 AM
ebo created this task.
ebo created this object with edit policy "Contributor (Project)".

Discussion and background for naming things and German translation

We want to avoid "group" to not confuse with Kleo groups.

German translations:

  • "New OpenPGP Role Key Pair..." → "Neues OpenPGP-Funktions-Schlüsselpaar ..."

Options for naming the "Save Secret Role Key..." menu entry:

  • "Share Secret Role Key..." → "Teile geheimen Funktions-Schlüssel ..."
    • When using "share", it may not be clear to the user that a file is being created.
    • We also wanted to avoid "export", because it is used for public keys only.
    • We also want this to be distinguished from "backup", which is used for saving the whole key.
  • "Save Secret Role Key for sharing..." → "Speichern des geheimen Funktionsschlüssels zur gemeinsamen Nutzung ..."
    • This might be too long (especially the German version) for a menu entry.
  • "Save Secret Role Key for sharing..." → "Speichern des zu teilenden geheimen Funktionsschlüssels ..."
    • Probably still too long.
  • "Save Secret Role Key..." → "Speichern des geheimen Funktionsschlüssels ..."
    • with a tool-tip: "Save secret role key to share within the team" → "Speichern des geheimen Funktionsschlüssels zum Teilen innerhalb des Teams"
    • Seems to be the best option we have found so far.

Suggestions (language):

engl. Menu Entry: Save Secret Role Key
Tooltip: Save this secret key to share with other team members.

dt. Menüeintrag: Geheimen Funktionsschlüssel speichern
Tooltip: Geheimen Funktionsschlüssel zur Weitergabe im Team speichern.

Dialog: Save Secret Role Key
Text: The following subkeys will be saved to a file.
This file can be shared with team members who need to read messages encrypted for this role.

  • All public subkeys
  • Secret encryption subkey
  • Secret signing subkey

Please choose whether team members should be allowed to sign messages using the role key.
Alternatively, they can use their personal key to sign.
[OK] [Cancel]

German version: Geheimen Funktionsschlüssel speichern
Text: Die folgenden Unterschlüssel werden in einer Datei gespeichert.
Diese Datei kann an Teammitglieder weitergegeben werden, die verschlüsselte Nachrichten für dieses Funktionspostfach lesen müssen.
(shorter version: Für Teammitglieder zum Lesen verschlüsselter Nachrichten an Funktionspostfach.)

  • Alle öffentlichen Unterschlüssel
  • Geheimer Verschlüsselungs-Unterschlüssel
  • Geheimer Unterschlüssel zum Signieren

Wählen Sie, ob Teammitglieder Nachrichten mit dem Funktionsschlüssel signieren dürfen.
Alternativ können sie ihre persönlichen Schlüssel dafür nutzen.
[OK] [Cancel]