Page MenuHome GnuPG
Create Task
Maniphest T7581

Kleopatra: Create team key
Open, HighPublic
Actions

Description

Edit 2025-06-17 + 2025-09-18: changed the terms according to meeting results

Especially for functional mail addresses people often share secret keys. As there is no easy way to do this the sane way (i.e. share only subkeys) a lot of people share the whole key.
To make the seemingly inevitable sharing of secrets keys more secure, we want to introduce a simple Create Team Key action.

Implementation

Add a file menu item "New OpenPGP Team Key..." after the "New OpenGPG Key..." entry.
This calls the default key creation dialog with an option to generate a "Team Key".
A certificate with separate "certify" and "sign" and encryption subkeys and the "group" flag is generated.
After generation the user is offered to "Share Secret Team Key...".

"Save Secret Team Key..." is also a menu entry after "File"->"Export...".
Tooltip: "Save this secret key to share with other team members."
The menu entry is only available if the primary key has only the capability "certify".
The function is a specialized version of the "Backup Secret Keys..." function.
Choosing this function will open a dialog:

After importing the team key, team members will be able to decrypt data with it.

Please choose whether members should also be allowed to sign data with the team key.
Alternatively, they can use their personal key to sign.

  [ ]  Allow team members to sign with the team key

Note: Members will not be able to change the name, email address, or expiration date of the team key.

 [OK]  [Cancel]

Details

External Link
https://wiki.gnupg.com/KB/teams_funktionsmailadressen_gruppen

Revisions and Commits

rLIBKLEO Libkleo
rLIBKLEO31685267c0cd Add function for getting the algorithm string from an…
rLIBKLEO2bfe8b7cae1f Add function for getting the algorithm string from an…
rLIBKLEO43d2820f90ea OpenPGPCertificateCreationDialog: Add checkbox for creating a team key
rLIBKLEO857c4be3160a OpenPGPCertificateCreationDialog: Add checkbox for creating a team key
rLIBKLEOc965a21144b2 OpenPGPCertificateCreationDialog: Add checkbox for creating a team key
rLIBKLEOceac8a844b1f OpenPGPCertificateCreationDialog: Add checkbox for creating a team key
rLIBKLEOca29da3dde63 OpenPGPCertificateCreationDialog: Add checkbox for creating a team key
rLIBKLEOb44cabc68e08 Allow setting name and email label in OpenPGPCertificateCreationDialog
rLIBKLEOdcc550f08e11 Allow setting the info text in an OpenPGPCertificateCreationDialog
rLIBKLEO3abbecbaa75e Extend KeyUsage to allow creating group keys
rLIBKLEOaf8da5ae1573 Adapt OpenPGPCertificateCreationDialog to creating team certificates
rLIBKLEO223beeeb46ad Extend KeyUsage to allow creating group keys
rGPGMEPP Gpgme plus plus
rGPGMEPPd3559c8abcfe Add CreationFlags and simplify API of createKey and createSubkey
rKLEOPATRA Kleopatra
rKLEOPATRA118f81d093b0 Add action for creating team certificates
rKLEOPATRA213dc2e12836 Add action for creating team certificates
rKLEOPATRAed19edc8925f Add action for creating team certificates
rKLEOPATRAc0987b6bcf1d Add action for creating team certificates
rKLEOPATRA9d595ea8c0c3 Add action for creating team certificates
rKLEOPATRA59e3610c2a9f Add action for creating team certificates
rKLEOPATRAc0df44e1d236 Add action for creating team certificates
rKLEOPATRA34d32ecfa1a4 Add action for creating team certificates
rKLEOPATRAa156d51cbae0 Add action for creating team certificates
rKLEOPATRA213be42d2152 Add action for creating team certificates
rKLEOPATRAf8a35b195376 Add action for creating team certificates
rKLEOPATRA613114b51504 Add action for creating team certificates
rKLEOPATRAd38ebcacb927 Add action for creating team certificates
rKLEOPATRA7b0fb8308482 Add action for creating team certificates

Event Timeline

ebo triaged this task as Normal priority.Mar 21 2025, 11:29 AM
ebo created this task.
ebo created this object with edit policy "Contributor (Project)".
alexk updated the task description. (Show Details)May 6 2025, 2:54 PM
alexk added a subscriber: alexk.
alexk added a comment.May 6 2025, 3:20 PM

Discussion and background for naming things and german translation

We want to avoid "group" to not confuse with Kleo groups.

German translations:

  • "New OpenPGP Role Key Pair..." → "Neues OpenPGP-Funktions-Schlüsselpaar ..."

Options for naming the "Save Secret Role Key..." menu entry:

  • "Share Secret Role Key..." → "Teile geheimen Funktions-Schlüssel ..."
    • When using "share", it may not be clear to the user that a file is being created.
    • We also wanted to avoid "export", because it is used for public keys only.
    • We also want this to be distinguished from "backup", which is used for saving the whole key.
  • "Save Secret Role Key for sharing..." → "Speichern des geheimen Funktionsschlüssels zur gemeinsamen Nutzung ..."
    • This might be to long (especially the german version) for a menu entry.
  • "Save Secret Role Key for sharing..." → "Speichern des zu teilenden geheimen Funktionsschlüssels ..."
    • Probably still to long.
  • "Save Secret Role Key..." → "Speichern des geheimen Funktionsschlüssels ..."
    • with a tool-tip: "Save secret role key to share within the team" → "Speichern des geheimen Funktionsschlüssels zum Teilen innerhalb des Teams"
    • Seems to be the best option we have found so far.
alexk updated the task description. (Show Details)May 6 2025, 3:32 PM
hej added a subscriber: hej.EditedMay 6 2025, 4:10 PM

Suggestions (language):

engl. Menu Entry: Save Secret Team Key
Tooltip: Save this secret key to share with other team members.

dt. Menüeintrag: Geheimen Team-Schlüssel speichern
Tooltip: Geheimen Schlüssel speichern und mit Team teilen.

Dialog: Save Secret Team Key
Text: The following subkeys will be saved to a file.
This file can be shared with team members who need to read messages encrypted for this functional mailbox.

  • All public subkeys
  • Secret encryption subkey
  • Secret signing subkey

Please choose whether team members should be allowed to sign messages using the team key.
Alternatively, they can use their personal key to sign.
[OK] [Cancel]

German version: Geheimen Team-Schlüssel speichern
Text: Die folgenden Unterschlüssel werden in einer Datei gespeichert.
Diese Datei kann an Teammitglieder weitergegeben werden, die verschlüsselte Nachrichten an dieses Funktionspostfach lesen müssen.
(shorter version: Für Teammitglieder zum Lesen verschlüsselter Nachrichten an Funktionspostfach.)

  • Alle öffentlichen Unterschlüssel
  • Geheimer Verschlüsselungs-Unterschlüssel
  • Geheimer Unterschlüssel zum Signieren

Wählen Sie, ob Teammitglieder Nachrichten mit dem Funktionsschlüssel signieren dürfen.
Alternativ können sie ihre persönlichen Schlüssel dafür nutzen.
[OK] [Cancel]

ebo added a comment.May 14 2025, 11:21 AM

Tooltip: Save this secret key to share with other team members.
dt. Menüeintrag: Geheimen Team-Schlüssel speichern
Tooltip: Geheimen Schlüssel speichern und mit Team teilen.

The EN version is good but the DE one does neither match nor give correct info IMHO. I'd rather just repeat the menu entry text before doing that.
How about these alternatives:
"Den geheimen Schlüssel speichern, um ihn mit dem Team zu teilen."
"Speichern, um ihn mit dem Team zu teilen."
"Team-Schlüssel zum internen Teilen abspeichern."
"Den geheimen Team-Schlüssel zum internen Teilen abspeichern." (my prefered version)

For tool tips full sentences are usually preferred, I believe.

hej added a comment.May 15 2025, 9:31 AM

"Geheimen Team-Schlüssel zum internen Teilen abspeichern." is grammatically correct, but it sound very formal and clunky for a UI tooltip. It lacks clarity, therefore I suggest:

"Diesen geheimen Schlüssel speichern, um ihn mit Teammitgliedern zu teilen." -> das ist dann sehr dicht an der englischen Fassung dran :)

ikloecker added a commit: rGPGMEPPd3559c8abcfe: Add CreationFlags and simplify API of createKey and createSubkey.May 15 2025, 9:57 AM
ebo renamed this task from Draft: Kleopatra: Create Group key to Kleopatra: Create team key.Jun 17 2025, 5:30 PM
ebo updated the task description. (Show Details)
ebo raised the priority of this task from Normal to High.Jun 23 2025, 3:48 PM
TobiasFella mentioned this in Unknown Object (Maniphest Task).Aug 25 2025, 9:47 AM
TobiasFella added a commit: rLIBKLEO223beeeb46ad: Extend KeyUsage to allow creating group keys.Aug 28 2025, 1:30 PM
TobiasFella added a commit: rKLEOPATRA7b0fb8308482: Add action for creating team certificates.Aug 28 2025, 1:47 PM
TobiasFella added a commit: rLIBKLEOaf8da5ae1573: Adapt OpenPGPCertificateCreationDialog to creating team certificates.Aug 28 2025, 1:50 PM
ikloecker added a commit: rLIBKLEO3abbecbaa75e: Extend KeyUsage to allow creating group keys.Aug 28 2025, 3:45 PM
TobiasFella added a commit: rLIBKLEOdcc550f08e11: Allow setting the info text in an OpenPGPCertificateCreationDialog.Aug 29 2025, 11:06 AM
TobiasFella added a commit: rKLEOPATRAd38ebcacb927: Add action for creating team certificates.
TobiasFella added a commit: rKLEOPATRA613114b51504: Add action for creating team certificates.Aug 29 2025, 11:14 AM
TobiasFella added a commit: rKLEOPATRAf8a35b195376: Add action for creating team certificates.Aug 29 2025, 11:17 AM
TobiasFella added a commit: rKLEOPATRA213be42d2152: Add action for creating team certificates.Aug 29 2025, 11:20 AM
TobiasFella mentioned this in Unknown Object (Maniphest Task).Sep 1 2025, 9:40 AM
ebo moved this task from Backlog to WIP on the gpd5x board.Sep 10 2025, 12:23 PM
TobiasFella mentioned this in Unknown Object (Maniphest Task).Sep 15 2025, 9:56 AM
TobiasFella added a commit: rLIBKLEOb44cabc68e08: Allow setting name and email label in OpenPGPCertificateCreationDialog.Sep 17 2025, 12:40 PM
TobiasFella added a commit: rKLEOPATRAa156d51cbae0: Add action for creating team certificates.
ebo added a comment.Sep 17 2025, 3:51 PM

We got new suggestions for this:

  • do not use "Create Certificate" or "Create Team Certificate" etc, its a key pair.
  • use the normal "Create OpenPGP Key Pair dialog for the team key creation, add a checkbox for "Create Signing Subkey" or "Create Separate Signing Subkey" or possibly "Create Signing Subkey (for Team Keys)"
  • "Save team key" should work on current default keys, too, in that case only the encryption subkey should be exported
  • don't export without offering the save file dialog
  • if you do, the location of the key needs a copy function
ebo added a comment.Sep 18 2025, 3:54 PM

We decided to

  • use "Create OpenPGP Team Key" (and therefore have to change the Action "Create OpenPGP Key Pair" to "Create OpenPGP Key", too)
  • Keep the team key creation action separate as originally proposed
  • "Save team key" action will show if a key has a signing and encryption subkey
  • Change the "Save team key" dialog text to make it less technical:
After importing the team key, team members will be able to decrypt with it.
Please choose whether team members should also be able to sign data with the team key.
Alternatively, they can use their personal key to sign. 
  [ ] Allow team members to sign with the team key
Note: Team members will not be able to change the name, email address or expiry date of the team key.

The save file dialog was already there.

ebo updated the task description. (Show Details)Sep 18 2025, 4:26 PM
hej added a comment.Sep 19 2025, 11:48 AM

Dialogtext (winzige Politur):

After importing the team key, members will be able to decrypt data with it.
Please choose whether members should also be allowed to sign data with the team key.
Alternatively, they can use their personal key to sign.

  • Allow members to sign with the team key

Note: Members will not be able to change the name, email address, or expiration date of the team key.

ebo updated the task description. (Show Details)EditedSep 19 2025, 12:09 PM

ok, changed the text in the description of the ticket accordingly, but put two more "team" back in.

TobiasFella mentioned this in Unknown Object (Maniphest Task).Sep 22 2025, 9:48 AM
TobiasFella added a commit: rKLEOPATRA34d32ecfa1a4: Add action for creating team certificates.Sep 26 2025, 1:01 PM
TobiasFella mentioned this in Unknown Object (Maniphest Task).Sep 29 2025, 9:25 AM
TobiasFella added a commit: rKLEOPATRAc0df44e1d236: Add action for creating team certificates.Oct 2 2025, 12:49 PM
TobiasFella added a commit: rLIBKLEOca29da3dde63: OpenPGPCertificateCreationDialog: Add checkbox for creating a team key.Oct 2 2025, 1:03 PM
TobiasFella added a commit: rLIBKLEOceac8a844b1f: OpenPGPCertificateCreationDialog: Add checkbox for creating a team key.Oct 2 2025, 1:09 PM
TobiasFella mentioned this in Unknown Object (Maniphest Task).Mon, Oct 6, 9:53 AM
TobiasFella added a commit: rLIBKLEOc965a21144b2: OpenPGPCertificateCreationDialog: Add checkbox for creating a team key.Mon, Oct 6, 3:24 PM
TobiasFella added a commit: rKLEOPATRA59e3610c2a9f: Add action for creating team certificates.Tue, Oct 7, 2:25 PM
TobiasFella added a commit: rLIBKLEO857c4be3160a: OpenPGPCertificateCreationDialog: Add checkbox for creating a team key.
TobiasFella added a commit: rLIBKLEO43d2820f90ea: OpenPGPCertificateCreationDialog: Add checkbox for creating a team key.Thu, Oct 9, 11:14 AM
TobiasFella added a commit: rLIBKLEO2bfe8b7cae1f: Add function for getting the algorithm string from an….Fri, Oct 10, 4:29 PM
TobiasFella added a commit: rKLEOPATRA9d595ea8c0c3: Add action for creating team certificates.Fri, Oct 10, 4:53 PM
TobiasFella mentioned this in Unknown Object (Maniphest Task).Mon, Oct 13, 9:55 AM
TobiasFella added a commit: rLIBKLEO31685267c0cd: Add function for getting the algorithm string from an….Thu, Oct 16, 9:16 AM
TobiasFella added a commit: rKLEOPATRAc0987b6bcf1d: Add action for creating team certificates.Tue, Oct 28, 12:12 PM
TobiasFella added a commit: rKLEOPATRAed19edc8925f: Add action for creating team certificates.Thu, Oct 30, 11:02 AM
TobiasFella added a commit: rKLEOPATRA213dc2e12836: Add action for creating team certificates.Thu, Oct 30, 11:43 AM
TobiasFella added a commit: rKLEOPATRA118f81d093b0: Add action for creating team certificates.Fri, Oct 31, 3:43 PM