Is there a way that I can use a RSA keypair with PGP? What I mean is that I have 2048 length keypair and i want to use that to encrypt and decrypt data. But all I have found is that the PGP uses some keyrings and some pgp keys. And I haven't found anywhere why they are different? Why I am asking is that I need to store keys in HSM but i cant do that with PGP keys. Looked around and didn't find anything about that on google also.
Can anyone explain it to me or share some link.
What PGP does is described in the OpenPGP standard. In OpenPGP, "key rings" are some terminology for "public and/or private keys encoded in the format described by OpenPGP".
Among the types of keys for which OpenPGP describes a key ring format are RSA keys. There is no fundamental issue which would prevent an OpenPGP implementation from using a RSA private key which is stored in a HSM. Practically speaking, though, the free OpenPGP implementation, called GnuPG, does not inherently supports that -- but the gnupg-pkcs11 project may help: it allows integration of a cryptographic device which offers a PKCS#11 driver (virtually all HSM do that) into the GnuPG world.
Importing an existing "PGP key" (i.e. a RSA private key currently stored as a file in the OpenPGP format) into a HSM is not necessarily a good idea: a HSM is an expensive device which aims at never allowing a private key to ever exist outside of the tamper-resistant hardware of the HSM. If the key is imported, then it does/did exist somewhere in the outer world, which makes the use of the HSM much less justified.
I don't know about PGP, but GPG can use Smartcards (and sometimes more interesting, PKCS#11 USB-Tokens) to protect the private key:
http://www.gnupg.org/howtos/card-howto/en/smartcard-howto-single.html
If you take the hassle to use a HSM, you should consider using one with a dedicated key pad. Otherwise the protection is of very little use.
You might also want to bring this to the attention of your IT security department: http://secgroup.ext.dsi.unive.it/projects/security-apis/pkcs11-security/tookan/
They have a paper at ACM CCS 2010 explaining the issue.
You can't use anything in PGP other that PGP keys. Some features will also work with certificates and S/MIME keys but not all (e.g. Additional Decryption Key will not work). I'm hoping you have not bought it without knowing this.
You can though set the RSA algorithm in PGP on key generation and in PGP Universal as a policy setting:
Some lessons learned implementing PGP email encryption in an organization
If you are using RSA certificates, then you should use cms (evolved from PCCS#7 and s/mime) this is supported by openssl. http://www.openssl.org/docs/apps/cms.html
To sign and encrypt a file:
openssl cms –encrypt –text –in compressed-file.txt –out encrypted-file.txt public-key.pem
Next we sign the file contents:
openssl cms –sign –text –in encrypted-file.zip –signer certificate.pem –inkey certtificate.key –out signed-file.txt
To verify and decrypt:
openssl cms –verify –in file –signer certificate.pem
If the verification is successful then the file contents can be decrypted.
openssl cms –decrypt –in file –inkey private-key.pem –out decrypted-file
You can't import keys to HSM AFAIK. They are devices designed to perform cryptographic onboard generation/storage/use of cryptographic critical data. Being able to import a private key to the HSM will negate the purpose of the HSM itself.
I think there is a backup procedure although. But I never had an HSM card in my hands (I wish I had :P) You can't export unencrypted information out of the HSM as well.
But you are right, they embeds 2048-length RSA keys (NIST recommendation since 2010).
Most of information available on Wikipedia
