Secured email communication. How to establish a PKI (Public Key Infrastructure) explained by taking the communication within a school as an example

The charm of openPGP consists in the convenience to implement it. Smaller institutions like schools can build a security infrastructure without too much effort. As mentioned it is irresponsible to avoid measures that could ensure data privacy.

The target

It must be ensured that formal or informal information between teachers, between teachers and the administration or between teachers and students will be transmitted in a confidential and trustworthy way.


Each participant must own an email account. It is not important if the account is private or official.

The participants must use an email client that can proceed openPGP.

Establishing the PKI

Establishing an own CA.

The school will nominate a person as PKI commissioner.

The PKI commissioner creates one or more key pairs that will be used to certificate the participants' identities. When cryptologists talk about "trust" this is always a technical term. It is negligible if somebody trusts the persons themselves, just the identity has to be stated correctly.

Creation of key pairs:

I will introduce the handling by ReSecCo but it works from the command line, too.

(1) Change to "openPGP – Own openPGP keys".

The key pair you have to create will be used to certify the (public) keys of your colleagues or students. To communicate with them you should use other keys and other email addresses.

Name: Certificate T XY-School
Supplement: Teacher's certificate
Expires: never or long termed

If you want to ensure email communication to your students or between your students you can create a special CA to certify students' addresses. It is not necessary to differ between students and teachers but as students will leave the school after a few years it can be useful to reserve separated certificates:

Name: Certificate S XY-School
Supplement: Student's certificate
Expires: within 4 years

It is not important that teachers or students may leave your school. Certification means that the identity assigned to a key is correct. As most teachers know their colleagues and their students and most students know their teachers personally the only reason of certification is security of communication.

Public keys can be certified additionally by an authority like the headmaster of the school or the superior authorities.

To allow validation of the certificate the PKI commissioner should publish the fingerprint of the key used to certify. Within ReSecCo you will find the finger print if you view the details of the key.

You can publish the certifying keys (public keys) on a key server, on the web site of the school or by sending it to all participants. There is no reason to keep it secret. The email address you have assigned to the key is not needed and there is no reason to realize it.

But you need an address to communicate. This address may be a special address or the regular address of the PKI commissioner. To communicate secured you should create an openPGP key. This address must be published to the participants

Your CA is ready now. You should backup your keys and annotate your passwords.

It is a good idea to use a separated computer to manage a PKI. If you are skilled you may use it to get and answer requests for certifying keys. But you should block any other network (internet) ports than 465 and 995 to avoid insecurity of your system.

Participants need a program that works with openPGP

My recommendation is ReSecCo, as most other programs are not able to handle openPGP or their handling of it is not sufficient. You can link to where the participants will get information and instructions. An email client should be able to proceed s/mime (PKCS #7; x509) as well as openPGP.

How to create an openPGP keypair and which are the additional needs?

To create a key pair is easy and has been described within another section of this text. When the key has been created the public key must be certified. The participants will send it to the CA the school has established. ReSecCo will add your public key to any message you send and therefore there no additional effort is necessary. If participants use other programs they might have to attach the public key manually. The CA will prove the identity and resend the key to the participant after it has certified it.

If participants use ReSecCo the keys will be imported automatically, if they use other programs it could be that they have to import the certified keys manually.

What more?

The participants have to accept the public key of the school's CA of the school as trustworthy if they do not want to prove any keys of colleagues separately. To accept the school's CA the participants should certify its key internally using "2" as depth of trust.


If the requirements have been fulfilled you should use secured emailing. To do so you must take one more step. Publish your certified key. You can do this if you send an email to your partner where your key is attached.