SecretAgent® - PGP® Interoperability Guidelines

Facilitating Interoperability Between SecretAgent 5.x and PGP/OpenPGP

This note applies to SecretAgent 5.7 through 5.9 for Windows, and to PGP 6.58, 7.x, and 8.x, as well as to other OpenPGP-compatible applications such as GnuPG. (Please note that ISC has droppen OpenPGP support from more recent versions of SecretAgent for Windows and that OpenPGP is not supported by any version of SecretAgent for non-Windows platforms.)


Before they can communicate securely using their respective encryption programs, a SecretAgent for Windows user and a PGP user must exchange X.509 certificates. This page outlines how certificate exchange and software configuration might be handled by each party.

SecretAgent 5.7-5.9 for Windows User

  1. obtain an X.509 RSA certificate, if you don't already have one (or simply create a self-signed RSA certificate using Certificate Explorer)
  2. open Certificate Explorer and export your certificate as an OpenPGP V4 key
  3. provide the V4 key file to the PGP user so they can add it to their keyring
  4. add the PGP user's certificate to any convenient store in Certificate Explorer or use Internet Explorer to import it into CAPI
  5. download and install the SecretAgent 'Add-on for OpenPGP Support' available on the ISC support page for your particular version of SecretAgent (this allows you to create and decrypt OpenPGP-compatible archives)

PGP User

  1. obtain an X.509 RSA certificate, if you don't already have one (see "PKI Enrollment for PGP Users" below)
  2. make sure the key pair for your new certificate is in your keyring (it may be imported as a PKCS#12 file)
  3. make your certificate available to the SecretAgent user (so that they can encrypt files for you)
  4. import the SecretAgent user's V4 key into your keyring (so that you can encrypt files for that individual)
  5. consider disabling IDEA and Twofish (only the Federal standard AES and TDES ciphers can be used with SecretAgent)

PKI Enrollment for PGP Users

Depending on the version of PGP you have, you might be able to generate an X.509 RSA (PKCS#10) certificate request and submit it to a CA using PGP, but we've found that most PGP users find it easier to use a browser:

  1. visit the website of your favorite CA and complete the enrollment process to obtain a certificate for a new RSA key pair generated by your browser (the ISC Silver CA may be used for this purpose; our fee for certificates is currently $10/year)
  2. export your key pair from the browser as a (password-protected) PKCS#12 file (instructions for doing this with Internet Explorer are here; Netscape- and Mozilla-based browsers may refer to the export process as 'backing up' your credentials)
  3. inport the PKCS#12 file into your PGP keyring


PGP is a registered trademark of PGP Corporation, now a subsidiary of Symantec.