[...snip...]
Please can you tell me the role of the 'pass phrase'
Thanks
The word 'passphrase' is used in two contexts in PGP:
1) A passphrase is used to encrypt a private key and thus 'lock' the private
key.
2) A passphrase will be used when performing 'conventional encryption'
(encryption that uses symmetric encryption methods only).
To expand on this, in 1):
It is optional to give a private key a passphrase. When a private key has
one, you will be prompted for the passphrase before you can use your private
key. (Remember that you use your private key to decrypt messages or files
that were encrypted using your public key. You also use your private key
when signing a message or file.)
A passphrase is a relatively weak locking mechanism when compared to the
strength of strong (1024-bit) asymmetric encryption keys (e.g. RSA) or the
strong (128-bit) symmetric keys (e.g. AES). Nevertheless, assigning a
passphrase to your private key increases your security by giving you some
limited protection against someone gaining access to your private key.
To expand on 2):
When you use PGP's 'conventional encryption', you are using symmetric
encryption methods only to encrypt a message or file. Neither your PGP
public key nor your PGP private key is involved in this process. It is
called symmetric encryption because the key that is used to encrypt the
message or file is the same one used to decrypt it. This 'shared secret'
symmetric key is derived from a passphrase that you make up. If you encrypt
a message using 'conventional encryption' and then you email the encrypted
message to a recipient, your recipient will need to know the passphrase you
chose in order to decrypt the message. You will have to send him the
passphrase via some alternate secure channel. (Perhaps you can call him on
the phone and tell him the passphrase.)
Note:
A short passphrase is undesirable since it has poor security. Make your
passphrase from multiple words and consider using special characters like
'&', '%', or '#', or a mixture of uppercase, lowercase, and numbers. The
longer your passphrase, the more it begins to have a strength comparable to
1024-bit asymmetric keys or 128-bit symmetric keys. On the other hand,
don't make a passphrase so long and complicated that you forget it.
Don't record and store your passphrase with your private key. If someone
gets his hands on your passphrase plus your private key, your security has
been completely compromised.
Having no passphrase whatsoever on a private key is considered by most
people to be unacceptable unless you can guarantee that your computer will
never be accessed by an attacker. (Consider how many notorious
lost-notebook stories you read about in the news! Don't forget too about
spyware attacks.)
If you forget your private key's passphrase, you have effectively lost your
private key.
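The two points above (a symmetric key derived from a passphrase, and a short passphrase being weak even when the cipher is strong) can be seen end to end in a small worked example. This is an added example, not code from the original post or from any PGP implementation. The key derivation follows the Iterated and Salted S2K of RFC 4880 section 3.7.1.3, which is how OpenPGP turns a passphrase into a cipher key; the cipher itself is an assumption for this example: PGP uses a block cipher such as AES or CAST5, which the Python standard library does not provide, so this block uses an HMAC-SHA256 keystream in counter mode plus an HMAC tag (encrypt-then-MAC). The blob layout, the coded count of 0x60, the sample message and the candidate-passphrase list are all constructed for the demonstration.

```python
"""Passphrase-derived 'conventional encryption' and why short passphrases fail.

Added example (not from the original post). Key derivation: RFC 4880 S2K.
Cipher: ASSUMED stand-in (HMAC-SHA256 keystream + HMAC tag), not PGP's AES/CAST5.
"""
import hashlib
import hmac
import os
import struct

SALT_LEN = 8            # RFC 4880: the S2K salt is 8 octets
S2K_CODED_COUNT = 0x60  # constructed choice; decodes to 65536 octets hashed


def s2k_decode_count(coded: int) -> int:
    """RFC 4880 3.7.1.3: expand the one-octet coded count into an octet count."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded_count: int,
                        key_len: int, hash_name: str = "sha256") -> bytes:
    """Iterated and Salted S2K (RFC 4880 3.7.1.3).

    Feeds salt||passphrase repeatedly into the hash until `count` octets have
    been hashed (at least one full copy). If more key material is needed than
    one digest gives, further contexts are started, preloaded with 1, 2, ...
    zero octets, and their digests are concatenated.
    """
    if len(salt) != SALT_LEN:
        raise ValueError("S2K salt must be 8 octets")
    data = salt + passphrase
    count = max(s2k_decode_count(coded_count), len(data))
    full, rem = divmod(count, len(data))
    stream = data * full + data[:rem]
    key, pass_no = b"", 0
    while len(key) < key_len:
        h = hashlib.new(hash_name)
        h.update(b"\x00" * pass_no)
        h.update(stream)
        key += h.digest()
        pass_no += 1
    return key[:key_len]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (assumed stand-in for AES/CAST5)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def conventional_encrypt(passphrase: str, plaintext: bytes) -> bytes:
    """Encrypt using only a key derived from the passphrase; no public key involved.

    Constructed blob layout: salt(8) || nonce(16) || ciphertext || tag(32).
    """
    salt, nonce = os.urandom(SALT_LEN), os.urandom(16)
    km = s2k_iterated_salted(passphrase.encode(), salt, S2K_CODED_COUNT, 64)
    enc_key, mac_key = km[:32], km[32:]
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def conventional_decrypt(passphrase: str, blob: bytes):
    """Return the plaintext, or None if the passphrase is wrong or the blob was tampered with."""
    if len(blob) < SALT_LEN + 16 + 32:
        return None
    salt, nonce, ct, tag = blob[:8], blob[8:24], blob[24:-32], blob[-32:]
    km = s2k_iterated_salted(passphrase.encode(), salt, S2K_CODED_COUNT, 64)
    enc_key, mac_key = km[:32], km[32:]
    expect = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        return None  # same failure for a wrong passphrase and for a modified blob
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def dictionary_attack(blob: bytes, candidates):
    """What an attacker holding only the ciphertext does: guess passphrases."""
    for cand in candidates:
        if conventional_decrypt(cand, blob) is not None:
            return cand
    return None


CANDIDATES = ["password", "letmein", "secret", "pgp", "qwerty123"]  # constructed wordlist

if __name__ == "__main__":
    msg = b"Meet at the usual place at 9."  # constructed sample message
    weak = conventional_encrypt("secret", msg)
    strong = conventional_encrypt("correct horse battery staple & 1", msg)
    print("recipient with the passphrase:", conventional_decrypt("secret", weak))
    print("recipient with a wrong passphrase:", conventional_decrypt("Secret", weak))
    print("wordlist attack on short passphrase:", dictionary_attack(weak, CANDIDATES))
    print("wordlist attack on long passphrase:", dictionary_attack(strong, CANDIDATES))
```

The 128-bit cipher key is exactly as strong as advertised in both runs; what the attacker guesses is the passphrase, and the S2K octet count only multiplies the cost of each guess. That is why the post's advice to use several words is the thing that matters, and why a real implementation calibrates the count much higher than the 0x60 used here.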