Sending Sensitive Information

We recommend that you encrypt sensitive information in email to protect it from being viewed by unintended recipients. We prefer OpenPGP standard cryptography, which usually means Pretty Good Privacy (PGP) or the GNU Privacy Guard (GnuPG or GPG). However, we can use S/MIME or other methods on a case-by-case basis.

Those unable to use PGP can contact us at <cert@cert.org> or +1 412-268-7090 to arrange alternative methods.

We also encourage you to check the PGP signature on email and documents to ensure that they were produced by the CERT key and have not been altered.

The CERT/CC PGP Key

As a good security practice, be sure to validate PGP keys you receive and do not trust unvalidated keys. In the past, forged CERT PGP keys have been created and uploaded to public keyservers. It is important to validate your copy of the CERT PGP public key to ensure it is legitimate.

  1. Get our PGP public key from the CERT website.

    Our current PGP key has the following properties:

    CERT PGP Key Information

    Key ID: 236C3502
    Key Type: RSA
    Expires: 2016-09-30
    Key Size: 2048
    Key Fingerprint: 8249 19BC 50DC 3E49 D72C  A2B4 993F 25A8 236C 3502
    UserID: CERT Coordination Center <cert@cert.org>
    

    The CERT PGP keys have an operational life span of approximately one year. When we generate a new key, it will be available from this web page, and we will announce the change.

  2. Verify our fingerprint.

    Call us at +1 412-268-7090 to verify the fingerprint.

    If you trust that this web page is authentic, you can verify using the fingerprint above.
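The two steps above can be scripted. This is an added example, not part of the original page: it compares the full fingerprint of a downloaded key against the published one, because the 8-digit Key ID is only the tail of the fingerprint and a forged key can be made to share it. The file name cert-pubkey.asc, the function names, and the sample listings are assumptions constructed for illustration.

```shell
#!/bin/sh
# Published fingerprint, copied from the key properties listed above.
PUBLISHED='8249 19BC 50DC 3E49 D72C  A2B4 993F 25A8 236C 3502'

# Strip whitespace and upper-case hex so spacing differences do not matter.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# Reads `gpg --with-colons` key listing on stdin.
# Returns 0 only if the primary key's full fingerprint equals $1,
# 1 on mismatch, 2 if $1 is not a 40-hex-digit fingerprint.
check_fpr() {
    want=$(normalize_fpr "$1")
    case "$want" in
        ''|*[!0-9A-F]*) return 2 ;;
    esac
    [ "${#want}" -eq 40 ] || return 2
    # The first "fpr" record after the "pub" record belongs to the primary key;
    # field 10 of that record is the fingerprint.
    got=$(awk -F: '$1 == "pub" { p = 1; next } p && $1 == "fpr" { print $10; exit }')
    [ "$got" = "$want" ]
}

# Constructed, trimmed listing for a key carrying the published fingerprint.
sample_genuine() {
    printf '%s\n' 'pub:-:2048:1:993F25A8236C3502:' \
                  'fpr:::::::::824919BC50DC3E49D72CA2B4993F25A8236C3502:'
}

# Constructed listing for a key with the same short Key ID (236C3502)
# but a different fingerprint: a Key ID comparison alone would accept it.
sample_lookalike() {
    printf '%s\n' 'pub:-:2048:1:00000000236C3502:' \
                  'fpr:::::::::00000000000000000000000000000000236C3502:'
}

# Typical use (assumes a recent GnuPG 2.x and a key saved as cert-pubkey.asc):
#   gpg --with-colons --show-keys cert-pubkey.asc | check_fpr "$PUBLISHED" \
#       && gpg --import cert-pubkey.asc
```

Importing only after the check passes keeps an unvalidated key out of the keyring; the published value itself should still be confirmed by phone as described in step 2.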

Obtaining GnuPG or PGP

GnuPG

GNU Privacy Guard is an OpenPGP-compliant application that is freely available.

The GnuPG site provides details for the most appropriate software based on your operating system. Please note that the "version compiled for MS-Windows is a command-line version and comes with a graphical installer tool." For a graphical interface, you may also consider the options below.

Microsoft Outlook users on Windows may use Gpg4win, which provides GnuPG and graphical interfaces for key management, including some limited integration with Microsoft Outlook email clients. You may obtain Gpg4win here.

Thunderbird users on any platform (Windows, Mac, and Linux) may also use Enigmail as a graphical interface to GnuPG. You may obtain Enigmail here, and Thunderbird here. A tutorial for using Enigmail and Thunderbird from the FSF is also available.

Linux users may also use KMail, which contains integration with GnuPG through the Kleopatra and KGpg programs. KMail may be obtained from your distribution repositories.

Symantec Desktop Email Encryption

Symantec offers a range of PGP products, including Symantec Desktop Email Encryption. Symantec offers a free 30-day trial period. You may obtain the software from the Symantec Desktop Email Encryption page.