| Prerequisites |
|---|
| You’re familiar with the process of generating key pairs or importing them. |
| You’re familiar with Email Key Manager. |
| You’re familiar with the Client Configuration options. |
When you click on the fingerprint of the key and open the Key Pair Details page, you’ll find different kinds of important information about the key pair:
Some of this information is stored within the keys themselves, while the rest is stored in a database. Later in this guide, you’ll find detailed explanations of the information displayed on this page, which is arranged in five sections.
Key pair data section
The first section is based on the data stored within the key pair:
In that section, you’ll find the following fields:
- Key pair type: When you generate keys using FlowCrypt, we use PGP encryption (the OpenPGP standard) by default. S/MIME keys can’t currently be generated in FlowCrypt, but users can import such keys to send and receive S/MIME-encrypted emails.
- Status: This field displays the status of the key and can have three values: valid, revoked, and expired. If the key is valid, you can assign it to a user; if it’s revoked, it can no longer be used for encryption or signing. If the key has expired, you just need to extend its expiration date.
- Fingerprint: The fingerprint of your public key. For more information about this topic, please refer to the Manual Public Key Management guide.
- Superseded by: The OpenPGP standard supports key rotation (for security purposes): replacing an old key with a new one that has the same parameters. By default, you’ll see a “No Key Pair supersedes this one” message here, but if the key pair has been rotated, it will show the fingerprint of your new key pair.
- Supersedes: Shows if your key supersedes any key pair. If it doesn’t, this field will display the “Does not supersede any other Key Pair” message. Otherwise, it will display the fingerprint of the old superseded key pair.
- Subkey fingerprint: When you generate keys using any FlowCrypt product, it actually generates two key pairs: a primary key that is used for digital signatures, and a subkey for encryption, which is bound to your primary key. This field displays the fingerprint of your subkey.
- User ID email: Here, you set the email address of the key owner. In the case of newly generated keys, this field will display only one email address marked as “Primary”. Besides the primary email address (user), there can also be addresses marked as “Secondary” for the user’s email aliases. For more details about how to manage the list of key users, please refer to the Manage User IDs guide.
- Algorithm: Displays the cryptographic algorithm used in your key pair. To learn more about the algorithms used by FlowCrypt, please read our Cryptographic Algorithms guide.
- Created: The creation date of the key pair.
- Expiration: The expiration date of your key pair. See how to manage the key expiration date.
- Revocation: Revoking a key pair prevents it from being used for encryption. It remains in your database, but it is no longer available for future encryption operations.
- Last valid signature: The date when the key was last updated as a result of performing an operation that affects the data within the key pair. Don’t confuse this field with the Updated field in the Database parameters section, which displays the date of the last key update resulting from performing any operation that updates keys, as some operations don’t affect the data within keys.
- Usability: Using FlowCrypt, you can perform two operations with a key pair: encryption and signing. This field shows which of these operations is available for the key pair. All FlowCrypt products generate keys for both encryption and signing, but if you have a sign-only or encryption-only key pair, you can import and use it.
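The Fingerprint, Subkey fingerprint, Status and Usability fields above are all derived from what is stored inside the OpenPGP key. The following Python is an added example (not FlowCrypt’s code) that shows how each of them follows from the packet data defined in RFC 4880: the fingerprint is a SHA-1 over the public-key packet, which is why the primary key and its subkey get different fingerprints; status is decided by revocation first, then expiration; and usability comes from the key-flags signature subpacket. The key numbers and the creation timestamp are constructed toy values, not a real key.

```python
# Added example (not FlowCrypt code): how the Fingerprint, Subkey fingerprint,
# Status and Usability fields follow from OpenPGP packet data (RFC 4880).
# The key numbers below are CONSTRUCTED toy values used only to exercise the
# encoding; they are not a real or usable key.
import hashlib
import struct
from typing import Dict, Optional

# Key-flags subpacket bits (RFC 4880 section 5.2.3.21)
FLAG_CERTIFY = 0x01
FLAG_SIGN = 0x02
FLAG_ENCRYPT_COMMS = 0x04
FLAG_ENCRYPT_STORAGE = 0x08


def encode_mpi(n: int) -> bytes:
    """RFC 4880 section 3.2: two-octet bit length, then the big-endian value."""
    bit_len = n.bit_length()
    return struct.pack(">H", bit_len) + n.to_bytes((bit_len + 7) // 8, "big")


def rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Version 4 public-key (or public-subkey) packet body for RSA, algorithm 1."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + encode_mpi(n) + encode_mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """Section 12.2: SHA-1 over 0x99, the two-octet body length, and the body."""
    return hashlib.sha1(bytes([0x99]) + struct.pack(">H", len(body)) + body).hexdigest().upper()


def key_id(fingerprint: str) -> str:
    """The 64-bit key ID is the low-order 8 octets (16 hex digits) of the fingerprint."""
    return fingerprint[-16:]


def key_status(created: int, expires_after: Optional[int], revoked: bool, now: int) -> str:
    """Status field: revocation wins, then expiration, otherwise valid.
    expires_after is the Key Expiration Time subpacket (seconds after creation);
    None means the key never expires."""
    if revoked:
        return "revoked"
    if expires_after is not None and now >= created + expires_after:
        return "expired"
    return "valid"


def usability(key_flags: int) -> Dict[str, bool]:
    """Usability field: which of the two operations the key flags permit."""
    return {
        "sign": bool(key_flags & FLAG_SIGN),
        "encrypt": bool(key_flags & (FLAG_ENCRYPT_COMMS | FLAG_ENCRYPT_STORAGE)),
    }


def describe_key_pair(now: int) -> Dict[str, object]:
    """Assemble the fields as the details page would, for a constructed primary
    key (certify + sign) plus an encryption subkey created at the same time."""
    created = 1_700_000_000          # constructed: 2023-11-14T22:13:20Z
    one_year = 365 * 86400
    # Constructed toy RSA values; a real key has a 2048-bit or larger modulus.
    primary = rsa_public_key_body(created, n=0xC0FFEE, e=65537)
    subkey = rsa_public_key_body(created, n=0xBADCAFE, e=65537)
    fp = v4_fingerprint(primary)
    return {
        "fingerprint": fp,
        "key_id": key_id(fp),
        "subkey_fingerprint": v4_fingerprint(subkey),
        "created": created,
        "expiration": created + one_year,
        "status": key_status(created, one_year, revoked=False, now=now),
        "usability": {
            "primary": usability(FLAG_CERTIFY | FLAG_SIGN),
            "subkey": usability(FLAG_ENCRYPT_COMMS | FLAG_ENCRYPT_STORAGE),
        },
    }


if __name__ == "__main__":
    import json
    print(json.dumps(describe_key_pair(now=1_700_000_000 + 1), indent=2))
```

Because the subkey has its own public-key packet, changing either the creation time or the key material changes its fingerprint independently of the primary key, which is why the page lists the two fingerprints separately. Expiration is not stored in the key packet at all but in a self-signature subpacket, which is what lets an expiration date be extended without changing the fingerprint.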
Key backup section
After the Key pair data section, there is a Key backup section, which serves as a backup option:
Here, you can copy the public key of the user or download both keys in case you need to send them to the user in a file.
Key pair history section
In this section, you can track any changes made to the key:
It can include two types of operations: add and mod (modification). By clicking on an item in this table, you can view the details of the key as they were at the moment of that update.
Database parameters section
This section displays additional information about keys:
It includes the following fields:
- Domain: The domain of the primary email address.
- Source: This field displays where the key pair was generated. The possible sources are:
  - Admin Panel: The most common source type. You’ll see it if the key pair was generated or imported via the Enterprise Admin Panel.
  - Mail User Agent: As a rule, key pairs appear on the Enterprise Admin Panel if they were generated or imported manually there. However, we also provide an option that allows end-users to import key pairs generated on other platforms through our browser extension, and they’ll automatically appear on the Enterprise Admin Panel. If you want to allow your users to do so, you need to exclude the `PRV_AUTOIMPORT_OR_AUTOGEN` Client Configuration flag. Otherwise, they can use only keys generated by the FlowCrypt Email Key Manager. Please refer to the Add Domain Configuration and Edit Domain Configuration guides to learn how to set or edit Client Configurations.
  - Orchestrator: This source type is displayed when the Orchestrator has applied any Automatic Lifecycle Action to the key pair.
  - Keygen script: We provide a Keygen option to pre-generate keys using a CLI command. Please read about the `--gen-private-keys` flag for more details about how to use it.
- Inserted: Displays the date when keys were inserted into the Enterprise Admin Panel.
- Inserted by: Displays the email address of the user who inserted the key.
- Updated: The date when the key was last updated as a result of performing any operation, regardless of whether it updated the data within the key or not.
- Updated by: Displays the email address of the user who updated the key.
- WKD Push Sync Status: Displays whether the key is synced with your Web Key Directory server. If it’s not synced, you’ll see a “Pending since N date” message. In such cases, you can click the Re-sync button, or it will be updated automatically shortly after.
- Associated users: Displays the number of users associated with the key pair, i.e. the users who can fetch the private key of that key pair.
- Automatic lifecycle actions: Shows if this option is enabled. It lets you rotate keys or extend the expiration date automatically.
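The WKD Push Sync Status field above refers to the copy of the public key published on your Web Key Directory server. As an added example (not FlowCrypt’s code), this Python derives the URL that a WKD-capable mail client fetches for an address, following draft-koch-openpgp-webkey-service: the local part is lower-cased, hashed with SHA-1, z-base-32 encoded, and looked up under `/.well-known/openpgpkey/`. The address `Joe.Doe@Example.ORG` is the draft’s own sample address; nothing here is specific to the Enterprise Admin Panel, and no network request is made.

```python
# Added example (not FlowCrypt code): how a Web Key Directory client locates
# the published key that the "WKD Push Sync Status" field refers to, following
# draft-koch-openpgp-webkey-service. The sample address is the draft's own.
import hashlib
from typing import Dict

# z-base-32 alphabet used by WKD for the hashed local part
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5 bits per character, most significant bits
    first, with the final group zero-padded. A 160-bit SHA-1 digest encodes to
    exactly 32 characters."""
    value = int.from_bytes(data, "big")
    nbits = len(data) * 8
    pad = (-nbits) % 5
    value <<= pad
    nbits += pad
    return "".join(ZB32_ALPHABET[(value >> shift) & 0x1F]
                   for shift in range(nbits - 5, -1, -5))


def wkd_hash(local_part: str) -> str:
    """SHA-1 of the lower-cased local part, z-base-32 encoded.
    Only the local part is hashed; the domain selects the server."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> Dict[str, str]:
    """Lookup URLs for an address: the 'advanced' method on the openpgpkey
    subdomain and the 'direct' method on the domain itself. The l= query
    parameter carries the local part in its original case."""
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local)
    base = f"/.well-known/openpgpkey"
    return {
        "hash": h,
        "advanced": f"https://openpgpkey.{domain}{base}/{domain}/hu/{h}?l={local}",
        "direct": f"https://{domain}{base}/hu/{h}?l={local}",
        "advanced_policy": f"https://openpgpkey.{domain}{base}/{domain}/policy",
        "direct_policy": f"https://{domain}{base}/policy",
    }


if __name__ == "__main__":
    for name, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{name:16} {url}")
```

A client tries the advanced method first and falls back to the direct method; either way the server must serve the key under the hashed path, which is the object the Re-sync button repopulates when the status shows as pending.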
Associated users section
When a user signs into an account on any client (browser or mobile apps), the client checks whether Email Key Manager holds private keys for that user. In this section, you define the list of users who can fetch the private key:
Additionally, this section shows the history of associated users. Please refer to the Manage Associated Users guide for more detailed instructions about this topic.