GPG and PCI requirement 3.6.6

Chip Ross cross at appsecconsulting.com
Wed Nov 9 20:12:31 CET 2016


Does anyone have any suggestions on how to handle split knowledge and dual control for PCI 3.6.6, using GPG?


Here is the PCI requirement and guidance:

PCI DSS Requirements:

3.6.6 If manual clear-text cryptographic key-management operations are used, these operations must be managed using split knowledge and dual control.

Note: Examples of manual key-management operations include, but are not limited to: key generation, transmission, loading, storage and destruction.

Testing Procedures:

3.6.6.a Verify that manual clear-text key-management procedures specify processes for the use of the following:

- Split knowledge of keys, such that key components are under the control of at least two people who only have knowledge of their own key components; AND

- Dual control of keys, such that at least two people are required to perform any key-management operations and no one person has access to the authentication materials (for example, passwords or keys) of another.

3.6.6.b Interview personnel and/or observe processes to verify that manual clear-text keys are managed with:

- Split knowledge, AND

- Dual control

Guidance:

Split knowledge and dual control of keys are used to eliminate the possibility of one person having access to the whole key. This control is applicable for manual key-management operations, or where key management is not implemented by the encryption product.

Split knowledge is a method in which two or more people separately have key components, where each person knows only their own key component, and the individual key components convey no knowledge of the original cryptographic key.

Dual control requires two or more people to perform a function, and no single person can access or use the authentication materials of another.


Any help is appreciated. Thanks.


_chip
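One way to implement the split-knowledge half of this requirement for a GPG key, as an added example that is not part of the original post and not GnuPG's own tooling: XOR-split the passphrase protecting the private key into n components, one per custodian. Every component on its own is uniformly random, so it conveys nothing about the passphrase, and all n are needed to rebuild it. The passphrase value, the custodian count and the envelope format are constructed for the example.

```python
"""XOR-based split knowledge for a GPG key passphrase (n-of-n components).

Each custodian receives one component; every component is uniformly random on
its own, so no single custodian learns anything about the passphrase. All n
components are needed to reconstruct it, which is what forces the rebuild step
to happen as a multi-person ceremony. Example code, not part of GnuPG.
"""
import hashlib
import secrets
from typing import Dict, List


def xor_all(parts: List[bytes]) -> bytes:
    """XOR an equal-length list of byte strings together."""
    length = len(parts[0])
    if any(len(p) != length for p in parts):
        raise ValueError("all parts must have the same length")
    out = bytearray(length)
    for part in parts:
        for i, b in enumerate(part):
            out[i] ^= b
    return bytes(out)


def split_secret(secret: bytes, n_custodians: int) -> List[bytes]:
    """Split `secret` into n_custodians XOR components. Components 1..n-1 are
    fresh random bytes; the last is chosen so the XOR of all of them equals the
    secret. Any n-1 of them are statistically independent of the secret."""
    if n_custodians < 2:
        raise ValueError("split knowledge requires at least two custodians")
    if not secret:
        raise ValueError("refusing to split an empty secret")
    components = [secrets.token_bytes(len(secret)) for _ in range(n_custodians - 1)]
    components.append(xor_all(components + [secret]))
    return components


def combine_components(components: List[bytes]) -> bytes:
    """Reconstruct the secret; only correct when every custodian contributes."""
    return xor_all(components)


def commitment(secret: bytes) -> str:
    """SHA-256 of the passphrase, kept alongside the key. Lets the ceremony
    confirm the reconstruction before it is typed into gpg, without revealing it."""
    return hashlib.sha256(secret).hexdigest()


def custodian_envelope(index: int, total: int, component: bytes) -> str:
    """Printable record for one custodian's sealed envelope: the component in
    hex plus a short hash so a tampered or mis-transcribed envelope is caught."""
    digest = hashlib.sha256(component).hexdigest()[:16]
    return f"component {index}/{total} sha256:{digest} value:{component.hex()}"


def ceremony_demo(passphrase: bytes, n_custodians: int = 3) -> Dict[str, object]:
    """Run split -> distribute -> reconstruct and report what each step shows."""
    expected = commitment(passphrase)
    comps = split_secret(passphrase, n_custodians)
    envelopes = [custodian_envelope(i + 1, n_custodians, c) for i, c in enumerate(comps)]
    # All custodians present: the rebuilt passphrase matches the stored commitment.
    rebuilt = combine_components(comps)
    # One custodian absent: the partial XOR is random and fails the commitment check.
    partial = xor_all(comps[:-1])
    return {
        "n": n_custodians,
        "envelopes": envelopes,
        "full_reconstruction_ok": commitment(rebuilt) == expected,
        "partial_reconstruction_ok": commitment(partial) == expected,
    }


if __name__ == "__main__":
    # Constructed sample passphrase; in a real ceremony generate it with
    # secrets.token_bytes() and never print it.
    report = ceremony_demo(b"correct horse battery staple", 3)
    for line in report["envelopes"]:
        print(line)
    print("all custodians present ->", report["full_reconstruction_ok"])
    print("one custodian absent   ->", report["partial_reconstruction_ok"])
```

Dual control comes from the procedure around this code, not the code itself: the envelopes are opened together, the passphrase is rebuilt in memory and checked against the commitment, and (assuming GnuPG 2.1 or later) handed to gpg via `--pinentry-mode loopback --passphrase-fd 0` so it is never written to disk. This n-of-n XOR split deliberately fails if any custodian is absent; a k-of-n threshold scheme such as Shamir's would tolerate that, at the cost of more code and a different risk model.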




More information about the Gnupg-users mailing list