Mailman-pgp stores PGP keys in ASCII-armored files in directories. The [keydirs] section of the config specifies three directories: one for list keypairs, one for user public keys (per-address) and one for list archive public keys.

List keypairs

Mailman-pgp can be configured to generate the list keypair when a PGP-enabled list is created. This is done via the [keypairs].autogenerate option.

The type and size of the generated key and subkey are also configurable, via the [keypairs].primary_key and .sub_key options. The options are listed in the src/mailman_pgp/config/mailman_pgp.cfg config file and also in the Configuration docs.

Mailman-pgp generates keys that look like so:

pub   secp256k1/0x651AD9483EB388DD 2017-08-21 [SC]
      Key fingerprint = 2767 BEE0 E502 00DA 4A2F  131E 651A D948 3EB3 88DD
uid                             Name <>
uid                             Name <>
sub   secp256k1/0x5D972B21F6D1C7D7 2017-08-21 [E]

This is for a list called name at the domain, with the primary key and the subkey using the ECDSA and ECDH algorithms over secp256k1, respectively.

As the list keypair is stored as an ASCII-armored text file in the [keydirs].list_keydir directory, named <list-id>.asc, replacing it with a custom keypair just works. However, doing so on an established mailing list might confuse its subscribers, and if they still encrypt to the old key, mailman-pgp will bounce their messages.
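A pre-flight check for a candidate <list-id>.asc before it replaces the list keypair, as an added example (not mailman-pgp code): it confirms that the file is an ASCII-armored private key block, that the armor checksum is intact, and that the first packet is a secret-key packet. It assumes the checksum line that GnuPG writes is present; the function names and sample blocks are constructed for illustration, and the key material itself is not validated.

```python
import base64
import re

def crc24(data):
    """CRC-24 from RFC 4880 section 6.1, used for the armor checksum line."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(label, data):
    """Build an armored block; only used to construct the samples below."""
    body = base64.b64encode(data).decode()
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return f"-----BEGIN PGP {label}-----\n\n{body}\n={crc}\n-----END PGP {label}-----\n"

def check_list_keypair(text):
    """Return the problems found in a candidate <list-id>.asc (empty list = passes)."""
    lines = [line.strip() for line in text.strip().splitlines()]
    begin = re.fullmatch(r"-----BEGIN PGP ([A-Z ]+)-----", lines[0]) if lines else None
    if not begin or lines[-1] != f"-----END PGP {begin.group(1)}-----" or "" not in lines:
        return ["not a single ASCII-armored PGP block"]
    problems = []
    if begin.group(1) != "PRIVATE KEY BLOCK":
        problems.append(f"armor type is {begin.group(1)!r}, not a private key block")
    body, crc_line = lines[lines.index("") + 1:-2], lines[-2]
    try:
        data = base64.b64decode("".join(body), validate=True)
        stored = base64.b64decode(crc_line[1:], validate=True)
    except ValueError:
        return problems + ["armor body or checksum line is not valid base64"]
    if not crc_line.startswith("=") or stored != crc24(data).to_bytes(3, "big"):
        problems.append("CRC24 checksum mismatch (file corrupted or truncated)")
    # First packet tag: new format keeps it in bits 5-0, old format in bits 5-2.
    tag = (data[0] & 0x3F if data[0] & 0x40 else (data[0] >> 2) & 0x0F) if data else None
    if tag != 5:  # tag 5 = Secret-Key packet; tag 6 would be a bare public key
        problems.append(f"first packet tag is {tag}, expected 5 (secret key)")
    return problems

# Constructed samples: a packet header byte plus filler, not real key material.
SECRET_SAMPLE = armor("PRIVATE KEY BLOCK", bytes([0x94, 0x03, 0x04, 0x00, 0x00]))
PUBLIC_SAMPLE = armor("PUBLIC KEY BLOCK", bytes([0x98, 0x03, 0x04, 0x00, 0x00]))
```

A public-only export dropped into the list key directory is the case this catches: PUBLIC_SAMPLE fails on both the armor type and the packet tag.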

Mailman-pgp can delete and/or shred the list keypair on list deletion. This is also configured in the [keypairs] config section, via the shred, shred_command and delete options.