Group use of keys
Aleksandar Milivojevic
amilivojevic at pbl.ca
Mon Nov 22 18:46:08 CET 2004
Mike Edwards wrote:
> Hi! I have a public key that I share with our customers and the secret
> is on my keyring. I have another person in my department that needs to
> be able to decrypt files sent by our customers that have been encoded
> with my public key. IOW, we want a single public key with either a
> shared secret or separate secret keys for the same public key. Are
> either scenarios possible?
You would have to share the secret key. It would be best not to use your
personal key for this, because you will need to give it to your
co-worker. That means he can decrypt everything, and sign anything with
it. Create a new key for group usage. Basically, there is no "real"
difference between a personal and a group key other than possibly in the
key ID (personal would say "Bob", group would say "Tech Support", or
"Foobar Inc").
How to share it depends on the installation and your comfort level. If
you will be using the same computer, you can place it in separate
keyrings (for the public and private key), and include those keyrings
from the GnuPG configuration file (I think the config options for
including public and secret keyrings are not the same). Make sure file
permissions on the keyrings are such that only you and your co-worker
can access the additional secret keyring.
If the two of you are using separate computers, you can share that
directory on the network (NFS, Windows share) and go with the previous
solution. But this is generally a very bad idea (from a security point
of view). Sharing a secret key is a bad idea to begin with. Sharing it
over a network file system is probably the most insecure way of doing
it. A better idea would be to copy the needed secret and public keys
into your co-worker's keyring. He can then set his own passphrase for
that key, so he doesn't know your passphrase, and you don't know his
passphrase.
In both cases, since there will be multiple secret keys in the keyrings,
it is a good idea to specify which one is the default key for signing in
the GnuPG configuration file (depending on work requirements, that would
either be the personal or the group key). If you don't specify a default
secret key, GnuPG will simply use the first one it finds (something you
shouldn't rely on).
--
Aleksandar Milivojevic <amilivojevic at pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
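As an added example, not from the original post or from GnuPG itself, the following shell script shows the setup the reply describes: a gpg.conf fragment that adds separate group keyrings and pins `default-key`, plus a check that the group secret keyring is readable only by its owner and group. It assumes GnuPG 1.x-era option names (`secret-keyring` no longer exists in GnuPG 2.1+), and the file names, group name and key ID are made up.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes GnuPG 1.x/2.0
# options "keyring", "secret-keyring" and "default-key"; file names and
# the key ID below are placeholders.

# Print the gpg.conf lines that pull the group keyrings in next to the
# personal ones and pin the key used for signing, so GnuPG does not fall
# back to whichever secret key it happens to find first.
#   $1 group public keyring, $2 group secret keyring, $3 default key ID
gpg_group_conf() {
    printf 'keyring %s\nsecret-keyring %s\ndefault-key %s\n' "$1" "$2" "$3"
}

# Octal permission bits of a file, portable across GNU and BSD stat.
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Return 0 when only the owner and the (co-worker's) group may read the
# secret keyring: "other" gets no bits at all and the group cannot write.
# This is the "only you and your co-worker can access it" check.
secret_keyring_mode_ok() {
    mode=$(file_mode "$1") || return 1
    other=${mode#"${mode%?}"}        # last octal digit: "other"
    rest=${mode%?}
    group=${rest#"${rest%?}"}        # second to last digit: "group"
    [ "$other" -eq 0 ] && [ $(( group & 2 )) -eq 0 ]
}

# Demo with a scratch file standing in for the group secret keyring.
demo_dir=$(mktemp -d)
touch "$demo_dir/group-secring.gpg"
chmod 640 "$demo_dir/group-secring.gpg"    # owner rw, group r, other none
gpg_group_conf "$demo_dir/group-pubring.gpg" "$demo_dir/group-secring.gpg" \
    0xDEADBEEF                             # placeholder key ID
if secret_keyring_mode_ok "$demo_dir/group-secring.gpg"; then
    echo "group secret keyring permissions OK"
else
    echo "group secret keyring is readable or writable by too many" >&2
fi
rm -rf "$demo_dir"
```

The `keyring` line for a group public keyring is harmless to share; it is the `secret-keyring` file whose mode the check guards.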