Group use of keys

Aleksandar Milivojevic amilivojevic at pbl.ca
Mon Nov 22 18:46:08 CET 2004


Mike Edwards wrote:
> Hi!  I have a public key that I share with our customers and the secret 
> is on my keyring.  I have another person in my department that needs to 
> be able to decrypt files sent by our customers that have been encoded 
> with my public key.  IOW, we want a single public key with either a 
> shared secret or separate secret keys for the same public key.  Are 
> either scenarios possible?

You would have to share the secret key.  It would be best not to use 
your personal key for this, because you will need to give it to your 
co-worker.  That means he can decrypt everything, and sign anything with 
it.  Create a new key for group usage.  Basically, there is no "real" 
difference between a personal and a group key other than possibly in the key 
ID (personal would say "Bob", group would say "Tech Support", or "Foobar 
Inc").

How to share it depends on the installation and your comfort 
level.  If you will be using the same computer, you can place it in separate 
keyrings (for public and private key), and include those keyrings from the 
GnuPG configuration file (I think the config options for including public 
and secret keyrings are not the same).  Make sure file permissions on the 
keyrings are such that only you and your co-worker can access the additional 
secret keyring.

If the two of you are using separate computers, you can share that directory 
on the network (NFS, Windows share) and go with the previous solution.  But 
this is generally a very bad idea (from a security point of view).  Sharing a 
secret key is a bad idea to begin with.  Sharing them over network file 
systems is probably the most insecure way of doing it.  A better idea 
would be to copy the needed secret and public keys into your co-worker's 
keyring.  He can then set his own passphrase for that key, so he doesn't 
know your passphrase, and you don't know his passphrase.

In both cases, since there will be multiple secret keys in the keyrings, 
it is a good idea to specify which one is the default key for signing in the 
GnuPG configuration file (depending on work requirements, that would either be 
the personal or the group key).  If you don't specify a default secret key, GnuPG 
will simply use the first one it finds (something you shouldn't rely on).

-- 
Aleksandar Milivojevic <amilivojevic at pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
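The procedure recommended in the reply above, as an added worked example that is not part of the original post or of GnuPG's own documentation.  It runs the "copy the group key into your co-worker's keyring" route end to end on GnuPG 2.1 or later, with two throwaway GNUPGHOME directories standing in for two machines.  The user IDs, passphrases and file names are made up for the demonstration.  It goes one step beyond the post: the key is handed over under a one-time transfer passphrase, so that neither person ever learns the other's real passphrase, and the separate-keyring variant from the post is not shown because GnuPG 2.1 dropped secring.gpg and the secret-keyring option (secret keys now live in private-keys-v1.d).

```shell
#!/bin/sh
# Added example, not from the original post: the reply's "copy the group key
# into your co-worker's keyring" procedure on GnuPG 2.1 or later. Two throwaway
# GNUPGHOME directories stand in for two machines. All user IDs, passphrases
# and file names below are made up for the demonstration.
set -eu
umask 077   # keyrings, the transfer file and the ciphertext stay owner-only

require_gnupg21() {   # 2.1+ dropped secring.gpg and the secret-keyring option
    command -v gpg >/dev/null 2>&1 || return 1
    gpg --version | awk 'NR == 1 { split($NF, v, "."); exit !(v[1] > 2 || (v[1] == 2 && v[2] >= 1)) }'
}

WORK=$(mktemp -d)
BOB_HOME=$WORK/bob        # Bob: owns a personal key and creates the group key
ALICE_HOME=$WORK/alice    # Alice: co-worker who must decrypt customer files
BOB_UID="Bob <bob@example.com>"
GROUP_UID="Tech Support <support@example.com>"
BOB_PASS=bob-pass                # known only to Bob
TRANSFER_PASS=one-time-handover  # told to Alice once, out of band
ALICE_PASS=alice-pass            # known only to Alice

cleanup() {
    for h in "$BOB_HOME" "$ALICE_HOME"; do
        [ -d "$h" ] && GNUPGHOME=$h gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

# gpg against one home, unattended; loopback pinentry means passphrases come
# from --passphrase or --command-fd rather than from a pinentry dialog.
g() { _home=$1; shift; gpg --homedir "$_home" --batch --quiet --no-tty --pinentry-mode loopback "$@"; }

# Primary-key fingerprint of the key with the given user ID.
fpr_of() { g "$1" --with-colons --list-keys "$2" | awk -F: '$1 == "fpr" { print $10; exit }'; }

# Change a key's passphrase without a dialog: gpg reads the old and then the
# new passphrase from the command fd, one per line.
set_passphrase() {   # home fpr old new
    printf '%s\n%s\n' "$3" "$4" | g "$1" --command-fd 0 --change-passphrase "$2"
}

# Decrypt a file in a home with a given passphrase; fails if it is wrong.
decrypt_as() {   # home pass file
    g "$1" --passphrase "$2" --decrypt "$3" 2>/dev/null
}

# Sign a line in a home and return the primary fingerprint that signed it.
signer_of() {   # home pass
    printf 'status report\n' | g "$1" --passphrase "$2" --sign |
        g "$1" --status-fd 1 --verify 2>/dev/null |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $12 }'
}

main() {
    if ! require_gnupg21; then
        echo "skipping demo: GnuPG 2.1 or later is required" >&2
        exit 0
    fi
    mkdir -m 700 "$BOB_HOME" "$ALICE_HOME"

    # 1. Bob already has a personal key; the group gets a key of its own.
    g "$BOB_HOME" --passphrase "$BOB_PASS" --quick-generate-key "$BOB_UID" default default never
    g "$BOB_HOME" --passphrase "$BOB_PASS" --quick-generate-key "$GROUP_UID" default default never
    GROUP_FPR=$(fpr_of "$BOB_HOME" "$GROUP_UID")

    # 2. Hand over the group key under a one-time passphrase so that neither
    #    person learns the other's real one; Bob restores his own afterwards.
    set_passphrase "$BOB_HOME" "$GROUP_FPR" "$BOB_PASS" "$TRANSFER_PASS"
    g "$BOB_HOME" --passphrase "$TRANSFER_PASS" --armor --export-secret-keys "$GROUP_FPR" > "$WORK/group-secret.asc"
    set_passphrase "$BOB_HOME" "$GROUP_FPR" "$TRANSFER_PASS" "$BOB_PASS"

    # 3. Alice imports the key into her own keyring and sets her own passphrase.
    g "$ALICE_HOME" --import "$WORK/group-secret.asc"
    rm "$WORK/group-secret.asc"
    set_passphrase "$ALICE_HOME" "$GROUP_FPR" "$TRANSFER_PASS" "$ALICE_PASS"

    # 4. Two secret keys in Bob's keyring: say which one signs by default
    #    (the group key here, so replies to customers carry its identity).
    printf 'default-key %s\n' "$GROUP_FPR" >> "$BOB_HOME/gpg.conf"
    SIGNER=$(signer_of "$BOB_HOME" "$BOB_PASS")

    # 5. A customer (Bob's home stands in; it holds the public key) encrypts to
    #    the group key; only Alice's own passphrase opens her copy.
    printf 'quarterly figures\n' | g "$BOB_HOME" --recipient "$GROUP_FPR" --encrypt > "$WORK/msg.gpg"
    GNUPGHOME=$ALICE_HOME gpgconf --kill gpg-agent || true   # drop any cached passphrase
    if decrypt_as "$ALICE_HOME" "$TRANSFER_PASS" "$WORK/msg.gpg" >/dev/null; then
        OLD_PASS_REJECTED=no
    else
        OLD_PASS_REJECTED=yes
    fi
    PLAINTEXT=$(decrypt_as "$ALICE_HOME" "$ALICE_PASS" "$WORK/msg.gpg")
    [ "$SIGNER" = "$GROUP_FPR" ] && echo "default-key honoured: group key signed"
    echo "handover passphrase rejected after Alice changed it: $OLD_PASS_REJECTED"
    echo "Alice decrypted: $PLAINTEXT"
}
main
```

The default-key check in step 4 is the part most worth keeping: with two secret keys in one keyring, the script deliberately points default-key at the key generated second and confirms from the VALIDSIG status line that this is the one that signed, which is exactly the behaviour the reply says not to leave to chance.  The one-time transfer passphrase is an addition to the post's procedure; the post itself only says the co-worker should set his own passphrase after the copy.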



More information about the Gnupg-users mailing list