Automation advice wanted

David Shaw dshaw at jabberwocky.com
Fri Dec 16 05:12:11 CET 2005


On Thu, Dec 08, 2005 at 09:59:42AM -0800, Duell, Bob wrote:

> I am considering creating a "public" keyring for our group, one into
> which I can import the keys for "registered" recipients.  I can define
> the "public" keyring directory and file as global read/execute; users
> would refer to the public ring using the "-keyring" option.  One in our 
> group would be the designated "key master", responsible for maintaining
> the keyring.

This is a reasonable thing to do.

> Although I've read about keyservers, I'm not sure we can use them here.
> At any rate, I'm looking for a very simple solution.
> 
> I'd also like to create a master keypair for the group, a single key
> that can be used by everyone sending files to us.  I was thinking a UNIX
> script could be used to handle signing and decryption, thereby
> preserving the secrecy of the passphrase.

This can be reasonable in some circumstances, but also can be risky -
it's hard to hide a passphrase in a script that way.  Also, how do you
plan to prevent people just copying the script, key, passphrase, and
all?

It's hard to suggest an alternative without knowing more about what
you're trying to do.  Is there actually a need for encryption once the
data in question is on-site, or is it just a transit issue?  Would it
be acceptable for one person to own the master key and decrypt and
then re-encrypt to a list of individual keys for your internal users?

David
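An added example, not code from this thread or from GnuPG: POSIX shell checks for the "public keyring" layout Bob describes (world-readable public ring, secret material not) and for the passphrase-in-a-script risk David raises. File paths are placeholders; nothing here calls gpg.

```shell
#!/bin/sh
# Added example (not from the thread). Users would read the shared ring with
#   gpg --no-default-keyring --keyring /path/to/shared/group-pub.gpg ...
# (the option is --keyring with two dashes). These helpers only audit the
# filesystem side of that layout; paths are placeholders.

# True if PATH has the "other" read bit set, i.e. is world-readable.
world_readable() {
    find "$1" -prune -perm -o=r -print | grep -q .
}

# The shared public keyring directory needs read+execute for "other" and the
# keyring file itself needs read for "other", or users cannot open it.
check_public_keyring() {
    dir=$1; ring=$2
    [ -d "$dir" ] || return 1
    find "$dir" -prune -perm -o=rx -print | grep -q . || return 1
    [ -f "$dir/$ring" ] || return 1
    world_readable "$dir/$ring"
}

# Whatever holds the group's secret key (or the wrapper script that unlocks
# it) must never be world-readable; a shared layout covers public keys only.
check_secret_file() {
    [ -f "$1" ] || return 1
    ! world_readable "$1"
}

# A wrapper that passes the passphrase via --passphrase or --passphrase-file
# exposes it to anyone who can read the script (and, for --passphrase, to
# anyone running ps while gpg is up). Returns 0 if such an option is present.
script_embeds_passphrase() {
    grep -Eq -- '--passphrase(-file)?([[:space:]]|=|$)' "$1"
}
```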
