Multiple Subkeys/UIDs

Grimes, Dean DGRIMES at scvl.com
Mon Mar 21 20:28:30 CET 2005


I have been searching the mail archives for a while but have not yet found
any discussion related to the situation I have. I'm new to GnuPG and data
encryption in general so if some of my ideas or thoughts go completely
against common sense then.....

Anyway here is my situation. I have about 300 remote locations totaling
around 500 servers out in the field. There are several data files that we
collect on a daily basis that, even though we are on dialup to these locations,
we want to begin encrypting for transfer and storage. All of these
files come back to a central location where they will need to be decrypted
for processing and the encrypted file placed in a storage location. All of
this must happen in an automated scripted environment. This much I've
figured out how to do.

We also have a support department that will from time to time need to
decrypt one or more of these files in order to track down problems or answer
questions related to the data in the files. What I was hoping to be able to
do was create encrypt only keys at the remote locations and all locations
would use these keys for encrypting their data. My problem is having to give
the support department the master keys to decrypt the data. This isn't a
problem until someone leaves the company.

What I would like to do is to assign a key to a specific user that they
would use to decrypt a file. It would have a unique pass phrase
associated with it that only that user would know. This would be generated
by Operations department and assigned to the user. The user would be able to
decrypt only the files that were encrypted with a particular key. Multiple
users would be able to decrypt a single file using their assigned decryption
key and pass phrase. If a user leaves the company their key would be
revoked/deleted but they would never have had access to the master key. All
of the other users would still be able to use the keys that were assigned to
them.

Is this possible to do with GnuPG? Is it wise to do something like this? Is
there anyone else besides me who has this situation or one similar? If so,
how did you/they solve the problem? Any help would be greatly appreciated.

Thanks,
Dean
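The scheme described in the post can be built directly on OpenPGP's support for multiple recipients: a file is encrypted to the public keys of every support user who may read it, each of them decrypts with their own private key and passphrase, and no shared "master" key ever exists. The script below is an added example written for this page, not code from the original post or from the GnuPG project. It assumes GnuPG 2.1 or later on PATH (for --quick-gen-key and --pinentry-mode loopback); the user ids, passphrases and sample data file are constructed for the demonstration, and every keyring lives in a throwaway temporary directory.

```shell
#!/bin/sh
# Added example, not from the original post: per-user decryption keys with
# GnuPG 2.1+. Operations generates a personal keypair for each support user,
# field sites hold only the PUBLIC halves and encrypt each file to every
# current support user. Any one of them can decrypt with their own key and
# passphrase; nobody holds a shared master key. All names, passphrases and
# data below are constructed for the demo.
set -eu

WORK="$(mktemp -d)"
cleanup() {
    for _h in "$WORK"/*/; do gpgconf --homedir "$_h" --kill gpg-agent 2>/dev/null || true; done
    rm -rf "$WORK"
}
trap cleanup EXIT

# Run gpg non-interactively against a named throwaway keyring under $WORK.
gpgh() {
    _home="$WORK/$1"; shift
    if [ ! -d "$_home" ]; then
        mkdir -p "$_home" && chmod 700 "$_home"
        # lets --passphrase reach gpg-agent on older 2.1.x releases
        echo allow-loopback-pinentry > "$_home/gpg-agent.conf"
    fi
    gpg --homedir "$_home" --batch --yes --quiet --no-tty "$@"
}

# Operations generates a key for one support user ($1 uid, $2 passphrase)
# and exports the public half for distribution to the field sites.
make_user_key() {
    [ -f "$WORK/$1.pub" ] && return 0      # already generated
    gpgh "$1" --pinentry-mode loopback --passphrase "$2" \
        --quick-gen-key "$1" default default never
    gpgh "$1" --export "$1" > "$WORK/$1.pub"
}

# A field site imports public keys only: it can encrypt, never decrypt.
site_import() {
    for _u in "$@"; do gpgh site --import "$WORK/$_u.pub"; done
}

# Encrypt $1 to $2 for every listed recipient uid (uids contain no spaces).
# --trust-model always: sites have no web of trust, Ops distributes the keys.
site_encrypt() {
    _in=$1; _out=$2; shift 2
    _recips=""
    for _u in "$@"; do _recips="$_recips -r $_u"; done
    # shellcheck disable=SC2086
    gpgh site --trust-model always $_recips -o "$_out" -e "$_in"
}

# A support user decrypts with their own keyring and passphrase.
user_decrypt() {
    gpgh "$1" --pinentry-mode loopback --passphrase "$2" -d "$3" 2>/dev/null
}

# "ok" if uid $1 with passphrase $2 recovers exactly plaintext $4 from $3.
can_read() {
    if [ "$(user_decrypt "$1" "$2" "$3" || true)" = "$(cat "$4")" ]; then
        echo ok
    else
        echo denied
    fi
}

# Walk through the lifecycle and print who can read what.
run_demo() {
    make_user_key alice@example.com alice-pass
    make_user_key bob@example.com   bob-pass
    make_user_key carol@example.com carol-pass
    site_import alice@example.com bob@example.com carol@example.com

    # Monday: Carol still works here, so the file is encrypted to all three.
    printf 'store=0042,date=2005-03-21,sales=1234.56\n' > "$WORK/monday.csv"
    site_encrypt "$WORK/monday.csv" "$WORK/monday.gpg" \
        alice@example.com bob@example.com carol@example.com

    # Tuesday: Carol has left. Remove her key from the site keyring so new
    # files go only to the remaining users. This cannot touch Monday's file:
    # ciphertext already encrypted to her key still opens with that key.
    gpgh site --delete-keys carol@example.com
    printf 'store=0042,date=2005-03-22,sales=987.65\n' > "$WORK/tuesday.csv"
    site_encrypt "$WORK/tuesday.csv" "$WORK/tuesday.gpg" \
        alice@example.com bob@example.com

    printf 'alice=%s bob=%s site=%s carol_old=%s carol_new=%s\n' \
        "$(can_read alice@example.com alice-pass "$WORK/monday.gpg"  "$WORK/monday.csv")" \
        "$(can_read bob@example.com   bob-pass   "$WORK/tuesday.gpg" "$WORK/tuesday.csv")" \
        "$(if gpgh site -d "$WORK/monday.gpg" >/dev/null 2>&1; then echo ok; else echo denied; fi)" \
        "$(can_read carol@example.com carol-pass "$WORK/monday.gpg"  "$WORK/monday.csv")" \
        "$(can_read carol@example.com carol-pass "$WORK/tuesday.gpg" "$WORK/tuesday.csv")"
}

run_demo
```

Two points the demo makes explicit. First, a user who leaves is cut off from future files by dropping them from the recipient list (and, for safety, deleting their public key from the site keyrings); publishing a revocation certificate for their key tells other parties to stop encrypting to it, but neither step changes ciphertext that was already encrypted to that key, so files the person could read before they left remain readable to them. Second, each user's secret key lives in its own keyring: gpg decrypts with whichever secret key matches a session-key packet in the file, so a shared keyring holding several users' private keys would undo the separation. Passphrases on the command line are for the demonstration only; a production script would read them from a protected file via --passphrase-file or let the agent manage them.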