Corporate use of gnupg

David Shaw dshaw at jabberwocky.com
Sun Feb 10 20:57:26 CET 2008


On Wed, Feb 06, 2008 at 11:35:14AM -0800, Texaskilt wrote:
> 
> Apologies if this has already been asked.  Honestly, I did my homework and
> looked in the archives!
> 
> I am wanting to set up users to use GnuPG for encrypting email, mainly for
> internal e-mail.
> 
> Unfortunately, the "powers-that-be" want everyone that encrypts an email to
> also encrypt it to the "corporate secret key".  Their reasoning is that if a
> person leaves, they want to have access to the old emails in case there is a
> "business critical" email in there.

This is essentially the rationale behind the "ADK" (additional
decryption key) feature of PGP.

> Is there a way to "force" users to encrypt to a corporate key, in addition
> to the recipient's key?

It depends on how strong the term "force" is.  Even in PGP, the ADK
system can be circumvented if the person tries hard enough.

If you trust your employees to not hack you, then you can just stick an
"encrypt-to (the keyid)" in everyone's gpg.conf file and give everyone
a copy of the corporate public key.

Note that this isn't safe because of the crypto math.  It's "safe"
because you can fire people that don't do it ;)

David
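The following is an added example, not part of David's post or of the GnuPG project, showing what the gpg.conf "encrypt-to" setting does and why it is a policy rather than a cryptographic guarantee. It builds a throwaway keyring in a temporary GNUPGHOME with two hypothetical test identities (an employee key and a "corporate" key, names and addresses made up for the example), writes an encrypt-to line for the corporate key, encrypts a constructed message to the employee only, and then counts the public-key session-key packets in the ciphertext: one per key the message was encrypted to. It then repeats the encryption with --no-encrypt-to, which any user can pass on the command line, to show that the corporate copy silently disappears. It assumes a GnuPG 2.x "gpg" binary and gpg-agent on the PATH.

```shell
#!/bin/sh
# Added example: demonstrate gpg.conf "encrypt-to" and how a user bypasses it.
# Hypothetical identities; nothing here touches the user's real keyring.
set -eu

# True when a GnuPG 2.x "gpg" is available (the options below need 2.x).
have_gpg2() {
    gpg --version 2>/dev/null | head -n 1 | grep -q ' 2\.'
}

# gpg in non-interactive mode with an empty passphrase (test keys only).
gpgb() {
    gpg --batch --pinentry-mode loopback --passphrase '' "$@"
}

# gen_key "User <mail>": create an ed25519/cv25519 key, print its fingerprint.
gen_key() {
    gpgb --quick-gen-key "$1" future-default default never >/dev/null 2>&1
    gpg --batch --with-colons --list-keys "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Count the ":pubkey enc packet:" entries in a ciphertext: one per recipient key.
count_recipients() {
    gpg --batch --list-packets "$1" 2>&1 | grep -c ':pubkey enc packet:'
}

# Build the temporary keyring, the gpg.conf policy line and a constructed message.
make_keyring() {
    GNUPGHOME="$(mktemp -d)"; export GNUPGHOME
    trap 'gpgconf --kill all >/dev/null 2>&1 || true; rm -rf "$GNUPGHOME"' EXIT
    ALICE="$(gen_key 'Alice Example <alice@example.com>')"       # hypothetical employee
    CORP="$(gen_key 'Example Corp Escrow <escrow@example.com>')" # hypothetical corporate key
    # This is the line the post suggests putting in everyone's gpg.conf.
    printf 'encrypt-to %s\n' "$CORP" > "$GNUPGHOME/gpg.conf"
    MSG="$GNUPGHOME/msg.txt"
    printf 'constructed sample message: quarterly numbers attached\n' > "$MSG"
}

# Normal use: the user names only Alice, gpg.conf adds the corporate key.
recipients_with_policy() {
    gpgb --trust-model always -r "$ALICE" -e -o "$GNUPGHOME/policy.gpg" "$MSG"
    count_recipients "$GNUPGHOME/policy.gpg"
}

# Bypass: --no-encrypt-to on the command line drops every encrypt-to key.
recipients_bypassing_policy() {
    gpgb --trust-model always --no-encrypt-to -r "$ALICE" -e -o "$GNUPGHOME/bypass.gpg" "$MSG"
    count_recipients "$GNUPGHOME/bypass.gpg"
}

if have_gpg2; then
    make_keyring
    echo "recipient keys with encrypt-to in gpg.conf: $(recipients_with_policy)"
    echo "recipient keys with --no-encrypt-to:        $(recipients_bypassing_policy)"
fi
```

Run as a plain shell script. With the policy line in place the ciphertext carries two session-key packets (Alice's subkey and the corporate subkey); with --no-encrypt-to it carries one, and nothing on the wire tells the mail system that the corporate copy is missing. That is the sense in which the setting is enforced by HR rather than by the mathematics: checking --list-packets output on the server side, or watching for the bypass, is the only technical control available.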


