IT Department having the secure key.

arcintl michael.griffiths at
Sun Jul 26 18:26:41 CEST 2009

I wish to set up GnuPG for my work (I am the IT Administrator) but I have a
few questions.

First: if the user creates a key and then leaves the company, assuming
he/she didn't tell anyone the passphrase and it was the only key used, are
those files locked forever?

If this is so, my idea was that the IT department (i.e. me) creates the keys for
all my users and uses a completely random password for all, then backs up those
keys, then issues them to the users and allows them to change the passphrase
to something they prefer. Then if the user leaves we can use the originally
backed-up key with the original password to decrypt the files they

Will this work? I know it may sound like a security risk and ruin the whole
point of encrypting in the first place, but this is the only way I can think
of to safeguard the company's data (not the users' data).

I also have another question.

If a user's key is compromised, i.e. someone knows their passphrase, should
the user just change the passphrase or should a new key be generated? And
if a new key is needed, will all the files that were encrypted with the old
key be in danger of being decrypted, or be totally useless without the old key?

Sorry if this has been answered before or is a dumb question. I am new to this.
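As an added example, not from the original post or from the GnuPG project, here is the escrow flow the question describes, run as a POSIX shell script against GnuPG 2.x in throwaway keyrings. The user alice@example.com, the file names and the directories are constructed for the demo; the user's own passphrase change is left out because it only re-protects her local copy of the key.

```shell
#!/bin/sh
# Added example: the escrow flow from the post, run against throwaway GnuPG keyrings.
# IT generates the user's key under a random passphrase it records offline, backs up the
# secret key, and can later recover the user's files without knowing the passphrase the
# user chose afterwards. Names, files and directories are constructed for the demo.
set -eu

GPG="gpg --batch --quiet --pinentry-mode loopback"

new_home() {           # fresh throwaway keyring so no real keys are touched
  mkdir -m 700 "$1"
  export GNUPGHOME="$1"
}

escrow_demo() {
  work=$(mktemp -d)
  # Step 1: IT generates the key with a random passphrase (hypothetical user alice@example.com).
  escrow_pass=$(head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n')
  new_home "$work/it"
  $GPG --passphrase "$escrow_pass" \
    --quick-generate-key "Alice <alice@example.com>" default default never >/dev/null
  fpr=$($GPG --with-colons --list-secret-keys | awk -F: '$1=="fpr"{print $10; exit}')
  # Step 2: IT backs up the secret key. The export stays encrypted under escrow_pass, so the
  # backup is only as safe as the place IT stores it and the passphrase record.
  $GPG --passphrase "$escrow_pass" --armor --export-secret-keys "$fpr" > "$work/escrow-backup.asc"
  gpgconf --kill gpg-agent
  # Step 3: the user imports the key into her own keyring and encrypts company data with it.
  # If she now changes her passphrase, only her local copy is re-protected; the key pair and
  # the escrow copy are unchanged, which is also why a leaked secret key needs a new key, not
  # just a new passphrase.
  new_home "$work/alice"
  $GPG --passphrase "$escrow_pass" --import "$work/escrow-backup.asc"
  printf 'quarterly report\n' > "$work/report.txt"
  $GPG --trust-model always --recipient alice@example.com \
    --output "$work/report.gpg" --encrypt "$work/report.txt"
  gpgconf --kill gpg-agent
  # Step 4: the user leaves; her keyring and her passphrase go with her.
  rm -rf "$work/alice"
  # Step 5: IT restores the escrowed key into a fresh keyring and decrypts with the original
  # passphrase. Files encrypted to this key stay readable only while this secret key exists.
  new_home "$work/recovery"
  $GPG --passphrase "$escrow_pass" --import "$work/escrow-backup.asc"
  $GPG --passphrase "$escrow_pass" --decrypt "$work/report.gpg"   # prints: quarterly report
  gpgconf --kill gpg-agent
  rm -rf "$work"
}
```

Source the file and call `escrow_demo`; it prints the recovered plaintext on stdout, and everything it touches lives under a temporary directory that it removes at the end.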