IT Department having the secure key.

David Shaw dshaw at JABBERWOCKY.COM
Mon Jul 27 16:33:23 CEST 2009 

On Jul 27, 2009, at 5:25 AM, arcintl wrote:

> i wish to setup GNUpg for my work (i am the IT Administrator) but i  
> have a
> few questions.
>
> First: if the user creates a key and then leaves the company. assuming
> he/she didnt tell anyone the pass phrase and was the only key used,  
> are
> those files locked for ever?

If "locked" you mean "unavailable to anyone other than a keyholder"  
then yes, they are effectively locked forever.

(Assuming you mean that the user actually encrypted the files - just  
creating a key doesn't encrypt files, of course).

> if this is so my idea was the IT department (i.e. me) create the  
> keys for
> all my users and use a complete random password for all, then backup  
> those
> keys. then issue them to the user and allow them to change the pass  
> phrase
> to something they prefer. then if the user leaves we can use the  
> originally
> backed up key with the original password to decrypt the files they
> encrypted.
>
> will this work? i know it may sound like a security risk and ruin  
> the whole
> point of encrypting in the first place but this is the only way i  
> can think
> of safe gaurding the companies data (not users data).

This will work (it's basically key escrow).  It's a risk (keep track  
of your backups!), but everything carries some level of risk.  The  
trick is to manage your level of risk to what you are comfortable with.

Note that schemes like this presume an honest user from the start.   
They are not effective against a malicious employe who wants to cause  
harm (which is not necessarily an issue, but worth mentioning).

> Also have another question.
>
> if a users key is compromised i.e. someone knows their pass phrase.  
> should
> the user just change the pass phrase or should a new key be generated?

It depends.  If only the passphrase is compromised (i.e. the attacker  
didn't get the key file also) then changing the passphrase is  
sufficient.  If the attacker got both the key and the passphrase, then  
a new key must be generated.  The problem here (alas) is that it is  
often difficult to tell whether an attacker got just the passphrase,  
just the key file, or both.  It's often easier and more prudent to  
assume that if the attacker got anything, they got both.

David

More information about the Gnupg-users mailing list