IT Department having the secure key.
faramir.cl at gmail.com
Mon Jul 27 19:50:11 CEST 2009
> First: if the user creates a key and then leaves the company, assuming
> he/she didn't tell anyone the pass phrase and it was the only key used, are
> those files locked for ever?
Right, without access to the secret key, it is not possible to decrypt
> If this is so, my idea was that the IT department (i.e. me) creates the keys for
> all my users and uses a completely random password for all, then backs up those
> keys, then issues them to the users and allows them to change the pass phrase
> to something they prefer. Then if the user leaves we can use the originally
> backed up key with the original password to decrypt the files they
I think that is called key escrow. To prevent abuse on the backup,
maybe you can keep it encrypted with symmetric encryption, and maybe use
a secret sharing scheme, like Shamir's Secret Sharing Scheme
Take a look at http://point-at-infinity.org/ssss/ and at
> Will this work? I know it may sound like a security risk and ruin the whole
> point of encrypting in the first place, but this is the only way I can think
> of safeguarding the company's data (not users' data).
Well, I think while the backup is stored safely, it would not be too
risky... but what if the one knowing the passphrase of the backup leaves
the company? That's why I suggested using something like SSSS.
> Also, I have another question.
> If a user's key is compromised, i.e. someone knows their pass phrase, should
> the user just change the pass phrase or should a new key be generated? And
> if a new key is needed, will all the files that were encrypted with the old
> key be in danger of being decrypted, or be totally useless without the old key?
I think (but I may be wrong) that it is suggested to revoke the key
and generate a new one, just in case.
By the way, it is a good idea not to delete revoked keys; they will
be needed to decrypt files (or messages) encrypted to that old key...