IT Department having the secure key.

Faramir at
Mon Jul 27 19:50:11 CEST 2009

arcintl wrote:
> First: if the user creates a key and then leaves the company, assuming
> he/she didn't tell anyone the pass phrase and it was the only key used, are
> those files locked for ever?

  Right, without access to the secret key, it is not possible to decrypt
the files.

> If this is so, my idea was the IT department (i.e. me) create the keys for
> all my users and use a completely random password for all, then back up those
> keys. Then issue them to the user and allow them to change the pass phrase
> to something they prefer. Then if the user leaves we can use the originally
> backed up key with the original password to decrypt the files they
> encrypted.

  I think that is called key escrow. To prevent abuse of the backup,
maybe you can keep it encrypted with symmetric encryption, and maybe use
a secret sharing scheme, like Shamir's Secret Sharing Scheme.

  Take a look at and at

> Will this work? I know it may sound like a security risk and ruin the whole
> point of encrypting in the first place, but this is the only way I can think
> of safeguarding the company's data (not users' data).

  Well, I think while the backup is stored safely, it would not be too
risky... but what if the one knowing the passphrase of the backup leaves
the company? That's why I suggested using something like SSSS.

> Also have another question.
> If a user's key is compromised, i.e. someone knows their pass phrase, should
> the user just change the pass phrase or should a new key be generated? And
> if a new key is needed, will all the files that were encrypted with the old
> key be in danger of being decrypted, or be totally useless without the old key?

  I think (but I may be wrong) that it is suggested to revoke the key
and generate a new one, just in case.

  By the way, it is a good idea not to delete revoked keys; they will
be needed to decrypt files (or messages) encrypted to that old key...

  Best Regards