Questions about "--group" for group encryptions.

John W. Moore III jmoore3rd at
Sat Feb 20 05:31:50 CET 2010


Zy Zylek wrote:
> I'm looking for a way to include a group of people in gpg file
> encryption/decryption (not email-based, just gpg encrypted files)
> without having to incorporate individual names, yet also such that more
> people can be added to the group in the future and that they will be
> able to access previously encrypted files because they joined the group
> after the old files were encrypted.

> I found on a google search the following information someone provided
> regarding adding a line to the gpg.conf file:
> *group name_you_want_to_use = keyid1 keyid2 keyid3 keyid4*
> That is a little confusing.
> Does that mean that people with their own individual keys can be added
> or removed from the group?
> Does the group have its own key?

No, in this instance the File, Email, etc. is encrypted to each of the
Keys listed in the Group Line.

> If an individual's key is in the group then can they decrypt files that
> have been encrypted before they joined the group using the "group key"
> as recipient?

No.  There is _no_ Group Key.  An individual can only decrypt those
Files encrypted to their Public Key so it must be present in the Group
Line at the time of Encryption.

> But if their key has been removed from the group then can they still
> decrypt previous files that were encrypted using the "group key" as
> recipient?

See Above.  Again, there is NO Group Key.  Files are encrypted to every
Key specified at the time of Encryption in the gpg.conf 'Group Line'.

> If I add people to a group via gpg.conf (using the line in bold type
> font above), and if I later want to add only one person to the group,
> can I add them with the gpg command with option "--group name=value1" or
> must I re-enter all of the previous keys in addition to the new one?

Just add their Key ID to the end of the existing Line.  Alternatively,
if/when they leave the Group simply remove their Key ID from the 'Group

> If I want to remove only one person from the group, can I do that with
> either the gpg command and "--ungroup name" or alternately remove their
> key/name from the line in the gpg.conf file?

See previous answer.

> Do I have to add their public key to my keyring before I can add their
> key to the group?

Yes.  If You do not have their Key in Your Keyring there is no Key to
encrypt to.

Additionally, unless You also have the --trust-model always flag set
then You will need to lsign each Key in the Group Line to prevent GPG
from asking You if You really want to encrypt to each 'untrusted Key'.

> If a "group key" (a singular "group recipient") can be created through
> either "--group" or the group line in the gpg.conf, and if I create a
> group, then will only I have administrative control over who is
> added/removed from the group, or will anybody in the group be able to
> add/remove anybody from the group?

Additions & Subtractions from the Group Encryption will need to be
managed by _every_ individual Encrypting to the Group.

A 'Group Key' is generally recognized as a single Keypair of which every
Member of the Group has both the Public & Private part.  With a 'Group
Key' everyone Encrypts to and Decrypts with the Group Keypair.

Timestamp: Friday 19 Feb 2010, 23:31  --500 (Eastern Standard Time)
Version: GnuPG v1.4.10 (MingW32)


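As an added example, not part of this thread or of GnuPG itself: a small Python model of the behaviour John describes above. It parses `group` lines the way the gpg documentation says they are handled (same-named lines merge into one group, the name is matched case-insensitively, values are split on whitespace, and there is only one level of expansion; this is an assumption about gpg's behaviour, not gpg's own parser), expands a recipient such as `-r finance` to the member key IDs, and records, as a real `.gpg` file does, the recipient keys that were fixed at encryption time. The key IDs and gpg.conf fragments are constructed. It goes one step beyond the thread with `locked_out()`, which lists the current group members who cannot read an older file and therefore need it re-encrypted.

```python
import re
from dataclasses import dataclass


def parse_groups(conf_text):
    """Collect `group NAME = KEY KEY ...` lines from gpg.conf text into
    {name: [key ids]}.  Modelled on gpg's documented handling (an assumption,
    not a copy of gpg's parser): same-named lines merge into one group, the
    name is matched case-insensitively, values are split on whitespace, and
    values are never expanded again (no group inside a group)."""
    groups = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"group\s+([^=]+?)\s*=\s*(.*)$", line)
        if m is None:
            if line.split()[0] == "group":
                raise ValueError(f"group line without '=': {line!r}")
            continue  # some other gpg.conf option; not our concern here
        members = groups.setdefault(m.group(1).lower(), [])
        for keyid in m.group(2).split():
            if keyid not in members:
                members.append(keyid)
    return groups


def expand_recipients(recipients, groups):
    """Expand -r/--recipient arguments: a group name becomes its members
    (one level only); anything else is taken as a key id, unchanged."""
    out = []
    for r in recipients:
        for keyid in groups.get(r.lower(), [r]):
            if keyid not in out:
                out.append(keyid)
    return out


@dataclass(frozen=True)
class EncryptedFile:
    """Stand-in for a .gpg file: the session key is wrapped once per
    recipient key, and that list is fixed when the file is written
    (`gpg --list-packets file.gpg` shows one ':pubkey enc packet:' per key)."""
    name: str
    recipients: frozenset


def encrypt(name, recipients, groups):
    return EncryptedFile(name, frozenset(expand_recipients(recipients, groups)))


def can_decrypt(encrypted, keyid):
    """A key opens the file only if it was a recipient at encryption time."""
    return keyid in encrypted.recipients


def locked_out(encrypted, groups, group_name):
    """Current members of a group who cannot read an older file, i.e. people
    added after it was encrypted.  Giving them access means re-encrypting
    the file to the current group using a key that can still open it."""
    current = set(groups.get(group_name.lower(), []))
    return sorted(current - encrypted.recipients)


# Constructed key ids and gpg.conf fragments (not real keys).
ALICE, BOB, CAROL = "0xA1A1A1A1A1A1A1A1", "0xB2B2B2B2B2B2B2B2", "0xC3C3C3C3C3C3C3C3"
CONF_ORIGINAL = f"""# constructed gpg.conf fragment
group finance = {ALICE} {BOB}
"""
# Carol added later on a second line: gpg merges it into the same group.
CONF_WITH_CAROL = CONF_ORIGINAL + f"group finance = {CAROL}\n"
# Bob removed afterwards.
CONF_WITHOUT_BOB = f"group finance = {ALICE} {CAROL}\n"


def demo():
    """Walk through the thread's questions on the constructed config."""
    old_file = encrypt("q1-report.gpg", ["finance"], parse_groups(CONF_ORIGINAL))
    with_carol = parse_groups(CONF_WITH_CAROL)
    after_removal = encrypt("q3-report.gpg", ["finance"], parse_groups(CONF_WITHOUT_BOB))
    return {
        # Joined after the file was written: no wrapped session key for Carol.
        "carol_reads_old_file": can_decrypt(old_file, CAROL),
        # Removal edits only gpg.conf; the old file still carries Bob's packet.
        "bob_reads_old_file_after_removal": can_decrypt(old_file, BOB),
        # Files written after the removal no longer include Bob.
        "bob_reads_new_file_after_removal": can_decrypt(after_removal, BOB),
        # Who needs the old file re-encrypted to catch up with the group.
        "needs_reencryption_for": locked_out(old_file, with_carol, "finance"),
        # Group names match case-insensitively; all three get the new file.
        "new_file_recipients": sorted(encrypt("q2-report.gpg", ["Finance"], with_carol).recipients),
    }


if __name__ == "__main__":
    for question, answer in demo().items():
        print(f"{question}: {answer}")
```

On a real file the same check is `gpg --list-packets file.gpg`: every key the file was encrypted to appears as its own `:pubkey enc packet:` line, and a key ID that is absent there cannot be helped by any later edit to the group line. The model does not cover the trust prompt John mentions; with gpg itself each member key still needs to be lsigned or `--trust-model always` set before the group encrypts without interaction.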