Add/remove recipient without re-encrypting

David Shaw dshaw at
Thu Feb 3 16:02:56 CET 2011

On Feb 3, 2011, at 9:38 AM, Alphazo wrote:

> Is it possible to add or remove a recipient to an already encrypted file and thus without re-encrypting the whole file?
> From what I understand GnuPG encrypts the payload (my binary file) with a symmetric session key. Then it stores each recipient key ID (optional) as well as an encrypted version of the session key using the public key of the recipient (asymmetric encryption).

You understand correctly.

> Assuming I own the private key of one of the original recipients, could GnuPG decrypt the session key and add/remove new recipients to the existing file?

This is technically possible, but GnuPG doesn't have it as a feature.  You could use the 'gpgsplit' tool that comes with GnuPG to *remove* recipients by splitting the file into its packets, deleting the packet for the recipient you want to get rid of, and then using cat to put the packets together.  Adding new recipients is more difficult, though you could probably hack it into GnuPG if you really wanted it.
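
The packet layout discussed in this thread, as an added example that is not part of the original post and is not GnuPG or gpgsplit code: a Python sketch that walks the leading session-key packets of a binary (non-armored) OpenPGP message and rebuilds it without one recipient's packet. It assumes RFC 4880 packet framing and version-3 public-key encrypted session key packets; the function names and the sample bytes are constructed for illustration.

```python
PKESK, SKESK = 1, 3  # session-key packet tags; these precede the encrypted data

def read_header(buf, pos):
    """Return (tag, body_start, body_len) for the packet starting at pos."""
    first = buf[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:                          # new-format header
        tag, o1 = first & 0x3F, buf[pos + 1]
        if o1 < 192:
            return tag, pos + 2, o1
        if o1 < 224:
            return tag, pos + 3, ((o1 - 192) << 8) + buf[pos + 2] + 192
        if o1 == 255:
            return tag, pos + 6, int.from_bytes(buf[pos + 2:pos + 6], "big")
        return tag, pos + 2, None             # partial body length
    tag, ltype = (first >> 2) & 0x0F, first & 0x03    # old-format header
    if ltype == 3:
        return tag, pos + 1, None             # indeterminate length
    n = 1 << ltype                            # 1, 2 or 4 length octets
    return tag, pos + 1 + n, int.from_bytes(buf[pos + 1:pos + 1 + n], "big")

def split_message(buf):
    """Return ([(tag, raw_packet), ...] for leading session-key packets, rest)."""
    pos, keys = 0, []
    while pos < len(buf):
        tag, start, length = read_header(buf, pos)
        if tag not in (PKESK, SKESK) or length is None:
            break                             # encrypted data starts here, kept verbatim
        keys.append((tag, buf[pos:start + length]))
        pos = start + length
    return keys, buf[pos:]

def pkesk_key_id(raw):
    """Hex key ID of a version-3 PKESK packet (body: version, 8-byte key ID, ...)."""
    _, start, _ = read_header(raw, 0)
    return raw[start + 1:start + 9].hex().upper()

def drop_recipient(buf, key_id):
    """Rebuild the message without the PKESK packet addressed to key_id."""
    keys, rest = split_message(buf)
    kept = [raw for tag, raw in keys
            if not (tag == PKESK and pkesk_key_id(raw) == key_id.upper())]
    return b"".join(kept) + rest

def make_pkesk(key_id_hex):                   # constructed packet, dummy key material
    body = b"\x03" + bytes.fromhex(key_id_hex) + b"\x01" + b"\x00\x08\xAA"
    return bytes([0x84, len(body)]) + body    # 0x84: old format, tag 1, 1-octet length

SAMPLE = make_pkesk("1111111111111111") + make_pkesk("2222222222222222") + b"\xD2\x05\x01data"
```

Dropping a packet leaves the payload encrypted under the same session key, so a removed recipient who kept a copy of the original file or of the session key can still decrypt it. Messages created with hidden recipients carry an all-zero key ID in these packets and cannot be matched this way.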

