Setting up shared access to gpg on a UNIX server
    DUELL, BOB
    bd9439 at att.com
    Thu Jan 30 02:14:17 CET 2014
Hi,
I'm looking for advice and comments about how I have set up a "shared" environment on our UNIX server for gpg operations.  What I have certainly works but I thought I'd ask for any comments, suggestions, or criticism.
I have gpg version 1.4.14 installed on my server.
I have a large number of users who exchange encrypted files with external vendors.  Users in my group come and go all the time.  On my server, I created a directory named /opt/app/apps/dbmprod/gpg and set the permissions to global access (777).  In that directory, I created a gpg instance and created a "group" key without a passphrase (DBMktg).  The public key is sent to each vendor as an email attachment when we establish the file exchange procedure.
I also added the public keys from all our vendors.  I set the permission on all the files in this directory to allow global "read" access (744). 
Set up this way, any user on the system can decrypt a file intended for us using a command like this:
gpg --homedir /opt/app/apps/dbmprod/gpg --batch --no-tty --quiet \
    --local-user "DBMktg" \
    --output <output-file> \
    --decrypt <input-file>
And to encrypt a file to a particular vendor, we use this:
gpg --homedir /opt/app/apps/dbmprod/gpg --batch \
    --recipient <vendor-ID> \
    --encrypt <input-file>
As I said, this has worked well for us for several years. The main advantage is that I don't need to teach any of the other users about gpg and have a central point to contain all the keys from the many vendors we support.  I only need to show users the above two command sequences and they can go on about their business.
I suppose that my use of a private key without a passphrase might be of some concern, but I never figured out a better way to do this.  In other words, if the single key required a passphrase, I'd have to give out that passphrase to everyone, so what would be the point?
I will appreciate any and all comments.  If there is a "better way" to do this, I'd love to learn.
Bob
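As an added illustration of the two permission choices the post describes (a 777 homedir and a world-readable secring.gpg), not code from the original post or from GnuPG: a small POSIX sh audit that flags those modes on a GnuPG 1.4 homedir, plus a helper that confines the homedir to one UNIX group instead of every account on the host. It assumes a find with -prune and -perm and the GnuPG 1.4 file names secring.gpg, pubring.gpg and trustdb.gpg.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes POSIX sh, find with
# -prune/-perm, and the GnuPG 1.4 homedir layout (secring.gpg, pubring.gpg,
# trustdb.gpg).

# Returns 0 when no weakness is found, 1 otherwise; prints each finding.
gpg_homedir_audit() {
    dir=$1
    findings=0
    [ -d "$dir" ] || { echo "no such directory: $dir"; return 2; }
    # 777 on the homedir (mode bit 002 = others may write) lets any local
    # account replace pubring.gpg or trustdb.gpg, i.e. swap a vendor's key.
    if [ -n "$(find "$dir" -prune -perm -002)" ]; then
        echo "WARN homedir is world-writable: $dir"
        findings=$((findings + 1))
    fi
    # 744 on secring.gpg (mode bit 004 = others may read) hands the
    # passphrase-less group private key to every account on the host.
    if [ -f "$dir/secring.gpg" ] && [ -n "$(find "$dir/secring.gpg" -prune -perm -004)" ]; then
        echo "WARN secring.gpg is world-readable"
        findings=$((findings + 1))
    fi
    # Anything others may write allows key substitution or config tampering.
    for f in pubring.gpg trustdb.gpg gpg.conf; do
        if [ -e "$dir/$f" ] && [ -n "$(find "$dir/$f" -prune -perm -002)" ]; then
            echo "WARN $f is world-writable"
            findings=$((findings + 1))
        fi
    done
    echo "findings: $findings"
    [ "$findings" -eq 0 ]
}

# Restrict the homedir to one UNIX group (hypothetical group name passed
# as $2): setgid directory so new files inherit the group, rw for the
# group, nothing at all for others.
gpg_homedir_harden() {
    dir=$1 grp=$2
    chgrp -R "$grp" "$dir" || return 1
    chmod 2770 "$dir" || return 1
    find "$dir" -type f -exec chmod 660 {} \;
}
```

Users who need the shared key then only have to be members of that group, which is also the list to prune when people leave. GnuPG 1.4 may still print its "unsafe permissions" warning for a group-accessible homedir; its --no-permission-warning option silences that message.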