Setting up shared access to gpg on a UNIX server
bd9439 at att.com
Thu Jan 30 02:14:17 CET 2014
I'm looking for advice and comments about how I have set up a "shared" environment on our UNIX server for gpg operations. What I have certainly works but I thought I'd ask for any comments, suggestions, or criticism.
I have gpg version 1.4.14 installed on my server.
I have a large number of users who exchange encrypted files with external vendors. Users in my group come and go all the time. On my server, I created a directory named /opt/app/apps/dbmprod/gpg and set the permissions to global access (777). In that directory, I created a gpg instance and created a "group" key without a passphrase (DBMktg). The public key is sent to each vendor as an email attachment when we establish the file exchange procedure.
I also added the public keys from all our vendors. I set the permission on all the files in this directory to allow global "read" access (744).
Set up this way, any use on the system can decrypt a file intended for use using a command like this:
gpg --homedir /opt/app/apps/dbmprod/gpg --batch --no-tty --quiet
And to encrypt a file to a particular vendor, we use this:
gpg --homedir /opt/app/apps/dbmprod/gpg --batch
As I said, this has worked well for use for several years. The main advantage is that I don't need to teach any of the other users about gpg and have a central point to contain all the keys from the many vendors we support. I only need to show users the above two command sequences and they can go on about their business.
I suppose that my use of a private key without a passphrase might be of some concern, but I never figured out a better way to do this. In other words, if the single key required a passphrase, I'd have to give out that passphrase to everyone, so what would be the point?
I will appreciate any and all comments. If there is a "better way" to do this, I'd love to learn.
More information about the Gnupg-users