Partial/fragmented decryption keys
Wiktor Kwapisiewicz
wiktor at metacode.biz
Mon Dec 9 21:40:27 CET 2019
Hi,
> I recall from the early days of PGP that there was a way to create a corporate key, fragmented into a certain number of portions, which would require some quorum to be able to perform decryption. I pored over the GnuPG documentation but could not find an equivalent. Perhaps I'm just getting the terminology wrong. Is this still possible in OpenPGP and therefore in GnuPG?
It is indeed not implemented in GnuPG.
In case you're curious about how it works in Symantec PGP, here's the
description:
https://support.symantec.com/us/en/article.HOWTO42097.html
and a video tutorial: https://www.youtube.com/watch?v=Q_Mpa8TOhU0
Symantec recommends this feature for "extremely high security keys" by
which I guess they mean designated revoker key or additional decryption
key. Their implementation seems to bring all private keys to one trusted
computer to reconstruct the combined key.
As others mentioned, there is a flag for marking an OpenPGP key as
"split" in the spec, so theoretically it could be implemented in free software.
One project that's close is DKGPG but mind that it "should NOT be used
in production environments". Check out the following links:
http://nongnu.org/dkgpg/
http://www.nongnu.org/libtmcg/kryptotag26_stamer_slides.pdf
Hope this helps!
Kind regards,
Wiktor
--
https://metacode.biz/@wiktor