Split private key in order to share among users

Alexander Kriegisch alexander at kriegisch.name
Sun Dec 20 07:49:19 CET 2020


The original PGP used to have this feature around 20 years ago already,
maybe some people remember. In the list archive I found two threads,
both several years old, asking about this feature in GnuPG, but there
were no conclusive answers, only workaround suggestions like splitting
the binary or ASCII key file or printing the password and sharing parts
of the passwords, neither of which satisfies the original requirements
covered by the original PGP functionality. Example:

I split a private key file with PGP into these shares:
  -- User A gets a piece of key worth 2 shares.
  -- User B gets a piece of key worth 2 shares.
  -- User C gets a piece of key worth 1 share.
  -- User D gets a piece of key worth 1 share.
  -- User E gets a piece of key worth 1 share.
  -- User F gets a piece of key worth 1 share.

I define that at least 5 shares are necessary to re-assemble a valid
decryption key, i.e. we need for example
  -- A + B + one other user
  -- C + D + E + either A or B
for decryption.

I.e. neither the 4 minor nor the 2 major users alone can decrypt, we
need at least 3 of 6 users and a majority of shares in order to decrypt.
I remember I used to use this in the past and it worked flawlessly. I
have no idea why this killer feature was omitted when implementing
GnuPG. But maybe I am missing something in the documentation. If anyone
knows how to do this using GnuPG or an alternative open source product,
I would like to hear about it. Please do not suggest inadequate
workarounds like the ones I mentioned above, which have previously
been discussed here.

Regards
-- 
Alexander Kriegisch
https://scrum-master.de
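The weighted threshold arrangement described in the post (A and B worth 2 shares each, C through F worth 1 each, any 5 shares sufficient) is exactly what a threshold secret-sharing scheme provides when a user of weight w is simply handed w distinct shares. The following is an added example, not code from the post, from GnuPG or from the original PGP implementation: Shamir's scheme over GF(2^8), one random degree-4 polynomial per secret byte, with the constant term being the secret byte. The secret here is a constructed stand-in for key material; the user names, `WEIGHTS` and `THRESHOLD` are taken from the post, and `split`, `collect` and `recover` are this example's own names.

```python
"""Weighted threshold sharing of a key with Shamir's scheme over GF(2^8).

Added example, not GnuPG code and not the original PGP implementation.
A user of weight w receives w distinct shares; any set of users whose
weights sum to at least the threshold can rebuild the secret, while a
smaller pool of shares carries no information about it.
"""
import secrets

# Weights and threshold from the post: A and B hold 2 shares each,
# C..F hold 1 each, and 5 shares are needed to reassemble the key.
WEIGHTS = {"A": 2, "B": 2, "C": 1, "D": 1, "E": 1, "F": 1}
THRESHOLD = 5


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """Inverse via a^254 (every non-zero element satisfies a^255 = 1)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def _eval(coeffs: list, x: int) -> int:
    """Horner evaluation of c0 + c1*x + c2*x^2 + ... at x."""
    r = 0
    for c in reversed(coeffs):
        r = gf_mul(r, x) ^ c
    return r


def split(secret: bytes, weights: dict, threshold: int) -> dict:
    """Return {user: [(x, threshold, share_bytes), ...]}, one tuple per unit of weight."""
    n = sum(weights.values())
    if not 1 <= threshold <= n <= 255:
        raise ValueError("need 1 <= threshold <= total shares <= 255")
    # One random polynomial of degree threshold-1 per secret byte; constant term = that byte.
    polys = [[b] + [secrets.randbelow(256) for _ in range(threshold - 1)] for b in secret]
    holdings, x = {}, 1
    for user, w in weights.items():
        holdings[user] = []
        for _ in range(w):  # a weight-2 user gets two distinct evaluation points
            holdings[user].append((x, threshold, bytes(_eval(p, x) for p in polys)))
            x += 1
    return holdings


def collect(holdings: dict, users) -> list:
    """Pool every share held by the named users."""
    return [s for u in users for s in holdings[u]]


def recover(shares: list) -> bytes:
    """Lagrange interpolation at x = 0, byte by byte; refuses an undersized pool."""
    threshold = shares[0][1]
    points = {x: y for x, t, y in shares if t == threshold}
    if len(points) < threshold:
        raise ValueError(f"{len(points)} shares pooled, {threshold} required")
    xs = list(points)[:threshold]
    out = bytearray()
    for i in range(len(points[xs[0]])):
        acc = 0
        for xi in xs:
            # Basis polynomial at 0: prod over j != i of xj / (xj - xi); subtraction is XOR here.
            num, den = 1, 1
            for xj in xs:
                if xj != xi:
                    num, den = gf_mul(num, xj), gf_mul(den, xj ^ xi)
            acc ^= gf_mul(points[xi][i], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)


def demo() -> dict:
    """Run the post's scenarios on a constructed 32-byte secret; True = recovered."""
    secret = secrets.token_bytes(32)  # constructed stand-in for key material
    h = split(secret, WEIGHTS, THRESHOLD)
    cases = {"A+B+C": "ABC", "C+D+E+A": "CDEA", "A+B": "AB", "C+D+E+F": "CDEF"}
    results = {}
    for label, users in cases.items():
        try:
            results[label] = recover(collect(h, users)) == secret
        except ValueError:
            results[label] = False
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:8s} -> {'recovered' if v else 'insufficient shares'}")
```

Because the polynomial has degree 4, four or fewer evaluation points are consistent with every possible constant term, so A+B (4 shares) and C+D+E+F (4 shares) learn nothing; the explicit count check in `recover` only turns that silent garbage into an error. In practice the shares would be what is protected per user and the reconstructed bytes would be the key passphrase or raw key material that is then fed to the decryption step.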


