IT Department having the secure key.

David Shaw dshaw at JABBERWOCKY.COM
Mon Jul 27 16:34:12 CEST 2009


On Jul 27, 2009, at 8:29 AM, Daniel Kahn Gillmor wrote:

>> And: You can only encrypt the files for one key.  So only one user will have
>> access to the files (owns the files), as long as you don't share the keys.  For
>> example you can introduce company wide keys or department keys and distribute
>> them to anyone, who should have access.
>
> You actually can encrypt files to more than one OpenPGP key, so that
> anyone holding any of the recipient keys can decrypt the data.  Maybe
> this approach would be useful for the OP?
>
> If, as IT administrator, you have the opportunity to configure your
> users' ~/.gnupg/gpg.conf, you could add a line like
>
>  recipient 0xDEADBEEFDEADBEEF
>
> to specify that all encryptions will automatically be encrypted to a key
> that you retain for the kind of emergency recovery scenarios you describe.

I'd use "encrypt-to" instead of "recipient", but basically, yes, that  
will work.  It's a reasonably common solution for the problem.

This is similar in effect to PGP.com's additional decryption key (the  
ADK has better granularity as it works on a per-key basis, but the  
concept is the same).  However, note that this (and the ADK) both are  
only really effective with an honest user.  If a user wants to  
manipulate their key to remove the ADK (which is trivial) or edit  
their gpg.conf to remove the extra encrypt-to line, then you'd need a  
more central (and not under user control) way to guard against  
trouble.  For example, if we're just talking about email, you could  
tweak your mail server to check to see if the extra recipient was  
present and if not, reject the message, etc.  I believe the PGP folks  
have some variant of this ability, but you'd have to ask them for the  
details.

David
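An added example, not from the thread or from GnuPG: the server-side presence check David describes, done directly on the binary OpenPGP packets of a message rather than by shelling out to gpg. It assumes the escrow key ID 0xDEADBEEFDEADBEEF from the thread is the one on the users' `encrypt-to` line; the sample messages are constructed, with dummy session-key MPIs.

```python
import struct
ESCROW_KEY_ID = "DEADBEEFDEADBEEF"  # key ID from the thread; assumed to be the encrypt-to key

def _packets(data: bytes):
    """Yield (tag, body) for each RFC 4880 packet; old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:  # new-format header: tag in low 6 bits, variable-size length
            tag, b1 = ctb & 0x3F, data[i + 1]
            if b1 < 192:
                length, hdr = b1, 2
            elif b1 < 224:
                length, hdr = ((b1 - 192) << 8) + data[i + 2] + 192, 3
            elif b1 == 255:
                length, hdr = struct.unpack(">I", data[i + 2:i + 6])[0], 6
            else:  # partial body length: PKESKs precede the data, so stop here
                yield tag, data[i + 2:]
                return
        else:  # old-format header: tag in bits 5-2, length type in bits 1-0
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:  # indeterminate length runs to end of message
                yield tag, data[i + 1:]
                return
            size = (1, 2, 4)[ltype]
            length, hdr = int.from_bytes(data[i + 1:i + 1 + size], "big"), 1 + size
        yield tag, data[i + hdr:i + hdr + length]
        i += hdr + length

def pkesk_key_ids(data: bytes) -> list:
    """Recipient key IDs (hex) named by the message's v3 PKESK packets (tag 1)."""
    return [body[1:9].hex().upper() for tag, body in _packets(data)
            if tag == 1 and body[:1] == b"\x03"]  # v3: version, 8-byte key ID, algo, MPIs

def encrypted_to(data: bytes, key_id: str = ESCROW_KEY_ID) -> bool:
    """Presence check only: naming the key does not prove its session key decrypts."""
    return key_id.upper() in pkesk_key_ids(data)

def _pkesk(key_id_hex: str) -> bytes:
    """Constructed v3 PKESK with an old-format header and a dummy 1-octet RSA MPI."""
    body = b"\x03" + bytes.fromhex(key_id_hex) + b"\x01" + b"\x00\x01\x01"
    return bytes([0x84, len(body)]) + body

# Constructed samples: a made-up user key plus the escrow key, then a dummy SEIPD (tag 18).
# SAMPLE_MISSING is what a client with the encrypt-to line removed would produce.
SAMPLE_OK = _pkesk("0123456789ABCDEF") + _pkesk(ESCROW_KEY_ID) + b"\xD2\x01\x01"
SAMPLE_MISSING = _pkesk("0123456789ABCDEF") + b"\xD2\x01\x01"
```

A mail server applying this would reject `SAMPLE_MISSING`; a user who also wants to hide the escrow recipient behind an all-zero (anonymous) key ID defeats the check, which is why David notes the control must live outside the user's reach.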
