On 10/06/2010 01:19 PM, Benjamin Bressman wrote:
> If I use GnuPG to encrypt a file with multiple keys is it possible to
> remove one of those keys at a later date?
it's possible, but it's a bit clumsy. you could use gpgsplit to handle the situation:

  mkdir cleandir
  cd cleandir
  gpgsplit < "$message"
  rm 00000X-001.pk_enc    # make sure this is the one you want to remove!
  cat * > "$message"

if you're not sure which pk_enc packet is the one you want, you can see which key belongs to which with gpg --list-packets. If $keyID is the 16 hex-digit ID you want to strip out, then the following should work:

  for foo in *-001.pk_enc ; do
    if [ "$keyID" = \
         "$( gpg --list-packets < "$foo" | grep ^:pubkey | sed 's/.*keyid //' )" ]; then
      rm "$foo"
    fi
  done

(these scripts are untested -- please test and verify before using them in production!)

> Let's say I encrypt sensitive information so that three users could
> decrypt it, but one of those users leaves the organization at some
> point. Could I just remove that key's access to the file, or would I
> need to decrypt the file and then re-encrypt it with only the desired keys?

you could also do this, though it would require you knowing one of the keys. note that neither method will protect you if the user in question has a local copy of the encrypted file that still has the old info.

> I'm assuming the file encryption is symmetric using a "random" key, and
> then that "random" key is encrypted asymmetrically once for each of the
> multiple keys, but let me know if that's not the case.

yes, this is right. What you're calling the "random" key is known as the session key. Each of the *-001.pk_enc is a "Public-Key Encrypted Session Key Packet":

  http://tools.ietf.org/html/rfc4880#section-5.1

hth,

  --dkg
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
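The gpgsplit recipe in dkg's reply removes the unwanted pk_enc packet by splitting the file into one packet per file and deleting one of them. The following is an added example, not dkg's script and not GnuPG code, that does the same operation in Python by walking the OpenPGP packet structure directly: it splits a binary message into packets (RFC 4880 section 4.2, old- and new-format headers, including the partial body lengths gpg emits for the encrypted-data packet when it encrypts from a pipe), reads the 8-byte key ID out of each version-3 Public-Key Encrypted Session Key packet (section 5.1), drops the one addressed to the departed user, and writes every other packet back out byte-for-byte. The three-recipient message it builds is constructed sample data (placeholder key IDs, dummy MPI, dummy ciphertext), and the function and file names are this example's own. It expects binary input; dearmor an ASCII-armored file first with gpg --dearmor.

```python
"""Drop one recipient's Public-Key Encrypted Session Key (PKESK) packet from an
OpenPGP message: the packet-level equivalent of the gpgsplit recipe.
Added example, not GnuPG code. Assumes version-3 PKESK packets (RFC 4880 5.1)."""
import struct
import sys

PKESK_TAG = 1    # Public-Key Encrypted Session Key packet
SEIPD_TAG = 18   # Symmetrically Encrypted Integrity Protected Data packet


def _read_new_length(data, pos):
    """Decode a new-format length field; returns (length, next_pos, is_partial)."""
    b = data[pos]
    if b < 192:
        return b, pos + 1, False
    if b < 224:
        return ((b - 192) << 8) + data[pos + 1] + 192, pos + 2, False
    if b == 255:
        return struct.unpack(">I", data[pos + 1:pos + 5])[0], pos + 5, False
    return 1 << (b & 0x1F), pos + 1, True     # partial body length; more chunks follow


def split_packets(data):
    """Split a binary OpenPGP message into (tag, raw_packet_bytes, body_bytes) tuples."""
    packets, pos = [], 0
    while pos < len(data):
        start, ctb = pos, data[pos]
        pos += 1
        if not ctb & 0x80:
            raise ValueError("offset %d: not an OpenPGP packet header" % start)
        body = bytearray()
        if ctb & 0x40:                          # new-format header
            tag, partial = ctb & 0x3F, True
            while partial:
                length, pos, partial = _read_new_length(data, pos)
                body += data[pos:pos + length]
                pos += length
        else:                                   # old-format header (gpg uses it for PKESK)
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:                      # indeterminate length: body runs to end of input
                length = len(data) - pos
            else:
                width = (1, 2, 4)[ltype]
                length = int.from_bytes(data[pos:pos + width], "big")
                pos += width
            body += data[pos:pos + length]
            pos += length
        if pos > len(data):
            raise ValueError("offset %d: truncated packet" % start)
        packets.append((tag, data[start:pos], bytes(body)))
    return packets


def pkesk_keyid(body):
    """Key ID (16 upper-case hex digits) that a version-3 PKESK packet is addressed to."""
    if body[0] != 3:
        raise ValueError("unsupported PKESK version %d" % body[0])
    return body[1:9].hex().upper()


def list_recipients(message):
    """Key IDs of all PKESK packets, in message order (what gpg --list-packets reports)."""
    return [pkesk_keyid(body) for tag, _, body in split_packets(message) if tag == PKESK_TAG]


def strip_recipient(message, keyid):
    """Return (new_message, removed_count) with every PKESK for `keyid` dropped.
    All other packets, the ciphertext included, are copied through unchanged."""
    keyid = keyid.replace(" ", "").upper()[-16:]   # accept 0x prefix or a full v4 fingerprint
    kept, removed = [], 0
    for tag, raw, body in split_packets(message):
        if tag == PKESK_TAG and pkesk_keyid(body) == keyid:
            removed += 1
            continue
        kept.append(raw)
    return b"".join(kept), removed


# --- constructed sample data (placeholder key IDs, dummy MPI, dummy ciphertext) ---
def _pkesk(keyid_hex, mpi_value):
    """Build a v3 PKESK with an old-format header, the shape gpg emits."""
    body = b"\x03" + bytes.fromhex(keyid_hex) + b"\x01"          # version 3, key ID, algo 1 (RSA)
    body += struct.pack(">H", len(mpi_value) * 8) + mpi_value   # one MPI: bit length, then value
    return b"\x85" + struct.pack(">H", len(body)) + body        # 0x85: old format, tag 1, 2-octet length


SAMPLE_KEYIDS = ["0123456789ABCDEF", "FEDCBA9876543210", "0011223344556677"]
SAMPLE_SEIPD = (b"\xD2"                                  # new format, tag 18
                + b"\xE4" + bytes(range(16))             # partial chunk of 2**4 bytes
                + b"\x05" + b"\x01\x02\x03\x04\x05")     # final definite-length chunk


def sample_message():
    """Three-recipient message: three PKESK packets followed by the encrypted data."""
    return b"".join(_pkesk(k, b"\xab" * 32) for k in SAMPLE_KEYIDS) + SAMPLE_SEIPD


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: strip_pkesk.py IN.gpg OUT.gpg KEYID")
    with open(sys.argv[1], "rb") as f:
        stripped, n = strip_recipient(f.read(), sys.argv[3])
    with open(sys.argv[2], "wb") as f:
        f.write(stripped)
    print("removed %d packet(s); remaining: %s" % (n, ", ".join(list_recipients(stripped))))
```

Run it against a real file with `python3 strip_pkesk.py in.gpg out.gpg FEDCBA9876543210` and confirm with `gpg --list-packets out.gpg` that only the intended `:pubkey enc packet:` lines remain. The session key and ciphertext are not touched, which is exactly dkg's caveat: this only removes the ex-user's key from the copies you control, and any copy they already hold still decrypts with their key. Only re-encrypting with a fresh session key changes that, and only for data they never received.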