On Oct 6, 2010, at 1:19 PM, Benjamin Bressman wrote:

> If I use GnuPG to encrypt a file with multiple keys is it possible to
> remove one of those keys at a later date?
> 
> Let's say I encrypt sensitive information so that three users could
> decrypt it, but one of those users leaves the organization at some
> point. Could I just remove that key's access to the file, or would I
> need to decrypt the file and then re-encrypt it with only the desired keys?

You can remove a single key's access to the file, but it might not work the way 
you intended.

> I'm assuming the file encryption is symmetric using a "random" key, and
> then that "random" key is encrypted asymmetrically once for each of the
> multiple keys, but let me know if that's not the case.

That is correct.

An encrypted message consists of several OpenPGP packets, concatenated 
together.  So for example, if I encrypt a file to Alice, Baker, and Charlie's 
keys, I'll end up with something that looks like this (somewhat simplified - 
see RFC-4880 for the actual bits):

     (session key encrypted to Alice) + (session key encrypted to Baker) + 
(session key encrypted to Charlie) + (encrypted data)

If I wanted to remove Alice's access to the file, I could just strip off her 
packet, thus leaving:

     (session key encrypted to Baker) + (session key encrypted to Charlie) + 
(encrypted data)

Now, Alice won't be able to decrypt that file.  However (and this is the 
potential gotcha), it does not affect any copies of the file that Alice already 
has.  So if you encrypt your data for three users, and one of those users makes 
a copy of the encrypted file before you strip his access, that user can still 
decrypt since he's working off a copy that still has the session key encrypted 
to him.

Note that this isn't a problem specific to stripping a single key from a file.  
The same problem exists when re-encrypting to the remaining people.  Either 
way, if Alice makes a copy before you strip or re-encrypt, she has the file and 
can decrypt it.

David
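The packet surgery David describes can be done with a short walk over the message's packet headers. The following is an added example for this thread, not GnuPG code: it parses RFC 4880 packet headers (old and new format), lists the key IDs of the Public-Key Encrypted Session Key packets, and rebuilds the message without the packet for one key ID. The three-recipient message at the bottom is constructed dummy data with made-up key IDs and filler bytes in place of real RSA output; it has the right packet framing but is not real ciphertext.

```python
"""Walk the packets of a binary OpenPGP message and drop the PKESK packet
for one recipient.  Added example for the thread above; not GnuPG code."""
import struct

TAG_PKESK = 1   # Public-Key Encrypted Session Key (RFC 4880 5.1)
TAG_SEIPD = 18  # Sym. Encrypted Integrity Protected Data (RFC 4880 5.13)


def _parse_header(msg, off):
    """Parse one packet header at msg[off]; return (tag, body_start, body_end).
    Handles old- and new-format headers (RFC 4880 4.2). Partial-body and
    indeterminate lengths (streamed output) are rejected, not guessed at."""
    b = msg[off]
    if not b & 0x80:
        raise ValueError("not an OpenPGP packet header at offset %d" % off)
    if b & 0x40:                      # new-format header
        tag = b & 0x3F
        l1 = msg[off + 1]
        if l1 < 192:
            length, hdr = l1, 2
        elif l1 < 224:
            length, hdr = ((l1 - 192) << 8) + msg[off + 2] + 192, 3
        elif l1 == 255:
            length, hdr = struct.unpack(">I", msg[off + 2:off + 6])[0], 6
        else:
            raise ValueError("partial body length not supported")
    else:                             # old-format header
        tag = (b >> 2) & 0x0F
        ltype = b & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        n = (1, 2, 4)[ltype]
        length = int.from_bytes(msg[off + 1:off + 1 + n], "big")
        hdr = 1 + n
    start = off + hdr
    end = start + length
    if end > len(msg):
        raise ValueError("packet runs past end of message")
    return tag, start, end


def packets(msg):
    """Yield (tag, header_start, body_start, body_end) for every packet."""
    off = 0
    while off < len(msg):
        tag, start, end = _parse_header(msg, off)
        yield tag, off, start, end
        off = end


def recipients(msg):
    """Uppercase hex key IDs of every PKESK packet, in message order."""
    out = []
    for tag, _, start, _ in packets(msg):
        if tag == TAG_PKESK:
            if msg[start] != 3:       # v3 PKESK: version, 8-byte key ID, algo
                raise ValueError("unsupported PKESK version")
            out.append(msg[start + 1:start + 9].hex().upper())
    return out


def strip_recipient(msg, keyid_hex):
    """Return msg without the PKESK packet addressed to keyid_hex.
    Every other packet, including the encrypted data, is copied byte-for-byte."""
    want = bytes.fromhex(keyid_hex)
    kept, removed, remaining = bytearray(), 0, 0
    for tag, hstart, start, end in packets(msg):
        if tag == TAG_PKESK and msg[start + 1:start + 9] == want:
            removed += 1
            continue
        if tag == TAG_PKESK:
            remaining += 1
        kept += msg[hstart:end]
    if removed == 0:
        raise ValueError("no session-key packet for key %s" % keyid_hex)
    if remaining == 0:
        raise ValueError("refusing to strip the last recipient")
    return bytes(kept)


# --- constructed sample message: made-up key IDs, filler instead of RSA ---
def _pkesk(keyid_hex, blob, old_format=False):
    """Build a v3 PKESK packet (algo 1 = RSA) carrying one MPI of `blob`."""
    body = b"\x03" + bytes.fromhex(keyid_hex) + b"\x01"
    body += struct.pack(">H", len(blob) * 8) + blob    # MPI: bit count + bytes
    if old_format:
        hdr = bytes([0x80 | (TAG_PKESK << 2), len(body)])  # 1-octet length
    else:
        hdr = bytes([0xC0 | TAG_PKESK, len(body)])
    return hdr + body

ALICE, BAKER, CHARLIE = "0123456789ABCDEF", "1111222233334444", "AAAABBBBCCCCDDDD"
SAMPLE = (_pkesk(ALICE, b"\xA1" * 16)
          + _pkesk(BAKER, b"\xB2" * 16, old_format=True)
          + _pkesk(CHARLIE, b"\xC3" * 16)
          + bytes([0xC0 | TAG_SEIPD, 9]) + b"\x01" + b"\xEE" * 8)

if __name__ == "__main__":
    print("before:", recipients(SAMPLE))
    print("after: ", recipients(strip_recipient(SAMPLE, ALICE)))
```

The encrypted-data packet is left untouched because the session-key packets sit outside it; nothing in the message binds the list of PKESK packets to the data, which is exactly why a copy taken before the strip stays decryptable by the removed key, as the reply points out.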


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users