Hi,

I'm looking for advice and comments about how I have set up a "shared" 
environment on our UNIX server for gpg operations.  What I have certainly works 
but I thought I'd ask for any comments, suggestions, or criticism.

I have gpg version 1.4.14 installed on my server.

I have a large number of users who exchange encrypted files with external 
vendors.  Users in my group come and go all the time.  On my server, I created 
a directory named /opt/app/apps/dbmprod/gpg and set the permissions to global 
access (777).  In that directory, I created a gpg instance and created a 
"group" key without a passphrase (DBMktg).  The public key is sent to each 
vendor as an email attachment when we establish the file exchange procedure.

I also added the public keys from all our vendors.  I set the permission on all 
the files in this directory to allow global "read" access (744). 

Set up this way, any user on the system can decrypt a file intended for us 
using a command like this:

gpg --homedir /opt/app/apps/dbmprod/gpg --batch --no-tty --quiet \
    --local-user "DBMktg" \
    --output <output-file> \
    --decrypt <input-file>

And to encrypt a file to a particular vendor, we use this:

gpg --homedir /opt/app/apps/dbmprod/gpg --batch \
    --recipient <vendor-ID> \
    --encrypt <input-file>

As I said, this has worked well for us for several years. The main advantage 
is that I don't need to teach any of the other users about gpg and have a 
central point to contain all the keys from the many vendors we support.  I only 
need to show users the above two command sequences and they can go on about 
their business.

I suppose that my use of a private key without a passphrase might be of some 
concern, but I never figured out a better way to do this.  In other words, if 
the single key required a passphrase, I'd have to give out that passphrase to 
everyone, so what would be the point?

I will appreciate any and all comments.  If there is a "better way" to do this, 
I'd love to learn.

Bob


_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
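An added example (not part of the post above, and not GnuPG's own tooling): a POSIX sh audit of a shared GnuPG 1.4 homedir laid out the way the post describes (directory 777, keyring files 744), beside a constructed "hardened" layout that restricts the same files to a dedicated group. The file names (pubring.gpg, secring.gpg, trustdb.gpg) are GnuPG 1.4's defaults; the demo directories are created under mktemp and are assumptions for illustration only.

```shell
#!/bin/sh
# audit_gpg_homedir DIR: print one FINDING line per problem a co-located
# local user could exploit, and return 0 only when there are none.
audit_gpg_homedir() {
    dir=$1
    findings=0

    # World-writable homedir: anyone on the host can swap pubring.gpg
    # (replace a vendor key with their own) or drop a gpg.conf.
    if [ -n "$(find "$dir" -prune -perm -o=w -print)" ]; then
        echo "FINDING: $dir is world-writable (keyrings/config can be replaced)"
        findings=$((findings + 1))
    fi

    # World-readable secret keyring: with no passphrase on the key, a copy
    # of secring.gpg is a fully usable copy of the group key.
    if [ -f "$dir/secring.gpg" ] &&
       [ -n "$(find "$dir/secring.gpg" -perm -o=r -print)" ]; then
        echo "FINDING: $dir/secring.gpg is world-readable (key can be copied)"
        findings=$((findings + 1))
    fi

    # Any individual file writable by others (pubring.gpg, trustdb.gpg, ...).
    for f in $(find "$dir" -type f -perm -o=w -print); do
        echo "FINDING: $f is world-writable"
        findings=$((findings + 1))
    done

    [ "$findings" -eq 0 ]
}

# make_demo: constructed sample layouts; prints the base directory.
# as_posted mirrors the post (777 dir, 744 files); hardened uses a
# setgid group directory (2770) and group-only files (660/640).
make_demo() {
    base=$(mktemp -d)
    mkdir "$base/as_posted" && chmod 777 "$base/as_posted"
    mkdir "$base/hardened" && chmod 2770 "$base/hardened"
    for f in pubring.gpg secring.gpg trustdb.gpg; do
        : > "$base/as_posted/$f" && chmod 744 "$base/as_posted/$f"
        : > "$base/hardened/$f"  && chmod 660 "$base/hardened/$f"
    done
    chmod 640 "$base/hardened/secring.gpg"
    echo "$base"
}
```

The hardened layout only removes "other" access; every member of the group can still copy the passphrase-less secring.gpg, which is the limit of what file permissions can do for this design.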