Hi,
I'm looking for advice and comments about how I have set up a "shared"
environment on our UNIX server for gpg operations. What I have certainly works
but I thought I'd ask for any comments, suggestions, or criticism.
I have gpg version 1.4.14 installed on my server.
I have a large number of users who exchange encrypted files with external
vendors. Users in my group come and go all the time. On my server, I created
a directory named /opt/app/apps/dbmprod/gpg and set the permissions to global
access (777). In that directory, I created a gpg instance and created a
"group" key without a passphrase (DBMktg). The public key is sent to each
vendor as an email attachment when we establish the file exchange procedure.
I also added the public keys from all our vendors. I set the permission on all
the files in this directory to allow global "read" access (744).
Set up this way, any user on the system can decrypt a file intended for us
using a command like this:
gpg --homedir /opt/app/apps/dbmprod/gpg --batch --no-tty --quiet \
    --local-user "DBMktg" \
    --output <output-file> \
    --decrypt <input-file>
And to encrypt a file to a particular vendor, we use this:
gpg --homedir /opt/app/apps/dbmprod/gpg --batch \
    --recipient <vendor-ID> \
    --encrypt <input-file>
As I said, this has worked well for us for several years. The main advantage
is that I don't need to teach any of the other users about gpg and have a
central point to contain all the keys from the many vendors we support. I only
need to show users the above two command sequences and they can go on about
their business.
I suppose that my use of a private key without a passphrase might be of some
concern, but I never figured out a better way to do this. In other words, if
the single key required a passphrase, I'd have to give out that passphrase to
everyone, so what would be the point?
I will appreciate any and all comments. If there is a "better way" to do this,
I'd love to learn.
Bob
_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
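As an added example (not from Bob's post and not part of GnuPG), here is a small POSIX shell audit for a shared gpg 1.4 homedir laid out as described above: it flags the world-writable directory and the world-readable passphrase-less secring.gpg, and passes a layout where the directory belongs to a dedicated UNIX group instead. The function names and the constructed demo layouts are assumptions made for this illustration.

```shell
# Audit a shared GnuPG 1.4 homedir (world-writable directory, world-readable
# keyrings, passphrase-less key) as described in the post. Hypothetical helper.
# Exit status: 0 when clean, 1 when a finding was printed, 2 on bad input.
audit_gpg_homedir() {
    dir=$1
    rc=0
    [ -d "$dir" ] || { echo "no such directory: $dir"; return 2; }
    # 1. A world-writable homedir lets any local account replace pubring.gpg or
    #    trustdb.gpg, or swap secring.gpg.  -prune tests the directory itself only.
    if [ -n "$(find "$dir" -prune -perm -0002)" ]; then
        echo "FAIL: $dir is world-writable"
        rc=1
    fi
    # 2. With no passphrase, read access to secring.gpg *is* the private key.
    #    It should be readable only by a dedicated group, not by "other".
    if [ -f "$dir/secring.gpg" ] && [ -n "$(find "$dir/secring.gpg" -perm -0004)" ]; then
        echo "FAIL: $dir/secring.gpg is world-readable"
        rc=1
    fi
    # 3. No keyring or config file inside may be writable by everyone.
    ww=$(find "$dir" -type f -perm -0002)
    if [ -n "$ww" ]; then
        echo "FAIL: world-writable files:"
        echo "$ww"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: $dir permissions look sane"; fi
    return "$rc"
}

# Constructed demo layout: empty placeholder keyrings, no real keys.
# $1 = directory mode, $2 = mode for the keyring files.  Prints the path.
make_demo_homedir() {
    d=$(mktemp -d)
    chmod "$1" "$d"
    for f in pubring.gpg secring.gpg trustdb.gpg; do : > "$d/$f"; chmod "$2" "$d/$f"; done
    echo "$d"
}

# The post's 777/744 layout, then a group-restricted one (assumed: a dedicated
# UNIX group of authorised users owns the directory, so 2750/640 is enough).
for layout in "777 744" "2750 640"; do
    set -- $layout
    d=$(make_demo_homedir "$1" "$2")
    echo "== directory $1, files $2 =="
    audit_gpg_homedir "$d"
    rm -rf "$d"
done
```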