GnuPG in the enterprise

Roland Smith rsmith at xs4all.nl
Thu Jun 16 17:42:17 GMT 2005


On Thu, Jun 16, 2005 at 11:19:19AM -0500, Tony Shadwick wrote:
> Just so I'm following then, let's say I have gnupg installed on my server, 
> and I'm creating all of my employee's secret keys there, then installing 
> gnupg on their workstations so that they can use local mail clients to 
> encrypt.
> 
> What's to prevent them from changing their secret key passphrase or 
> revoking the key themselves and creating a new public key, then publishing 
> that to the keyservers? (Other than knowing enough about gnupg in the 
> first place to do any of this of course...)

Change the ownership of the files in the .gnupg directory. Make them
owned by user root and the user's individual group. Chmod gpg.conf and
secring.gpg to 440. The other files can be 460.

> Not to mention I've always wondered how gnupg plays with multiple 
> recipients or internal company mailing lists.  For example if I send a 
> message to VIP1, VIP2, and VIP3, and it is an important internal document 
> that requires encryption, when I encrypt the message, won't it get 
> encrypted with VIP1's public key, thus VIP2 and VIP3 won't be able to open 
> the message?

Set up a named group in the keyring, that contains all the users in the
mailing list. Or use pgpewrap; it comes with mutt, I think.
 
Roland
-- 
R.F.Smith (http://www.xs4all.nl/~rsmith/) Please send e-mail as plain text.
public key: http://www.xs4all.nl/~rsmith/pubkey.txt
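As an added example (not Roland's script), a POSIX shell script that applies the ownership and mode scheme described above to one user's ~/.gnupg, verifies it, and appends a named `group` line to gpg.conf using the `group name=key key ...` syntax from the gpg manual. It assumes GNU coreutils (`stat -c`); the owner is a parameter so the check can be exercised without root, but in deployment it is root, as the reply says, with the user's individual group.

```shell
#!/bin/sh
# Added example: lock down a user's .gnupg as described in the reply.
# gpg.conf and secring.gpg become 440 (root and the user's group read only);
# every other regular file becomes 460 (group may still update pubring/trustdb).
# OWNER is "root" in production; it is a parameter here so tests can run unprivileged.

lock_gnupg_dir() {
    dir="$1"; owner="$2"; group="$3"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue                 # files only, never the directory itself
        chown "$owner:$group" "$f" || return 1
        chmod "$(expected_mode "$(basename "$f")")" "$f" || return 1
    done
}

# Mode each file is supposed to end up with.
expected_mode() {
    case "$1" in
        gpg.conf|secring.gpg) echo 440 ;;
        *)                    echo 460 ;;
    esac
}

# Returns 0 only if every regular file has the expected mode and owner uid.
check_gnupg_dir() {
    dir="$1"; uid="$2"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        mode=$(stat -c %a "$f"); own=$(stat -c %u "$f")
        [ "$mode" = "$(expected_mode "$name")" ] || { echo "bad mode $mode on $name"; return 1; }
        [ "$own" = "$uid" ] || { echo "bad owner $own on $name"; return 1; }
    done
}

# Append a keyring group so "gpg -r <name>" encrypts to every listed key.
# Key IDs are placeholders supplied by the caller, not values from the post.
add_keyring_group() {
    conf="$1"; name="$2"; shift 2
    printf 'group %s=%s\n' "$name" "$*" >> "$conf"
}
```

Run `add_keyring_group` before `lock_gnupg_dir`, since afterwards gpg.conf is no longer writable by the user.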