Revision comparison: Revision 1 as of 2016-06-17 09:48:14 (size 1477, comment: "Notes about a centralized pubring setup.") versus the later revision (size 1198, comment: "Remove trustdb from config this will break when generating keys.").

Changes from Revision 1 to the later revision:
- Line 2: the words "or modify the trustdb" were removed from the introductory sentence; it now reads "In institutions it may be useful to centralize key management so that only administrators can edit the public keyring."
- Line 13: the config option "trustdb-name \\networkshare\folder\trustdb.gpg" was removed.
- Line 32 (now line 31): the following paragraph was removed: "To centralize trust management you may want to set the Ownertrust to Ultimate for the public keys of your gpg-admins, so that a key signed by a gpg-admin is automatically trustworthy for all other users."
Central keyring (gnupg-2.0.x)
In institutions it may be useful to centralize key management so that only administrators can edit the public keyring.
To set this up:
- Create a new user group "gpg-admins"
- Create a shared folder (e.g. a network share) that is readable by everyone but writable only by gpg-admins
- Create a gpg.conf file in that folder with the following content:
  no-default-keyring
  primary-keyring \\networkshare\folder\pubring.gpg
  keyring \\networkshare\folder\pubring.gpg
  lock-never
Optionally add secret-keyring \\networkshare\folder\secring.gpg
lock-never may lead to errors when multiple users try to modify the keyring at the same time. Remove that option from the config files of your gpg-admins if you have more than one admin.
- Place the config file into %APPDATA%\gnupg
- Import keys / edit trust as an admin.
- Deploy the config file to your users. This may be done with a login script containing:
  mkdir %APPDATA%\gnupg
  copy \\networkshare\folder\gpg.conf %APPDATA%\gnupg
And done. Your users now have read access to the central pubring, and everyone sees the same public keyring.
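As an added example (not the wiki's own text or a script from the GnuPG project), the following PowerShell script carries out the admin-side setup and the user-side login-script step described above, and also covers the multi-admin caveat by writing a second config that omits lock-never. The share path, the group name and the file name gpg-admin.conf are placeholders taken or assumed from the page; it also assumes gpg (e.g. from Gpg4win) is on PATH.

```powershell
# Added example, not part of the wiki page: provisions the central keyring
# share on the admin side and shows the user-side login-script step.
# Assumed placeholders: the share path, the group name and the admin-side
# config file name 'gpg-admin.conf'. Requires gpg (e.g. Gpg4win) on PATH.

$Share      = '\\networkshare\folder'   # placeholder share path from the page
$AdminGroup = 'gpg-admins'               # group name from the page

# --- Admin side -----------------------------------------------------------
# 1. Folder readable by everyone, writable only by gpg-admins. A user-writable
#    share would let any user add or replace public keys for everyone.
New-Item -ItemType Directory -Path $Share -Force | Out-Null
icacls $Share /inheritance:r `
    /grant "SYSTEM:(OI)(CI)F" `
    /grant "Administrators:(OI)(CI)F" `
    /grant "${AdminGroup}:(OI)(CI)M" `
    /grant "Users:(OI)(CI)RX" | Out-Null

# 2. gpg.conf for users: point gpg at the shared pubring only. lock-never is
#    what the page prescribes for read-only users.
$UserConf = @"
no-default-keyring
primary-keyring $Share\pubring.gpg
keyring $Share\pubring.gpg
lock-never
"@
Set-Content -Path (Join-Path $Share 'gpg.conf') -Value $UserConf -Encoding Ascii

# 3. Admin variant without lock-never, so that gpg's own locking serialises
#    concurrent edits when several admins modify the keyring.
$AdminConf = ($UserConf -split "`r?`n" | Where-Object { $_ -ne 'lock-never' }) -join "`r`n"
Set-Content -Path (Join-Path $Share 'gpg-admin.conf') -Value $AdminConf -Encoding Ascii

# --- User side (login script) --------------------------------------------
$GnupgHome = Join-Path $env:APPDATA 'gnupg'
New-Item -ItemType Directory -Path $GnupgHome -Force | Out-Null
Copy-Item -Path (Join-Path $Share 'gpg.conf') -Destination (Join-Path $GnupgHome 'gpg.conf') -Force

# Check: the local config points at a UNC keyring and gpg can read the central keyring.
$conf = Get-Content (Join-Path $GnupgHome 'gpg.conf')
if (-not ($conf -match '^primary-keyring \\\\')) {
    Write-Warning 'gpg.conf does not reference a UNC keyring path'
}
$pubs = & gpg --list-keys --with-colons 2>$null | Where-Object { $_ -like 'pub:*' }
Write-Host ("Central keyring provides {0} public key(s)" -f @($pubs).Count)
```

Run the admin section once as a member of gpg-admins; the user section is what the login script performs at each logon. Admins copy gpg-admin.conf into their own %APPDATA%\gnupg as gpg.conf. The write permission on the share is the control that matters: whoever can modify pubring.gpg decides which public keys every user sees, so verify the ACL after provisioning (icacls $Share) rather than relying on the default share permissions. The trustdb is not shared (the revision comparison above records that a shared trustdb-name broke key generation), so each user still keeps their own trust database.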