Revision 3 as of 2016-07-11 12:28:40 (size 906). Comment: Old solution was too fragile with access denied errors, better to leave the keyrings to the users and just import.
Previous revision (size 1477). Comment: Notes about a centralized pubring setup.

Lines of the previous revision that were replaced in revision 3 (unchanged lines are not shown; the current text follows below):

== Central keyring (gnupg-2.0.x) ==
In institutions it may be useful to centralize key management so that only administrators can edit the public keyring or modify the trustdb.

* Create a gpg.conf file in that folder with the following content:
* Create a login script that is executed in the user environment
{{{
no-default-keyring
primary-keyring \\networkshare\folder\pubring.gpg
trustdb-name \\networkshare\folder\trustdb.gpg
keyring \\networkshare\folder\pubring.gpg
lock-never
}}}
Optionally add {{{secret-keyring \\networkshare\folder\secring.gpg}}}

{{{lock-never}}} may lead to errors when multiple users are trying to modify the keyring at the same time. Remove that option in the config files of your gpg-admins if you have multiple admins.
* Place the config file into {{{%APPDATA%\gnupg}}}
* Import key / Edit Trust as admin.
* Deploy the config file to your users. This may be done with a login script containing:
{{{
mkdir %APPDATA%\gnupg
copy \\networkshare\folder\gpg.conf %APPDATA%\gnupg
}}}
And done. Your users can now read the central pubring and all will see the same public keyring. To centralize trust management you may want to set the Ownertrust to Ultimate for the public keys of your gpg-admins, so that a key signed by a gpg-admin is automatically trustworthy for all other users.
Central keyfile (gnupg-2.0.x)
In institutions it may be useful to centralize key management so that administrators can provide a set of certificates that are available for all users.
To set this up:
- Create a new user group "gpg-admins"
- Create a shared folder (e.g. a network share) that is readable for everyone but writable only for gpg-admins
- Launch Kleopatra and import all the certificates that are intended to be used.
- Mark all keys with Ctrl+A and use File -> Export Certificates to create a file in your network share folder.
- Create a login script that is executed in the user environment
gpg2 --import //networkshare\pgpkeys.asc
Please note the forward slashes when importing the keys.
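As an added example that is not part of this wiki page, a PowerShell login script for the last step above. It assumes the share is \\networkshare\pgpkeys (readable by everyone, writable only by gpg-admins), that the gpg-admins exported pgpkeys.asc from Kleopatra, and optionally an ownertrust.txt created with gpg2 --export-ownertrust; the log file name is also an assumption.

```powershell
# Added example, not from the wiki page: import the centrally published
# certificates into the user's own keyring at login.
# Assumed layout of the share (read-only for users, writable for gpg-admins):
#   \\networkshare\pgpkeys\pgpkeys.asc     exported from Kleopatra by a gpg-admin
#   \\networkshare\pgpkeys\ownertrust.txt  optional, from "gpg2 --export-ownertrust"
$Share     = '\\networkshare\pgpkeys'
$KeyFile   = Join-Path $Share 'pgpkeys.asc'
$TrustFile = Join-Path $Share 'ownertrust.txt'
$LogDir    = Join-Path $env:APPDATA 'gnupg'
$Log       = Join-Path $LogDir 'central-import.log'   # assumed log location

# Never block a login because the share is unreachable: just skip the import.
if (-not (Test-Path -LiteralPath $KeyFile)) { exit 0 }
if (-not (Test-Path -LiteralPath $LogDir)) {
    New-Item -ItemType Directory -Path $LogDir | Out-Null
}

# gpg2 expects forward slashes in the UNC path (see the note above), so convert
# the Windows path before handing it to gpg2.
$KeyFileGpg = $KeyFile -replace '\\', '/'

"$(Get-Date -Format s) importing $KeyFileGpg" | Out-File -Append $Log
# --batch: no interactive prompts in a login session. Import only adds or
# updates public keys; the user's own secret keys and keyring stay untouched.
& gpg2 --batch --import $KeyFileGpg 2>&1 | Out-File -Append $Log
if ($LASTEXITCODE -ne 0) {
    "$(Get-Date -Format s) import failed with exit code $LASTEXITCODE" | Out-File -Append $Log
    exit 0
}

# Optional: also take the ownertrust the gpg-admins published, so that keys
# certified by a gpg-admin become valid for every user without a shared trustdb.
if (Test-Path -LiteralPath $TrustFile) {
    $TrustFileGpg = $TrustFile -replace '\\', '/'
    & gpg2 --batch --import-ownertrust $TrustFileGpg 2>&1 | Out-File -Append $Log
}
exit 0
```

The import log lets a helpdesk see which users received which keys and when an import failed because the share was unavailable.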
When adding new keys, add the key in your Kleopatra instance and export again to the central location. After the next login your users will automatically import this key.