Revision 1 as of 2016-06-17 09:48:14
Notes about a centralized pubring setup.
Remove trustdb from config; this will break when generating keys.
Deletions are marked with -, additions with +.

Line 2:
- In institutions it may be useful to centralize key management so that only administrators can edit the public keyring or modify the trustdb.
+ In institutions it may be useful to centralize key management so that only administrators can edit the public keyring.

Line 13:

Line 32 (old) / Line 31 (new):
- To centralize trust management you may want to set the Ownertrust to Ultimate for the public keys of your gpg-admins, so that a key signed by a gpg-admin is automatically trustworthy for all other users.
Central keyring (gnupg-2.0.x)
In institutions it may be useful to centralize key management so that only administrators can edit the public keyring.
To set this up:
- Create a new user group "gpg-admins"
- Create a shared folder (e.g. a network share) that is readable for everyone but writable only for gpg-admins
- Create a gpg.conf file in that folder with the following content:
no-default-keyring
primary-keyring \\networkshare\folder\pubring.gpg
keyring \\networkshare\folder\pubring.gpg
lock-never
Optionally add the line: secret-keyring \\networkshare\folder\secring.gpg
lock-never may lead to errors when multiple users try to modify the keyring at the same time. Remove that option from the config files of your gpg-admins if you have more than one admin.
- Place the config file into %APPDATA%\gnupg
- Import key / Edit Trust as admin.
- Deploy the config file to your users. This may be done with a login script containing:
mkdir %APPDATA%\gnupg
copy \\networkshare\folder\gpg.conf %APPDATA%\gnupg
And done. Your users now have read access to the central pubring, and all of them see the same public keyring.
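As an added example that is not part of the wiki page: a PowerShell login script that writes the gpg.conf described above for the current user (leaving out lock-never for members of gpg-admins, as the caveat requires) and then checks that the share really denies ordinary users write access to pubring.gpg. The share path and the group name are the placeholders used on this page.

```powershell
# Added example (not from the wiki page): per-user deployment of the central
# gpg.conf plus a check that the share really denies ordinary users write access.
# Placeholders taken from the page: the share path and the group name.
$Share      = '\\networkshare\folder'
$AdminGroup = 'gpg-admins'
$GnupgHome  = Join-Path $env:APPDATA 'gnupg'

# Resolve the current user's group memberships to names like DOMAIN\gpg-admins.
$identity   = [Security.Principal.WindowsIdentity]::GetCurrent()
$groupNames = foreach ($sid in $identity.Groups) {
    try { $sid.Translate([Security.Principal.NTAccount]).Value } catch { }
}
$isAdmin = [bool]($groupNames -match ('\\' + [regex]::Escape($AdminGroup) + '$'))

# Build the config from the page. Admins write to the keyring and therefore
# must not use lock-never; read-only users keep it so they never take the lock.
$config = @(
    'no-default-keyring',
    "primary-keyring $Share\pubring.gpg",
    "keyring $Share\pubring.gpg"
)
if (-not $isAdmin) { $config += 'lock-never' }

New-Item -ItemType Directory -Path $GnupgHome -Force | Out-Null
Set-Content -Path (Join-Path $GnupgHome 'gpg.conf') -Value $config -Encoding Ascii

# Permission check: open the central pubring for writing without changing it.
# Ordinary users must fail here; if they succeed, the share ACL does not enforce
# "readable for everyone, writable only for gpg-admins".
$pubring  = Join-Path $Share 'pubring.gpg'
$canWrite = $false
try {
    $fs = [IO.File]::Open($pubring, 'Open', 'Write', 'ReadWrite')
    $fs.Close()
    $canWrite = $true
} catch [UnauthorizedAccessException] {
    $canWrite = $false
}

if ($canWrite -and -not $isAdmin) {
    Write-Warning "User $($identity.Name) can modify $pubring; fix the share ACL."
} elseif (-not $canWrite -and $isAdmin) {
    Write-Warning "Admin $($identity.Name) cannot write $pubring; check group membership."
} else {
    Write-Host "gpg.conf deployed to $GnupgHome (admin: $isAdmin, writable: $canWrite)"
}
```

Run it as the login script instead of the two-line batch version when you also want each logon to report a share ACL that lets a non-admin modify the central keyring.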