Diff for "Gpg4win/SetupHints"

Differences between revisions 2 and 3

Central keyfile (gnupg-2.0.x)

In institutions it may be useful to centralize key management so that adminstrators can provide a set of certificates that are available for all users.

To set this up:

Create a new user group "gpg-admins"
Create a shared folder (e.g. a network share) that is readable for everyone but writable only for gpg-admins
Launch Kleopatra and import all the certificates that are intended to be used.
Mark all keys with ctrl+a and use File->Export Certificates Create a file in your network share folder.

Create a login script that is executed in the user environment

   gpg2 --import //networkshare\pgpkeys.asc

Please not the forward slashes when importing the keys.

When adding new keys add the key in your Kleopatra instance, and export again to the central location. After a new Login your users will automatically import this key.

-  ⇤ ← Revision 2 as of 2016-07-11 12:07:19 → 
  Size: 1198
  Editor: AndreHeinecke
  Comment: Remove trustdb from config this will break when generating keys.
+   ← Revision 3 as of 2016-07-11 12:28:40 → ⇥
  Size: 906
  Editor: AndreHeinecke
  Comment: Old solution was too fragile with access denied errors, better to leave the keyrings to the users and just import.
-Deletions are marked like this.
+Additions are marked like this.
 Line 1:
-== Central keyring (gnupg-2.0.x) ==
In institutions it may be useful to centralize key management so that only administrators can edit the public keyring.
+== Central keyfile (gnupg-2.0.x) ==
In institutions it may be useful to centralize key management so that adminstrators can provide a set of certificates that are available for all users.
 Line 8:
-* Create a gpg.conf in that folder file with the following content:
+* Launch Kleopatra and import all the certificates that are intended to be used.
* Mark all keys with ctrl+a and use File->Export Certificates Create a file in your network share folder.
-Line 10:
+Line 11:
+* Create a login script that is executed in the user environment
-Line 11:
+Line 13:
-no-default-keyring
primary-keyring \\networkshare\folder\\pubring.gpg
keyring         \\networkshare\folder\pubring.gpg
lock-never
+   gpg2 --import //networkshare\pgpkeys.asc
-Line 17:
+Line 16:
-Optionally add {{{secret-keyring  \\networkshare\folder\secring.gpg}}}
+Please not the forward slashes when importing the keys.
-Line 19:
+Line 18:
-{{{lock-never}}} may lead to errors when multiple users are trying to modify the keyring at the same time. Remove that option in the config files of your gpg-admins if you have multiple admins.

* Place the config file into  {{{%APPDATA%\gnupg}}}
* Import key / Edit Trust as admin.

* Deploy the config file to your users. This may be done with a login script containing:
{{{
  mkdir %APPDATA%\gnupg
  copy \\networkshare\folder\gpg.conf %APPDATA%\gnupg
}}}

And done. Your users can now read access the central pubring and all will see the same public keyring.
+When adding new keys add the key in your Kleopatra instance, and export again to the central location. After a new Login your users will automatically import this key.