Central keyring (gnupg-2.0.x)

In institutions it may be useful to centralize key management so that only administrators can edit the public keyring or modify the trustdb.

To set this up, create a gpg.conf on the network share with the following options:

  no-default-keyring
  primary-keyring \\networkshare\folder\pubring.gpg
  trustdb-name    \\networkshare\folder\trustdb.gpg
  keyring         \\networkshare\folder\pubring.gpg
  lock-never

Optionally add secret-keyring \\networkshare\folder\secring.gpg if the secret keyring should be shared as well.

lock-never may lead to errors when multiple users try to modify the keyring at the same time. Remove that option from the config files of your gpg-admins if you have more than one admin.

Then, on each user's machine, create the GnuPG home directory and copy the shared config into it:

  mkdir %APPDATA%\gnupg
  copy \\networkshare\folder\gpg.conf %APPDATA%\gnupg

And done. Your users now have read access to the central pubring, and all of them see the same public keyring.

To centralize trust management you may want to set the Ownertrust to Ultimate for the public keys of your gpg-admins, so that a key signed by a gpg-admin is automatically trustworthy for all other users.
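The following is an added example, not code from the Gpg4win wiki: it generates the gpg.conf described above for a given share path and role (users get lock-never, admins do not) and parses an existing gpg.conf to flag the mistakes this setup is prone to. The share path, the role names and all function names are this example's own assumptions.

```python
"""Generate and sanity-check a central-keyring gpg.conf for GnuPG 2.0.x."""

# Constructed placeholder; replace with the real UNC path of the share.
DEFAULT_SHARE = r"\\networkshare\folder"


def _unc(share, name):
    """Join a file name onto a UNC share path with a single backslash."""
    return share.rstrip("\\") + "\\" + name


def build_gpg_conf(share=DEFAULT_SHARE, role="user", secret_keyring=False):
    """Return gpg.conf text pointing GnuPG at the shared keyring and trustdb.

    Regular users get lock-never because they only read the keyring; admins
    do not, since several admins may write to the keyring concurrently.
    """
    if role not in ("user", "admin"):
        raise ValueError("unknown role: %s" % role)
    lines = [
        "no-default-keyring",
        "primary-keyring %s" % _unc(share, "pubring.gpg"),
        "trustdb-name    %s" % _unc(share, "trustdb.gpg"),
        "keyring         %s" % _unc(share, "pubring.gpg"),
    ]
    if secret_keyring:
        lines.append("secret-keyring  %s" % _unc(share, "secring.gpg"))
    if role == "user":
        lines.append("lock-never")
    return "\n".join(lines) + "\n"


def parse_gpg_conf(text):
    """Parse gpg.conf into (option, value) pairs; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        entries.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return entries


def check_gpg_conf(text, role):
    """Return a list of problems found in a central-keyring gpg.conf."""
    opts = dict(parse_gpg_conf(text))  # last occurrence of an option wins
    problems = []
    if "no-default-keyring" not in opts:
        problems.append("no-default-keyring missing: local pubring.gpg is still used")
    for opt in ("primary-keyring", "keyring", "trustdb-name"):
        if not opts.get(opt, "").startswith("\\\\"):
            problems.append("%s does not point at a UNC share path" % opt)
    if opts.get("primary-keyring") != opts.get("keyring"):
        problems.append("primary-keyring and keyring differ")
    if role == "admin" and "lock-never" in opts:
        problems.append("lock-never set for an admin: concurrent edits may clash")
    return problems
```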

Gpg4win/SetupHints (last edited 2016-06-17 09:48:14 by AndreHeinecke)