Central keyring (gnupg-2.0.x)

In institutions it may be useful to centralize key management so that only administrators can edit the public keyring.

To set this up:

• Create a new user group "gpg-admins"
• Create a shared folder (e.g. a network share) that is readable for everyone but writable only for gpg-admins
• Create a gpg.conf in that folder file with the following content:

no-default-keyring
primary-keyring \\networkshare\folder\\pubring.gpg
keyring         \\networkshare\folder\pubring.gpg
lock-never

Optionally add secret-keyring \\networkshare\folder\secring.gpg

lock-never may lead to errors when multiple users are trying to modify the keyring at the same time. Remove that option in the config files of your gpg-admins if you have multiple admins.

• Place the config file into %APPDATA%\gnupg
• Import key / Edit Trust as admin.

• Deploy the config file to your users. This may be done with a login script containing:

  mkdir %APPDATA%\gnupg
  copy \\networkshare\folder\gpg.conf %APPDATA%\gnupg

And done. Your users can now read access the central pubring and all will see the same public keyring.