Central keyring (gnupg-2.0.x)
In institutions it may be useful to centralize key management so that only administrators can edit the public keyring.
To set this up:
- Create a new user group "gpg-admins"
- Create a shared folder (e.g. a network share) that is readable for everyone but writable only for gpg-admins
- Create a gpg.conf file in that folder with the following content (one option per line; both keyring lines must name the same UNC path):
    no-default-keyring
    primary-keyring \\networkshare\folder\pubring.gpg
    keyring \\networkshare\folder\pubring.gpg
    lock-never
Optionally add a line secret-keyring \\networkshare\folder\secring.gpg to share a secret keyring as well. Keep in mind that secring.gpg holds the private keys, protected only by their passphrases, so on a folder that is readable for everyone that key material is readable for everyone; in most setups only the public keyring should be centralized.
lock-never disables GnuPG's file locking, so it may lead to errors when multiple users try to modify the keyring at the same time. It is safe for ordinary users, who only read the keyring, but remove that option from the config files of your gpg-admins if you have more than one admin.
- Place the config file into %APPDATA%\gnupg on the admin's machine.
- Import keys and edit trust as a gpg-admin. Key signatures (certifications) are stored in the shared pubring and are therefore seen by everyone; ownertrust values are not, they live in each user's own trustdb.gpg. To distribute them as well, export them with gpg --export-ownertrust and let the users import the resulting file with gpg --import-ownertrust.
- Deploy the config file to your users. This may be done with a login script containing:
    if not exist "%APPDATA%\gnupg" mkdir "%APPDATA%\gnupg"
    copy /Y \\networkshare\folder\gpg.conf "%APPDATA%\gnupg\gpg.conf"
And done. Your users now have read access to the central pubring and all see the same public keyring.
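The whole procedure above, carried out from a gpg-admin's PowerShell session, as an added example that is not part of the original page: it sets the folder ACL (everyone reads, gpg-admins write), writes a user and an admin variant of gpg.conf, populates the keyring, exports the admin's ownertrust, and provides the per-user deployment step for the login script. The share path \\networkshare\folder, the group name gpg-admins, the key file C:\keys\corporate-keys.asc, the file name ownertrust.txt and gpg.exe being on PATH (as installed by Gpg4win) are assumptions.

```powershell
# Added example, not from the original page. Share, group, key file and
# ownertrust file name are assumptions; gpg.exe is assumed to be on PATH.
$Share   = '\\networkshare\folder'          # assumption: the central share
$Admins  = 'gpg-admins'                     # assumption: the admin group
$Keyring = Join-Path $Share 'pubring.gpg'

# 1. NTFS ACL on the folder: everyone may read, only gpg-admins (and the
#    server's Administrators) may write. /inheritance:r drops inherited ACEs
#    so nothing grants write access by accident. The share permissions must
#    also allow "Change" for gpg-admins; those are configured separately.
icacls $Share /inheritance:r `
    /grant "Authenticated Users:(OI)(CI)RX" `
    /grant "${Admins}:(OI)(CI)M" `
    /grant "Administrators:(OI)(CI)F" | Out-Null

# 2. Two configs from one template. Users get lock-never because they only
#    read; admins keep GnuPG's locking so two admins cannot clobber each
#    other's writes to the shared keyring.
$Common = "no-default-keyring`r`nprimary-keyring $Keyring`r`nkeyring $Keyring`r`n"
Set-Content -Path (Join-Path $Share 'gpg.conf')       -Value ($Common + 'lock-never') -Encoding Ascii
Set-Content -Path (Join-Path $Share 'gpg-admin.conf') -Value $Common -Encoding Ascii

# 3. Admin side: use the admin variant, fill the keyring, then export the
#    ownertrust values. They live in the admin's trustdb.gpg, not in the
#    keyring, so they have to travel to the users as a separate file.
$AdminHome = Join-Path $env:APPDATA 'gnupg'
New-Item -ItemType Directory -Path $AdminHome -Force | Out-Null
Copy-Item (Join-Path $Share 'gpg-admin.conf') (Join-Path $AdminHome 'gpg.conf') -Force
gpg --import 'C:\keys\corporate-keys.asc'          # assumption: the keys to publish
gpg --export-ownertrust | Set-Content -Path (Join-Path $Share 'ownertrust.txt') -Encoding Ascii

# 4. User side, to be called from the login script: install the user config
#    and pull in the admin's ownertrust list if it exists.
function Install-CentralGpgConfig {
    param([string]$SharePath)
    $UserHome = Join-Path $env:APPDATA 'gnupg'
    New-Item -ItemType Directory -Path $UserHome -Force | Out-Null
    Copy-Item (Join-Path $SharePath 'gpg.conf') (Join-Path $UserHome 'gpg.conf') -Force
    $Trust = Join-Path $SharePath 'ownertrust.txt'
    if (Test-Path $Trust) { gpg --import-ownertrust $Trust }
}
Install-CentralGpgConfig -SharePath $Share

# 5. Sanity check: with gnupg-2.0.x the first line of --list-keys names the
#    keyring file in use; it should be the pubring.gpg on the share.
$InUse = gpg --list-keys 2>$null | Select-Object -First 1
"Keyring in use: $InUse"
```

Run steps 1 to 3 once as a gpg-admin on a machine that can reach the share; only the Install-CentralGpgConfig part belongs in the users' login script. Re-run the --export-ownertrust line whenever an admin changes trust settings, otherwise users keep the older values.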