Corporate Administration of OpenPGP Keys

OpenPGP-based encryption systems like gpg4o allow users to communicate securely end to end via email. They should be used wherever privacy is a concern, know-how must remain undisclosed, or compliance regulations or corporate governance rules have to be followed.

To keep the system secure, it is vital that the private key(s) are never disclosed to third parties or attackers. In addition, the quality of the passphrase protecting those private keys is just as critical. It is common knowledge that the highest security requirements apply here.

Within companies, certain rules must be followed, especially when two or more employees share a private key for a role (for example a functional mailbox). There are situations, due to company rules or by law, in which private keys may have to be used by auditors, directors or law enforcement. In addition: what happens to encrypted data when employees leave the company? These situations (not a complete list) may occur:

  • Employee leaves the company
  • Employee forgets or loses the passphrase, or deletes the key pair by mistake
  • Access by third parties due to compliance rules or law enforcement

Whenever companies decide to encrypt sensitive data, they should keep in mind that one or more of the scenarios mentioned above may happen. It is good advice to take preliminary steps before encrypting data so that a solution for those scenarios is already in place. We all know that this has not happened in every company, so there should also be a way to transform the existing situation into a compliant one.

The attached document shows a way through many of the possible situations. Your comments, critical ones included, are warmly welcome.

Attachment: Dealing with OpenPGP keypairs in companies
