OpenPGP-based encryption systems like gpg4o allow users to communicate securely end to end via email. They should be used wherever privacy is a concern, know-how must remain undisclosed, or compliance regulations or corporate governance rules have to be followed.
To keep the system secure, it is vital that the private key(s) are never disclosed to third parties or attackers. The quality of the passphrase protecting those private keys is equally critical. It is common knowledge that the highest security standards apply here.
Within companies, certain rules must be followed, especially when two or more employees share private keys for role-based purposes. There are situations, due to company rules or by law, in which private keys may have to be used by auditors, directors or law enforcement. In addition: what happens to encrypted data when employees leave the company? These situations (not a complete list) may occur:
- Employee leaves company
- Employee forgets or loses the passphrase, or deletes the keypair by mistake
- Access of third parties due to compliance rules or law enforcement
Whenever companies decide to encrypt sensitive data, they should keep in mind that one or more of the scenarios mentioned above may happen. It is good advice to think about preliminary steps before encrypting data, so that a solution for those scenarios is already in place. We all know that this has not happened in every company, so there should be a way to transform the existing situation into a compliant one.
The attached document shows a way through many of the possible situations. Your comments, even critical ones, are warmly welcome.
Attachment: Dealing with OpenPGP keypairs in companies