Endpoint Encryption

  • 1.  PGP Command Line 10.2 (UNIX) licensing for multiple users

    Posted Oct 14, 2011 05:39 PM

    PGP only works for the user who licensed it.  I wish this part was documented better for UNIX systems.  It seems to be a common problem.  I am unsure of the correct solution.  I read the docs and related forum posts that say to use a shared directory for all users to use, but is that wise from a security standpoint?  What am I to lose by doing so?  Would it be better to re-license PGP for each user, thereby restricting each user to its own PGP home directory? 

    Here's my scenario.  I have a multi-user UNIX server with many different pgp users on it.

    I installed PGP Command Line 10.2 on Solaris 10 64-bit and ran this license syntax to license it. 

     pgp --license-authorize --license-name root --license-organization XXX --license-number XXX --license-email MYEMAIL 
    
    PGP worked fine for the root user, but not for the other users on the system.  Other users got this error:

    2713:no license has been entered

    So then I searched the forums and found that I should use a shared home directory.  So I re-licensed it, adding this option:

       --home-dir=/opt/pgp 

    and I changed permissions on /opt/pgp/PGPprefs.xml and /opt/pgp/randseed.rnd to 644 so that all users could read them, like so:

    -rw-r--r--   1 root     root        3196 Oct 14 12:51 PGPprefs.xml
    -rw-r--r--   1 root     root         512 Oct 14 16:54 randseed.rnd

    I think this will work now, but is this the way it should be done?  Am I somehow at risk by sharing this directory and the keyrings therein?  What is the best way to resolve this, from a "best practices" point of view?  Can each user re-license the software individually, or would that only cause other problems?  Would a security auditor suggest it be done differently?

    What am I missing?

    Thanks in advance,

    -Steve in Phx.



  • 2.  RE: PGP Command Line 10.2 (UNIX) licensing for multiple users

    Posted Oct 16, 2011 11:04 AM

    Is your license for one key or unlimited?



  • 3.  RE: PGP Command Line 10.2 (UNIX) licensing for multiple users

    Posted Oct 17, 2011 11:29 AM

    We have a "server" license for unlimited use on this particular hardware, if that makes sense.



  • 4.  RE: PGP Command Line 10.2 (UNIX) licensing for multiple users

    Posted Oct 17, 2011 06:38 PM

    PGP Command Line is licensed for a machine.  However, the license authorization information is stored in a preference file (PGPprefs.xml) that has a per-user default location.  So as you've discovered, if you license it as one user, it appears to be unlicensed for any other user.  We have it on our roadmap to address this issue in a future release.

    You could re-license PGP Command Line as each user, but that's a bit of a pain.  As you've discovered, the common solution is to specify a "home directory" for PGP Command Line, and then have each user use the "--home-dir" option, or set the PGP_HOME_DIR environment variable.

    Users can still have their own keyring files (if so desired) by using the "--public-keyring" and "--private-keyring" options.  Simultaneous access to the keyring files should be okay for read operations.  If you have one process updating the keyrings, then another will not be able to.
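    The shared-license, private-keyring layout described in the reply above, written out as a small POSIX shell wrapper (an added example, not code from the thread or from the PGP product). It assumes the shared home directory is /opt/pgp, that each user's keyrings live under $HOME/.pgp, and that the keyring file names are pubring.pkr and secring.skr; it refuses to run if the private keyring is readable by other accounts on the shared host.

    ```shell
    #!/bin/sh
    # Wrapper for PGP Command Line on a multi-user host: the license data
    # (PGPprefs.xml) stays in the shared --home-dir, while each user's own
    # keyrings are passed explicitly. All paths below are assumptions.

    PGP_SHARED_HOME="${PGP_SHARED_HOME:-/opt/pgp}"   # directory licensed with --home-dir
    USER_PGP_DIR="${USER_PGP_DIR:-$HOME/.pgp}"       # per-user keyring directory

    # Return 0 if FILE exists and has no group/other permission bits set
    # (mode 600 or 400), 1 otherwise. Parses ls(1) so it works on Solaris
    # and Linux without depending on a particular stat(1) syntax.
    keyring_is_private() {
        [ -f "$1" ] || return 1
        mode=$(ls -ld "$1" | cut -c5-10)   # columns 5-10 are group+other bits
        [ "$mode" = "------" ]
    }

    # Print the arguments that point pgp at the shared license directory
    # and at the caller's own keyrings (assumed default file names).
    pgp_user_args() {
        printf '%s %s %s' \
            "--home-dir=$PGP_SHARED_HOME" \
            "--public-keyring=$USER_PGP_DIR/pubring.pkr" \
            "--private-keyring=$USER_PGP_DIR/secring.skr"
    }

    # Run pgp with the per-user arguments, but only if the private keyring
    # is not exposed to other users of the shared system.
    run_pgp() {
        if ! keyring_is_private "$USER_PGP_DIR/secring.skr"; then
            echo "refusing to run: $USER_PGP_DIR/secring.skr is not mode 600" >&2
            return 2
        fi
        # shellcheck disable=SC2046
        pgp $(pgp_user_args) "$@"
    }

    # Example call (uncomment to use): run_pgp --encrypt file.txt -r user@example.com
    ```

    The shared directory itself only needs to hold the license preferences and random seed; keeping the keyrings under each user's own directory is what makes a 644 PGPprefs.xml acceptable.
    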



  • 5.  RE: PGP Command Line 10.2 (UNIX) licensing for multiple users

    Posted Oct 17, 2011 07:07 PM

    Thanks David.  I decided to run the license command for each user on the machine, and set their PGP_HOME_DIR to /home/user/.pgp.  It will be harder to maintain but it appears to be the better option where multiple users are sharing the same system.

    -Steve.