eGPG setup and configuration
1) Define your Windows groups and user memberships.
2) Install the Windows package of GnuPG on the hosting server or computer. You can run the GnuPG executable either locally or remotely; if you choose a remote installation you will need to create a Windows share to the directory in which the executable resides. This is also a good place for the configuration files to reside. I would suggest a hidden share with security permissions set to allow only the encrypting group(s) access.
3) Create another share, hidden for the security conscious, where the GnuPG key-ring will reside. It does not need to be on the same server as the executable. You may also set the security permissions to allow only the encrypting group(s) access.
4) You are now ready to import/create your keys. If you choose to administer the keys from the command line, remember to use the "--homedir=path_to_your_key-ring" switch so the keys are placed on the server and not on the local machine; otherwise, run the GUI of your choice on the server where the keys will be located. Remember that if you are using Windows groups, you will need to put a group-unique phrase in the name of the keys. For example, a key name could be "MyCompany dbgroup1", "dbgroup1" being the unique phrase.
5) Unzip the eGPG zip file, run the setup program and answer all the installer questions. If you have a centralized configuration, uncheck "install configuration file locally" and specify the location of the config files in the "path to eGPG configuration files" line. If you haven't set up centralized configuration files, this would be a good time to install the config files locally, edit them, and then copy them to a global configuration on a Windows share. To edit the configuration files, make sure they are located in the path you chose during the installation and, once eGPG loads, press "Ctrl+Alt+Shift+A".
If this is a first-time setup you will need to supply a password; by default the password is "password". For now ignore the "Edit key groups" button and fill out the form for your specific setup, remembering to change the password!!
** "User domain groups" allows you to filter keys based on Windows domain groups.
** "Use Admin group" allows password-less access to this admin form if the user is a member of the specified "Domain" and "Admin Group".
Click Submit to apply the configuration. If you activated "User domain groups", press "Ctrl+Alt+Shift+A" again; once the admin form is up, click the "Edit key groups" button and continue to step 5a.
5a) For Windows group integration click the "Edit Key Groups" button and fill out the form as follows: enter the group name, then "|" (pipe), then the identifying phrase in the key name. For example, "database|dbgroup1" means that the Windows group "database" will get any key containing "dbgroup1" in its name; you may also use the key's UID. Remember to add the administration group so as to allow access to all keys, i.e. "domain admins|*".
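The following is an added example, not code from eGPG or GnuPG, showing how the pieces in steps 4 and 5a fit together: listing the shared key-ring with "--homedir", and resolving which keys a user's Windows groups grant under "group|phrase" rules such as "database|dbgroup1" and "domain admins|*". The key listing, key IDs and rules are constructed sample data; the "--with-colons" record layout is GnuPG's documented machine-readable format. Two details the page does not state are assumed here: the phrase is matched case-insensitively anywhere in the key's user ID, and "*" grants every key on the ring.

```python
"""Resolve which GnuPG keys a Windows user may see under eGPG-style group rules.

Added example, not part of eGPG or GnuPG. Assumptions:
  * rules are typed exactly as in the "Edit Key Groups" form: "group|phrase";
  * a phrase matches when it appears anywhere in a key's user ID, compared
    case-insensitively (the page does not state how case is handled);
  * the phrase "*" grants every key on the ring.
"""
from typing import Dict, List, Tuple


def gpg_list_command(keyring_share: str) -> List[str]:
    """Argument vector for listing the shared key-ring from step 4.

    --homedir points GnuPG at the share instead of the local profile;
    --with-colons produces the machine-readable records parsed below.
    """
    return ["gpg", "--homedir", keyring_share, "--batch",
            "--with-colons", "--list-keys"]


# Constructed sample of ``gpg --with-colons --list-keys`` output for three keys.
# Key IDs, fingerprints and addresses are placeholders, not real keys.
SAMPLE_LISTING = """\
pub:u:4096:1:0000000000000001:1600000000::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:u::::1600000000::0001::MyCompany dbgroup1 <db1@example.invalid>::::::::::0:
pub:u:4096:1:0000000000000002:1600000000::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000002:
uid:u::::1600000000::0002::MyCompany hrgroup1 <hr1@example.invalid>::::::::::0:
pub:u:4096:1:0000000000000003:1600000000::u:::scESC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000003:
uid:u::::1600000000::0003::Payroll Export <payroll@example.invalid>::::::::::0:
"""

# Constructed rules in the form the step 5a form expects.
SAMPLE_RULES = ["database|dbgroup1", "hr|hrgroup1", "domain admins|*"]


def parse_colon_listing(text: str) -> List[Tuple[str, str]]:
    """Return (key_id, user_id) pairs, one per uid record.

    In --with-colons output the record type is field 1; ``pub`` records carry
    the key ID in field 5 and ``uid`` records carry the user ID in field 10.
    """
    pairs: List[Tuple[str, str]] = []
    current_key = None
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            current_key = fields[4]
        elif fields[0] == "uid" and current_key is not None:
            pairs.append((current_key, fields[9]))
    return pairs


def parse_rules(rules: List[str]) -> Dict[str, List[str]]:
    """Map each Windows group (case-folded) to the phrases granted to it."""
    mapping: Dict[str, List[str]] = {}
    for rule in rules:
        group, sep, phrase = rule.partition("|")
        group, phrase = group.strip(), phrase.strip()
        if not sep or not group or not phrase:
            raise ValueError(f"rule must look like 'group|phrase': {rule!r}")
        mapping.setdefault(group.casefold(), []).append(phrase)
    return mapping


def keys_for_user(user_groups: List[str], rules: List[str],
                  listing: str) -> List[str]:
    """Key IDs visible to a user who belongs to ``user_groups``.

    Order follows the key-ring; a key with several matching user IDs is
    returned once.
    """
    mapping = parse_rules(rules)
    phrases = [p for g in user_groups for p in mapping.get(g.casefold(), [])]
    pairs = parse_colon_listing(listing)
    if "*" in phrases:
        wanted_ids = [k for k, _ in pairs]
    else:
        needles = [p.casefold() for p in phrases]
        wanted_ids = [k for k, uid in pairs
                      if any(n in uid.casefold() for n in needles)]
    return list(dict.fromkeys(wanted_ids))


if __name__ == "__main__":
    # Hypothetical share name; substitute the hidden share created in step 3.
    print(gpg_list_command(r"\\keyserver\keyring$"))
    for groups in (["database"], ["hr", "database"],
                   ["Domain Admins"], ["finance"]):
        print(groups, "->", keys_for_user(groups, SAMPLE_RULES, SAMPLE_LISTING))
```

Running the script shows that a member of "database" sees only the key whose user ID contains "dbgroup1", a member of "Domain Admins" sees all three keys through the "*" rule, and a group with no rule sees nothing. A malformed rule without the pipe raises an error rather than silently granting or withholding keys.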
6) Now that the configuration files are customized, you can copy them to a central area for global configuration, then edit your settings and change the "path to eGPG configuration files" line to their location; absolute paths are accepted. You can now go to each workstation and run the eGPG setup program specifying the location of the global config files, or recreate them on each machine.
There are several other components I am working on adding, such as full key importation and signing. The administrator import ("CTRL+I") is working if the user is a member of the "Admin Group"; however, you will need to edit the key after the import to set the trust.
If you have any questions or suggestions, email me.