PGP Command Line needs to be re-authorized for each user account which each have individual keyrings

Article ID: 153200

Products

PGP Command Line

Issue/Introduction

PGP Command Line stores the licensing information in the current user's home directory in a file called PGPprefs.xml. This file cannot be moved to another directory or shared with other users.

In addition, each user will have an individual keyring. This means that keys cannot easily be shared between users.

If you have a multi-user environment then you can do one of the following:

  1. Authorize PGP Command Line for each user.
  2. Define a global environment variable.
  3. Use a dedicated service account.

Environment

Symantec PGP Command Line on Windows and Linux

Resolution

Please adopt one of the following strategies to use PGP Command Line in a multi-user environment.

License PGP Command Line for each user

Licensing PGP Command Line for each user that needs to use it involves each user issuing just one command. For example:
    pgp --license-authorize --license-number "AB0CD-EFGHJ-1K2LM-N3PQR-STVW4-XYZ"

However, more importantly, each user will have their own keyring.

This may be precisely what you require. If some keys need to be shared, they can be imported into the keyrings of individual users as and when required.

Define a global environment variable

The PGP_HOME_DIR variable lets users share a common home directory for PGP Command Line. This means that the product only needs to be licensed once and users will share a single keyring.

After the PGP_HOME_DIR variable is defined you must license PGP Command Line in order to create a new PGPprefs.xml file in the shared directory. After this, all users on the system will be able to run PGP commands without needing to license the software. This location will also be used for keyrings and key operations.

To define PGP_HOME_DIR on a Windows system

  1. Right click on My Computer.
  2. Click Properties.
  3. Click the Advanced tab.
  4. Click the Environmental Variables button.
  5. Under the System Variables window, click the New button.
  6. In the Variable Name field type PGP_HOME_DIR.
  7. In the Variable Value field enter the directory that will be used to store the PGPprefs.xml file. Note that a trailing slash is required. For example, C:\PGP\
  8. Press OK twice.
  9. The next time you open a command prompt this system variable will be set. Type set at the prompt to verify that PGP_HOME_DIR is listed with the correct value.
  10. Relicense PGP Command Line and verify that PGPprefs.xml is created in the PGP_HOME_DIR folder.


To define PGP_HOME_DIR on a Red Hat Linux system

  1. As the root user, create a shared PGP directory. For example, create /home/pgp:
    mkdir /home/pgp
  2. Create a group. For example, create a group named pgp:
    groupadd pgp
  3. Add a user to the group. For example, to add the user named user1 to the pgp group:
    usermod -a -G pgp user1
  4. Give the new group ownership of the shared PGP directory. For example, to give the pgp group ownership of the /home/pgp directory:
    chown :pgp /home/pgp
  5. Create a script in the /etc/profile.d directory that sets the PGP_HOME_DIR environment variable to its value and also appends the /opt/pgp/bin directory to the search path. Both variables must be exported: a plain assignment only creates a shell variable, and the pgp process would not see it. This sets the environment variables for all users of the system. For example, to set PGP_HOME_DIR to /home/pgp/ and update the search path, create /etc/profile.d/pgphome.sh containing this:
    # Set global home directory for PGP Command Line
    export PGP_HOME_DIR=/home/pgp/
    # Add PGP Command Line to the path
    export PATH=$PATH:/opt/pgp/bin
  6. Log in as any user and enter this to confirm the environment variables have been set:
    echo $PGP_HOME_DIR; echo $PATH
  7. Each user will need to license PGP Command Line and a $HOME/.pgp/PGPprefs.xml file will be created for each user.
  8. Users can create and use shared keys by specifying the --home-dir parameter. For example, to create a shared key for the user [email protected]:
    pgp --gen-key "Bob <[email protected]>" --key-type rsa --encryption-bits 2048 --passphrase mypassword --home-dir $PGP_HOME_DIR
  9. The first time a shared keyring is created, it will be owned by the user that created it. To allow all users belonging to a group to access it, set ownership. For example, to allow the pgp group access to the shared keyring:
    chown :pgp $PGP_HOME_DIR/*
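The Linux procedure above, as an added example that is not part of the original article: a bash script with our own helper names that provisions the shared directory, generates the profile.d snippet with both variables exported so the pgp process inherits them, and verifies the result. It assumes the shared directory should be group-writable with the setgid bit (mode 2770), which the article's chown alone does not give; the group and path (pgp, /home/pgp/) are the article's.

```shell
#!/bin/bash
# Added example (not from the article): provision and verify a shared
# PGP_HOME_DIR for a group of PGP Command Line users.
set -u

# Emit the /etc/profile.d/pgphome.sh snippet. Both variables are exported
# so the pgp binary, a child of the login shell, actually inherits them.
pgp_profile_script() {
  local home_dir="$1"
  printf '%s\n' \
    "# Set global home directory for PGP Command Line" \
    "export PGP_HOME_DIR=${home_dir}" \
    "# Add PGP Command Line to the path" \
    'export PATH=$PATH:/opt/pgp/bin'
}

# Source the snippet in a subshell and confirm that a separate child
# process sees PGP_HOME_DIR; an unexported assignment fails this check.
pgp_env_exported() {
  ( eval "$(pgp_profile_script "$1")"
    sh -c '[ "$PGP_HOME_DIR" = "$1" ]' _ "$1" )
}

# Create the shared directory: owned by the group, group-writable and
# setgid (mode 2770) so keyrings one member creates stay group-accessible.
# The article only changes the group owner; the mode is our assumption.
# Needs root to hand the directory to a group you are not a member of.
pgp_setup_shared_dir() {
  local dir="$1" group="$2"
  mkdir -p "$dir" && chgrp "$group" "$dir" && chmod 2770 "$dir"
}

# Verify the directory exists, is exactly mode 2770 and is owned by
# the group. Prints the first failing check and returns 1.
pgp_check_shared_dir() {
  local dir="$1" group="$2"
  [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
  [ -n "$(find "$dir" -prune -perm 2770)" ] \
    || { echo "$dir is not mode 2770"; return 1; }
  [ -n "$(find "$dir" -prune -group "$group")" ] \
    || { echo "$dir is not owned by group $group"; return 1; }
}

# Usage as root:
#   pgp_setup_shared_dir /home/pgp/ pgp
#   pgp_profile_script /home/pgp/ > /etc/profile.d/pgphome.sh
#   pgp_check_shared_dir /home/pgp/ pgp
```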


Use a dedicated service account

On a Red Hat Linux system, you can use the sudo command to run PGP Command Line as a dedicated service account. This avoids needing to define PGP_HOME_DIR, and it keeps the license and the keyring confined to one account rather than spread across each user's home directory, which is the least-privilege arrangement for a shared tool. All PGP Command Line commands will be executed as the service account:

  1. Install PGP Command Line as the root user. Do not license it.
  2. Create a service account. For example, to add a service account user named pgpsvc (which also creates a group named pgpsvc):
    useradd pgpsvc
  3. Add an existing user account to the service account group. For example, to add user1 to the pgpsvc group:
    usermod -a -G pgpsvc user1
  4. Set a password for the service account. For example, to set the password for the pgpsvc service account:
    passwd pgpsvc
  5. Create a sudoers file for PGP Command Line in order to allow members of the service account group to execute commands as the service account user without a password. For example, if the service group is pgpsvc and the service user is also pgpsvc:
    echo "%pgpsvc ALL=(pgpsvc) NOPASSWD: ALL" > /etc/sudoers.d/pgp
  6. Note that if you wish to change the sudoers file in future you should always use the visudo editor because it will check the contents of the file for syntax errors:
    visudo -f /etc/sudoers.d/pgp
  7. Login as the service account user and edit the $HOME/.bashrc file to add PGP Command Line to the search path. For example:
    echo "# Add PGP Command Line to the path" >> $HOME/.bashrc
    echo "PATH=\$PATH:/opt/pgp/bin" >> $HOME/.bashrc
  8. Optionally, give all members of the service account group permissions on the service account's home directory. For example:
    chmod g+rwx $HOME
  9. Logout as the service account user.
  10. Login as the service account user and license PGP Command Line. For example:
    pgp --license-authorize --license-number AB0CD-EFGHJ-1K2LM-N3PQR-STVW4-XYZ
  11. Logout as the service account user.
  12. Optionally, login as root and lock the password of the service account to prevent the account logging in interactively (root can always unlock it again in future with passwd -u). Note that passwd -d would delete the password entirely, which leaves the account with an empty password rather than a locked one. For example, to lock the password of the pgpsvc service account:
    passwd -l pgpsvc
  13. Login as a user who has been added to the service account group and use PGP Command Line using the sudo command. For example, for user1 to use PGP Command Line as the pgpsvc service account:
    sudo -iu pgpsvc pgp --version --verbose | grep Home
     Home Directory: /home/pgpsvc/.pgp/
  14. Note that by default the service account user will not have access to other users' home directories. Therefore carry out file operations in a directory with appropriate permissions. For example, if you gave the service account group permissions over the service account's home directory, that directory would be suitable.

To allow another existing user to execute PGP Command Line commands as the service account:

  1. Login as root and add the existing user account to the service account group. For example, to add user2 to the pgpsvc group:
    usermod -a -G pgpsvc user2
  2. Login as the existing user account and execute commands using the sudo command. For example, login as user2 and list keys on the PGP keyring:
    sudo -iu pgpsvc pgp --list-keys
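The service-account procedure above and its follow-on for additional users, as an added example that is not part of the original article: bash helpers with our own names that install the sudoers rule with the 0440 mode visudo uses, audit the installed file, and read the locked state of the account from passwd -S output. It assumes the article's names pgpsvc and /etc/sudoers.d/pgp.

```shell
#!/bin/bash
# Added example (not from the article): install and audit the sudo
# delegation for the PGP Command Line service account. The names pgpsvc
# and /etc/sudoers.d/pgp follow the article; the helper names are ours.
set -u

# The article's rule: members of group $1 run anything as user $2 without
# a password. ALL is kept rather than /opt/pgp/bin/pgp because 'sudo -i'
# is matched against the login shell, not the command handed to it.
pgp_sudoers_rule() {
  printf '%%%s ALL=(%s) NOPASSWD: ALL\n' "$1" "$2"
}

# Install the rule with the 0440 mode visudo uses rather than the 0644 a
# plain 'echo >' leaves, then syntax-check the installed file when root.
pgp_install_sudoers() {
  local file="$1" group="$2" user="$3" tmp rc
  tmp=$(mktemp) || return 1
  pgp_sudoers_rule "$group" "$user" > "$tmp"
  install -m 0440 "$tmp" "$file"; rc=$?
  rm -f "$tmp"
  [ "$rc" -eq 0 ] || return "$rc"
  # visudo -c also checks owner and mode, so it is only meaningful as root.
  if [ "$(id -u)" -eq 0 ] && command -v visudo >/dev/null 2>&1; then
    visudo -cqf "$file" || return 1
  fi
}

# Audit: file exists, is exactly mode 0440 and holds the expected rule
# and nothing else. Prints the first failure and returns 1.
pgp_audit_sudoers() {
  local file="$1" group="$2" user="$3"
  [ -f "$file" ] || { echo "missing $file"; return 1; }
  [ -n "$(find "$file" -perm 0440)" ] \
    || { echo "$file is not mode 0440"; return 1; }
  [ "$(cat "$file")" = "$(pgp_sudoers_rule "$group" "$user")" ] \
    || { echo "$file does not contain only the expected rule"; return 1; }
}

# Parse one line of 'passwd -S <user>' output. Field 2 is LK (Red Hat) or
# L (Debian) for a locked password, PS/P for a usable one and NP for an
# empty one, which is what 'passwd -d' leaves behind.
pgp_account_locked() {
  case "$(printf '%s\n' "$1" | awk '{print $2}')" in
    LK|L) return 0 ;;
    *) return 1 ;;
  esac
}
# Usage as root: pgp_install_sudoers /etc/sudoers.d/pgp pgpsvc pgpsvc
#                pgp_account_locked "$(passwd -S pgpsvc)"
```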