PGP Command Line stores the licensing information in the current user's home directory in a file called PGPprefs.xml. This file cannot be moved to another directory or shared with other users.
In addition, each user will have an individual keyring. This means that keys cannot easily be shared between users.
If you have a multi-user environment then you can do one of the following:
Authorize PGP Command Line for each user.
Define a global environment variable.
Use a dedicated service account.
Symantec PGP Command Line on Windows and Linux
Please adopt one of the following strategies to use PGP Command Line in a multi-user environment.
License PGP Command Line for each user
Licensing PGP Command Line for each user that needs to use it involves each user issuing just one command. For example:
pgp --license-authorize --license-number "AB0CD-EFGHJ-1K2LM-N3PQR-STVW4-XYZ"
More importantly, each user will also have their own keyring.
This may be precisely what you require. If some keys need to be shared, they can be imported into the keyrings of individual users as and when required.
Define a global environment variable
The PGP_HOME_DIR variable lets users share a common home directory for PGP Command Line. This means that the product only needs to be licensed once and users will share a single keyring.
After the PGP_HOME_DIR variable is defined you must license PGP Command Line in order to create a new PGPprefs.xml file in the shared directory. After this, all users on the system will be able to run PGP commands without needing to license the software. This location will also be used for keyrings and key operations.
To define PGP_HOME_DIR on a Windows system
Right click on My Computer.
Click the Advanced tab.
Click the Environment Variables button.
Under the System Variables window, click the New button.
In the Variable Name field type PGP_HOME_DIR.
In the Variable Value field enter the directory that will be used to store the PGPprefs.xml file. Note that a trailing slash is required. For example, C:\PGP\
Press OK twice.
The next time you open a command prompt this system variable will be set. Type set at the prompt to verify that this variable is correctly set.
Relicense PGP Command Line and verify that PGPprefs.xml is created in the PGP_HOME_DIR folder.
To define PGP_HOME_DIR on a Red Hat Linux system
As the root user, create a shared PGP directory. For example, create /home/pgp.
Create a group. For example, create a group named pgp.
Add a user to the group. For example, to add the user named user1 to the pgp group:
usermod -a -G pgp user1
Give the new group ownership of the shared PGP directory. For example, to give the pgp group ownership of the /home/pgp directory:
chown :pgp /home/pgp
Create a script in the /etc/profile.d directory containing the environment variable name PGP_HOME_DIR and its value. Also append the /opt/pgp/bin directory to the search path. This will set these environment variables for all users of the system. Note that the variables must be exported, otherwise a sourced profile script only sets shell variables that the pgp process never sees. For example, to set PGP_HOME_DIR to /home/pgp/ and update the search path, create /etc/profile.d/pgphome.sh containing this:
# Set global home directory for PGP Command Line
export PGP_HOME_DIR=/home/pgp/
# Add PGP Command Line to the path
export PATH=$PATH:/opt/pgp/bin
Log in as any user and enter this to confirm the environment variables have been set:
echo $PGP_HOME_DIR; echo $PATH
Each user will need to license PGP Command Line and a $HOME/.pgp/PGPprefs.xml file will be created for each user.
Users can create and use shared keys by specifying the --home-dir parameter. For example, to create a shared key for the user firstname.lastname@example.org:
pgp --gen-key "Bob <email@example.com>" --key-type rsa --encryption-bits 2048 --passphrase mypassword --home-dir $PGP_HOME_DIR
The first time a shared keyring is created, it will be owned by the user that created it. To allow all users belonging to a group to access it, set ownership. For example, to allow the pgp group access to the shared keyring:
chown :pgp $PGP_HOME_DIR/*
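As an added check, not part of the Symantec article or the product, the following POSIX shell function audits a shared PGP_HOME_DIR the way the steps above leave it: the directory and every entry in it must belong to the sharing group, and nothing in it, the secret keyring in particular, may be readable or writable by other users. The function name is hypothetical and the directory it is run against in the usage line is constructed for this example.

```sh
#!/bin/sh
# Audit a shared PGP Command Line home directory (constructed example, not Symantec's code).
# Passes only if the directory and everything in it belong to the sharing group and no
# entry is readable or writable by 'other', so the keyrings are reachable by group members only.
# Usage: check_shared_pgp_home /home/pgp pgp   (hypothetical function name)
check_shared_pgp_home() {
    dir=$1
    group=$2
    rc=0
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir does not exist"
        return 1
    fi
    # The article's 'chown :pgp' step must cover the directory and every entry in it.
    # Column 4 of 'ls -ld' is the group name on both Linux and BSD.
    for f in "$dir" "$dir"/*; do
        [ -e "$f" ] || continue          # skip the unexpanded glob of an empty directory
        g=$(ls -ld "$f" | awk '{print $4}')
        if [ "$g" != "$group" ]; then
            echo "FAIL: $f is group '$g', expected '$group'"
            rc=1
        fi
    done
    # secring.skr holds private keys: nothing here may carry the world-read or world-write bit.
    world=$(find "$dir" \( -perm -004 -o -perm -002 \) -print)
    if [ -n "$world" ]; then
        echo "FAIL: world-accessible entries:"
        echo "$world"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $dir is restricted to group $group"
    return "$rc"
}
```

Run it after the chown step and again whenever a new key is generated, since files created by one user start with that user's default group and mode.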
Use a dedicated service account
On a Red Hat Linux system, you can use the sudo command to run PGP Command Line as a service account. This avoids needing to create a PGP_HOME_DIR and complies with security best practice. All PGP Command Line commands will be executed as the service account:
Install PGP Command Line as the root user. Do not license it.
Create a service account. For example, to add a service account user named pgpsvc (which also creates a group named pgpsvc):
useradd pgpsvc
Add an existing user account to the service account group. For example, to add user1 to the pgpsvc group:
usermod -a -G pgpsvc user1
Set a password for the service account. For example, to set the password for the pgpsvc service account:
passwd pgpsvc
Create a sudoers file for PGP Command Line in order to allow members of the service account group to execute commands as the service account user without a password. For example, if the service group is pgpsvc and the service user is also pgpsvc:
echo "%pgpsvc ALL=(pgpsvc) NOPASSWD: ALL" > /etc/sudoers.d/pgp
Note that if you wish to change the sudoers file in future you should always use the visudo editor, because it checks the contents of the file for syntax errors:
visudo -f /etc/sudoers.d/pgp
Log in as the service account user and edit the $HOME/.bashrc file to add PGP Command Line to the search path. For example:
echo "# Add PGP Command Line to the path" >> $HOME/.bashrc
echo "PATH=\$PATH:/opt/pgp/bin" >> $HOME/.bashrc
Optionally, give all members of the service account group permissions on the service account's home directory. For example:
chmod g+rwx $HOME
Log out as the service account user.
Log in as the service account user and license PGP Command Line. For example:
pgp --license-authorize --license-number AB0CD-EFGHJ-1K2LM-N3PQR-STVW4-XYZ
Log out as the service account user.
Optionally, log in as root and delete the password of the service account to prevent the account logging in interactively (root can always set a password again in future). For example, to delete the password of the pgpsvc service account:
passwd -d pgpsvc
Log in as a user who has been added to the service account group and use PGP Command Line via the sudo command. For example, for user1 to use PGP Command Line as the pgpsvc service account:
sudo -iu pgpsvc pgp --version --verbose | grep Home
Home Directory: /home/pgpsvc/.pgp/
Note that by default the service account user will not have access to other users' home directories. Therefore carry out file operations in a directory with appropriate permissions. For example, if you gave the service account group permissions over the service account's home directory, that directory would be suitable.
To allow another existing user to execute PGP Command Line commands as the service account:
Log in as root and add the existing user account to the service account group. For example, to add user2 to the pgpsvc group:
usermod -a -G pgpsvc user2
Log in as the existing user account and execute commands using the sudo command. For example, log in as user2 and list keys on the PGP keyring:
sudo -iu pgpsvc pgp --list-keys
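Added example, not from the article or from Symantec: a POSIX shell function that lints the sudoers drop-in created above before anyone relies on it. It checks what sudo itself is strict about (a file name without a '.' or trailing '~', mode 0440) and that every rule names the service account, not ALL, as the run-as user, which is the property that keeps this setup from becoming a route to root. It complements rather than replaces visudo -cf; the function name and the sample files in the usage line are constructed.

```sh
#!/bin/sh
# Lint a sudoers drop-in for the PGP service account (constructed example, not from Symantec).
# sudo skips files under /etc/sudoers.d whose names contain a '.' or end in '~', expects
# drop-ins to be mode 0440, and every rule here should grant only the service account
# as the run-as user, never ALL or root. Returns 0 when clean, 1 with findings on stdout.
# Usage: lint_pgp_sudoers /etc/sudoers.d/pgp pgpsvc   (hypothetical function name)
lint_pgp_sudoers() {
    file=$1
    svc=$2
    rc=0
    base=$(basename "$file")
    case "$base" in
        *.*|*~) echo "FAIL: sudo ignores '$base' (name contains '.' or ends in '~')"; rc=1 ;;
    esac
    # Permission bits read via ls, which is portable where stat's flags are not.
    mode=$(ls -l "$file" | cut -c1-10)
    if [ "$mode" != "-r--r-----" ]; then
        echo "FAIL: $file is $mode, expected -r--r----- (0440)"
        rc=1
    fi
    # Every non-comment line must name exactly the service account in its (runas) field.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|\#*) continue ;;
            *"=($svc)"*) ;;
            *) echo "FAIL: rule not limited to ($svc): $line"; rc=1 ;;
        esac
    done < "$file"
    [ "$rc" -eq 0 ] && echo "OK: $file"
    return "$rc"
}
```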
Imported Document ID: TECH148942