GPG Sync: Internal GPG keys syncing tool for orgs

First Look Code has released GPG Sync, an open source tool for keeping a list of GPG keys used by members of an organization always updated, and always available to all of them.

GPG (GNU Privacy Guard, or GnuPG) is encryption software that encrypts messages using asymmetric keypairs. Senders send encrypted messages signed with their private key, and recipients decrypt them with the sender’s public key.

“If you’re part of an organization that uses GPG internally you might notice that it doesn’t scale well. New people join and create new keys and existing people revoke their old keys and transition to new ones. It quickly becomes unwieldy to ensure that everyone has a copy of everyone else’s current key, and that old revoked keys get refreshed to prevent users from accidentally using them,” the group, which is the open source software development arm of First Look Media (the publishers of The Intercept), explained the impetus behind the creation of GPG Sync.

The tool is available for OS X and Linux, and Micah Lee – a reporter and technologist for The Intercept, as well as a security engineer and open source developer – says that a Windows version is in the works.

The list will all the public GPG keys used by the organization’s members is kept updated by a trusted person within the organization, is signed with an “authority key” (created by this trusted person), and uploaded to a website so that it’s accessible from a public URL.

Members of the organization that have GPG Sync installed on their computers and have it configured with the authority key’s fingerprint and the URL of the list can automatically fetch the URL and the list is refreshed on their endpoints.

More information about how the software works is provided in the project’s Wiki.