Everyone at First Look Media, including all of the reporters at The Intercept, uses PGP encrypted email. Yes, you heard that correctly. From the beginning of this company we decided that everyone should use this notoriously hard-to-use encrypted email standard. But I think we’ve done a pretty good job at making it much simpler to use thanks to GPG Sync, an open source tool that we developed in order to offload the most complex part of encrypted email — key management — away from the users and onto our organization’s tech staff.
GPG Sync is designed to make it so everyone within your organization always has the correct public keys for everyone else in your organization without having to even think about it.
It works like this:
- The tech staff at your organization generates a PGP key called an “authority key” (we recommend they store it on a YubiKey). Then they create a list of all of the PGP fingerprints that all members of the organization should keep updated, called a “keylist.” They digitally sign the keylist with the authority key, and then upload both the keylist and the signature to a website so that it’s accessible from a public URL.
- All members of the organization install GPG Sync and subscribe to the keylist (you can subscribe to as many keylists as you’d like, if you want to stay up-to-date on all of the public keys of multiple organizations).
- When someone joins your organization, the tech staff helps them generate a PGP key, adds their fingerprint to the keylist, re-signs it with the authority key, and uploads it to the same URL. If a user migrates to a new key, the tech staff adds their new fingerprint to the keylist (and leaves their old fingerprint on the list as well so that all other members can tell that their old keys were revoked).
Now, each member of your organization doesn’t have to go track down everyone else’s public keys and make sure that they’re authentic. You don’t need to hold regular key signing parties (though I do recommend that the tech staff uses the authority key to sign each key as they add it to the keylist in order to build an internal web of trust). The users don’t actually have to do anything — they just write encrypted emails to their colleagues, and it just works.
In short, GPG Sync allows everyone in an organization to use PGP without having to understand how to securely obtain and verify other people’s public keys, and it scales linearly instead of exponentially like it would if everyone had to compare fingerprints with everyone else.
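The client-side half of the scheme described above, as an added example that is not GPG Sync’s own code: it parses a keylist (assumed here to be one fingerprint per line, with `#` comments), reads gpg’s machine-readable `VALIDSIG` status line to learn which key made the detached signature, insists that this be the pinned authority key, and only then refreshes the listed fingerprints. The sample keylist, fingerprints and status output are constructed; `gpg_verify_status` is the only part that needs a real `gpg` binary.

```python
"""Keylist verification in the style of GPG Sync (added example, not the project's code)."""
import re
import subprocess
from typing import Callable, List, Optional

# A v4 OpenPGP fingerprint is 40 hex digits; gpg displays it in groups of four.
FINGERPRINT_RE = re.compile(r"^[0-9A-F]{40}$")


class KeylistError(Exception):
    """Raised when the keylist or its signature fails a check; nothing is refreshed."""


def normalize_fingerprint(value: str) -> str:
    """Strip the spaces gpg prints between groups and upper-case the hex."""
    fp = value.replace(" ", "").upper()
    if not FINGERPRINT_RE.match(fp):
        raise KeylistError(f"not a 40-hex fingerprint: {value!r}")
    return fp


def parse_keylist(text: str) -> List[str]:
    """One fingerprint per line; '#' comments and blank lines are ignored.
    Duplicates are dropped (order preserved) and any malformed line rejects
    the whole file: a half-applied keylist is worse than an unchanged one."""
    seen: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            fp = normalize_fingerprint(line)
        except KeylistError as e:
            raise KeylistError(f"line {lineno}: {e}") from e
        if fp not in seen:
            seen.append(fp)
    return seen


def signer_from_status(status_text: str) -> Optional[str]:
    """Return the primary-key fingerprint from gpg's VALIDSIG status line, or None.
    Field order: VALIDSIG <fpr> <date> <sig-ts> <exp-ts> <ver> <rsv> <pk-algo>
    <hash-algo> <class> <primary-key-fpr>. Only VALIDSIG carries the fingerprint;
    GOODSIG alone is not enough, and BADSIG/ERRSIG/NO_PUBKEY yield None."""
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) >= 12 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            return normalize_fingerprint(parts[11])
    return None


def gpg_verify_status(keylist_path: str, sig_path: str) -> str:
    """Run gpg on the detached signature and return its status output.
    Needs gpg and the authority public key already in the keyring."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, keylist_path],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout


def sync_keylist(authority_fp: str, status_text: str, keylist_text: str,
                 refresh: Callable[[str], None]) -> List[str]:
    """Verify the keylist signature against the pinned authority key, then refresh
    every listed fingerprint. Nothing is refreshed until the check passes.
    Pinning the fingerprint (rather than accepting any valid signature) is the
    point: the keylist is served from an ordinary URL, and whoever controls that
    URL could sign a replacement with a key of their own. Old fingerprints stay on
    the list on purpose: refreshing them pulls in the revocation of a rotated key."""
    authority = normalize_fingerprint(authority_fp)
    signer = signer_from_status(status_text)
    if signer is None:
        raise KeylistError("keylist signature did not verify (no VALIDSIG)")
    if signer != authority:
        raise KeylistError(f"keylist signed by {signer}, not authority {authority}")
    fingerprints = parse_keylist(keylist_text)
    for fp in fingerprints:
        refresh(fp)  # e.g. gpg --recv-keys <fp> against the configured keyserver
    return fingerprints


# Constructed sample data: not a real keylist, key, or gpg output.
SAMPLE_AUTHORITY = "AAAA BBBB CCCC DDDD EEEE FFFF 0000 1111 2222 3333"
SAMPLE_KEYLIST = """\
# keylist for example.org (constructed)
AAAA BBBB CCCC DDDD EEEE FFFF 0000 1111 2222 3333
0123456789abcdef0123456789abcdef01234567

fedcba9876543210fedcba9876543210fedcba98  # rotated key, kept so the revocation propagates
0123456789abcdef0123456789abcdef01234567  # duplicate, dropped
"""
SAMPLE_STATUS_GOOD = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0000111122223333 Example Authority <authority@example.org>\n"
    "[GNUPG:] VALIDSIG AAAABBBBCCCCDDDDEEEEFFFF0000111122223333 2019-01-01 "
    "1546300800 0 4 0 1 10 00 AAAABBBBCCCCDDDDEEEEFFFF0000111122223333\n"
)
SAMPLE_STATUS_BAD = "[GNUPG:] BADSIG 0000111122223333 Example Authority <authority@example.org>\n"

if __name__ == "__main__":
    refreshed: List[str] = []
    print(sync_keylist(SAMPLE_AUTHORITY, SAMPLE_STATUS_GOOD, SAMPLE_KEYLIST, refreshed.append))
    try:
        sync_keylist(SAMPLE_AUTHORITY, SAMPLE_STATUS_BAD, SAMPLE_KEYLIST, refreshed.append)
    except KeylistError as err:
        print("rejected:", err)
```

In a real deployment `refresh` would be a keyserver fetch, and the authority fingerprint would come from the user’s GPG Sync configuration rather than a constant; the status text would be produced by `gpg_verify_status` on the downloaded keylist and `.sig` file.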
Right now, the FLM keylist has over 200 fingerprints on it, and this list changes on a weekly basis as we hire new people and as people rotate their keys. This way, I can write an encrypted email to a new employee that I haven’t met in person yet, or to an old employee who has changed PGP keys since the last time we worked on a project together, without having to worry about encrypting my message to the wrong key.
If you’d like to deploy GPG Sync at your organization, start by checking out the wiki. And please let me know: I’m curious which other organizations are using it, and I might want to subscribe to your keylist.