One or many keys

Posted: Mon Feb 21, 2011 9:43 pm
by supradave
I administer a network for a small company. Currently, every user has an OpenVPN key. I'm rebuilding a firewall and it sort of struck me that having many keys could lead to a nefarious user stealing another's keys and then when the nefarious person leaves the company, they have a way to get in. So, instead of having this as a possible problem, why not just use 1 key for everyone. Then when there's a turnover, revoke the key and distribute a new key.

Granted, this could be done with many keys and doesn't take a long time.

I work for a company that makes security software and our chief scientist (who could talk your head off on security) doesn't see a problem with a single key approach. A developer thinks that it's easier to track down who's hogging bandwidth with many keys.

Any thoughts on such a scheme?

Thanks,
Dave

Re: One or many keys

Posted: Mon Feb 21, 2011 9:57 pm
by janjust
I'd always go for many keys:
* You can always revoke a key when it's compromised
* keys should have a password associated with them
* If your users give away their private key to co-workers the key should be revoked anyways
* re-distributing a new key to all users can quickly become a hassle.
* as your techie pointed out, with many keys it is much easier to track who is doing what

but with a single key + username/password authentication (which is a hassle for your users) you could achieve most of the above as well. Still, I'd always go for multiple keys.
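An added example (not code from either poster) of the accounting point raised in both posts: with one certificate per user, the Common Name column of the OpenVPN status file identifies the person behind each session, so a bandwidth hog is found with a sum per CN. With one shared certificate every session carries the same CN and that attribution is gone. The status text below is constructed in the version-1 layout OpenVPN writes for the `status` directive; names, addresses and byte counts are made up.

```python
"""Per-identity traffic accounting from an OpenVPN status file.

Added example, not from the forum thread. SAMPLE_STATUS is a constructed
version-1 status file (the layout written by `status /path/to/file`);
the addresses are documentation ranges and the byte counts are invented.
"""
from collections import defaultdict

SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Updated,Mon Feb 21 21:43:00 2011
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,203.0.113.10:51234,1200000,8500000,Mon Feb 21 20:01:00 2011
bob,198.51.100.7:40022,45000000,310000000,Mon Feb 21 19:30:00 2011
carol,203.0.113.44:51900,300000,2100000,Mon Feb 21 21:10:00 2011
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,alice,203.0.113.10:51234,Mon Feb 21 21:42:58 2011
10.8.0.10,bob,198.51.100.7:40022,Mon Feb 21 21:42:59 2011
10.8.0.14,carol,203.0.113.44:51900,Mon Feb 21 21:42:30 2011
GLOBAL STATS
Max bcast/mcast queue length,0
END
"""


def parse_client_list(status_text):
    """Return (common_name, real_address, bytes_received, bytes_sent) tuples
    from the CLIENT LIST section of a version-1 status file."""
    clients = []
    in_clients = False
    for line in status_text.splitlines():
        if line.startswith("Common Name,Real Address"):
            in_clients = True          # header row of the client table
            continue
        if line.startswith("ROUTING TABLE"):
            break                      # end of the client table
        if in_clients and line:
            cn, addr, rx, tx, _since = line.split(",", 4)
            clients.append((cn, addr, int(rx), int(tx)))
    return clients


def bytes_per_identity(clients):
    """Sum received+sent bytes per Common Name.

    With one certificate per user the CN is the user. With a shared
    certificate (and duplicate-cn on the server) every row carries the
    same CN, so all traffic collapses into a single bucket."""
    totals = defaultdict(int)
    for cn, _addr, rx, tx in clients:
        totals[cn] += rx + tx
    return dict(totals)


def top_talker(clients):
    """Return (common_name, total_bytes) for the busiest identity."""
    totals = bytes_per_identity(clients)
    return max(totals.items(), key=lambda item: item[1])


def as_shared_cert(clients, shared_cn="company-vpn"):
    """Model the single-key scheme: the same CN on every session.
    `shared_cn` is a hypothetical name chosen for this example."""
    return [(shared_cn, addr, rx, tx) for _cn, addr, rx, tx in clients]


if __name__ == "__main__":
    sessions = parse_client_list(SAMPLE_STATUS)
    print("per-user certs :", top_talker(sessions))
    print("shared cert    :", top_talker(as_shared_cert(sessions)))
```

Run it to see the difference: with per-user certificates the top talker is `bob` with 355000000 bytes; with the shared certificate the only identity is `company-vpn` with the whole 367100000 bytes. The shared-cert case still shows a distinct real address per session, but a source IP is not a person, which is exactly what the developer in the first post wants to know.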