Sharing PGP keys

Strictly speaking, you don't. A single PGP key goes to a single address/identity.

In practice, you will need some form of re-encrypt process.

A mailing list daemon could monitor the incoming mailbox for "[email protected]" and it has access to the private key for that address, as well as access to a keyring of public keys for the members of the list.

When a pgp encrypted email comes in, the daemon would decrypt the message, then re-encrypt it to each public key in its keyring, and dispatch copies of the message to each member of the list.

This also has the advantage of disconnecting list membership from the public facing, single PGP key.

For example: If people are added to, or leave the team who should have access, just remove or add their public keys to/from the daemon's keyring. One member's key gets compromised somehow, just replace that one. You have to change the public facing key, just change that, and all members keep their own.

Any sort of literally "shared" solution has problems if one or more of the above examples come up.

Someone in the security team will still have to be responsible for the DevOps maintenance of this email daemon, of course.
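A minimal working version of the re-encrypt daemon described above, as an added example that is not part of the original answer. It drives GnuPG in throwaway keyrings so it runs offline; the addresses (list@example.org, alice@example.org, bob@example.org), the passphrase-less keys and the message text are constructed for the demo.

```bash
set -euo pipefail

# Each party gets its own throwaway GNUPGHOME, so no real keyring is touched.
gen_home() { mkdir -p "$1"; chmod 700 "$1"; }
gpg_as()   { local h=$1; shift; GNUPGHOME="$h" gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

run_relay_demo() {
  local work; work=$(mktemp -d)
  local daemon="$work/daemon" sender="$work/sender" alice="$work/alice" bob="$work/bob"
  gen_home "$daemon"; gen_home "$sender"; gen_home "$alice"; gen_home "$bob"

  # The list key's private half lives only in the daemon's keyring; each member
  # generates their own pair in a keyring they control (constructed demo keys).
  gpg_as "$daemon" --quick-generate-key list@example.org  default default never 2>/dev/null
  gpg_as "$alice"  --quick-generate-key alice@example.org default default never 2>/dev/null
  gpg_as "$bob"    --quick-generate-key bob@example.org   default default never 2>/dev/null

  # Enrolment: only members' PUBLIC keys enter the daemon's keyring; the sender
  # only ever sees the public-facing list key.
  gpg_as "$alice"  --export | gpg_as "$daemon" --import 2>/dev/null
  gpg_as "$bob"    --export | gpg_as "$daemon" --import 2>/dev/null
  gpg_as "$daemon" --export list@example.org | gpg_as "$sender" --import 2>/dev/null

  # Sender encrypts to the single list address.
  printf 'rotate the on-call token\n' |
    gpg_as "$sender" --trust-model always --encrypt -r list@example.org -o "$work/inbound.gpg"

  # Daemon: decrypt with the list key, re-encrypt to every member uid in its
  # keyring (all uids except the list's own), and "dispatch" one copy each.
  local plain member h
  plain=$(gpg_as "$daemon" --decrypt "$work/inbound.gpg" 2>/dev/null)
  for member in $(gpg_as "$daemon" --with-colons --list-keys |
                  awk -F: '$1=="uid"{print $10}' | grep -v '^list@'); do
    printf '%s\n' "$plain" |
      gpg_as "$daemon" --trust-model always --encrypt -r "$member" -o "$work/to-$member.gpg"
  done

  # Each member recovers the text with their own private key alone; removing a
  # member later is just deleting their public key from the daemon's keyring.
  gpg_as "$alice" --decrypt "$work/to-alice@example.org.gpg" 2>/dev/null
  gpg_as "$bob"   --decrypt "$work/to-bob@example.org.gpg"   2>/dev/null

  for h in "$daemon" "$sender" "$alice" "$bob"; do GNUPGHOME="$h" gpgconf --kill gpg-agent || true; done
  rm -rf "$work"
}

run_relay_demo
```

Requires GnuPG 2.1 or later (for `--quick-generate-key` and loopback pinentry); each member's copy decrypts to the original text, so the function prints it once per member.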

Tags:

Pgp