
How do you peeps sync your GPG keyrings across machines?


I don’t sync private keys across machines, but I do have a script that dumps key ids into a text file and another script that attempts to import key ids (one per line) from a text file. Most of that became a non-issue when I started using keybase though.

@fribbledom I keep my key offline. On a machine without my gpg, I just import the key, remove the master key from there, and all set.

As I did it 3 times in my entire life, I do not remember the commands to do that, so I just have to search every time :/ (probably wrote the process down somewhere)

@fribbledom I don't. That just leaves more avenues for compromise.

@billblake2018 @fribbledom

Does that mean if I send you an encrypted email you can only read it on one particular device?

@john @fribbledom Exactly. Which means that any adversary would have a similar problem.

Except, of course, that I can always log into that one device if I'm compelled to read my mail from elsewhere.

@muesli I don't. My secret keys are stored on Yubikeys, so there's no need to sync them

@fribbledom rsync works fine (for the very limited use I have for gnupg).

@fribbledom

NVIDIA ad whisper voice

regenerate everything

@fribbledom

The proper way to do it:

1. use a master key and put that somewhere safe (ideally offline/airgapped, on a machine that you only use for PGP) and use that to create GnuPG subkeys.

2. Create as many subkeys as necessary, one for each of your devices.

3. Profit

Alternatively:

1. Use a master key and protect it, same as above.

2. Create 2 subkeys, one as backup.

3. Sync the subkey any way you want (IronKey, encrypted USB drive, syncthing, et al)

4. Revoke subkey as needed
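The "master key offline, subkeys on devices" workflow from the post above (and the import-then-strip-the-master variant a few replies earlier) as a runnable script. This is an added example, not code from the thread: it builds a certify-only master key in an "offline" keyring directory, adds signing, encryption and authentication subkeys, and exports a subkeys-only file for a device keyring, where gpg then lists the master as a stub (`sec#`). It assumes GnuPG 2.1+ on PATH; the user id, directories and file names are made up, and the keys are generated without a passphrase purely so the demo runs non-interactively.

```shell
#!/bin/sh
# Added example, not code from the thread: a certify-only master key kept in
# an "offline" keyring, three capability subkeys, and a subkeys-only export
# for a device keyring. Assumes GnuPG 2.1+ on PATH; names/paths are made up.
set -eu

# Non-interactive gpg wrapper bound to one keyring directory.
gpg_in() {
    dir="$1"; shift
    gpg --homedir "$dir" --batch --yes --pinentry-mode loopback --passphrase '' "$@"
}

# Step 1: certify-only (C) master key in the offline keyring; prints its fingerprint.
make_master_key() {
    dir="$1"; uid="$2"
    mkdir -p "$dir" && chmod 700 "$dir"
    gpg_in "$dir" --quick-generate-key "$uid" ed25519 cert 1y >/dev/null 2>&1
    gpg_in "$dir" --with-colons --list-keys "$uid" | awk -F: '$1=="fpr"{print $10; exit}'
}

# Step 2: one subkey per capability (S, E, A); these are what devices receive.
add_subkeys() {
    dir="$1"; fpr="$2"
    gpg_in "$dir" --quick-add-key "$fpr" ed25519 sign 1y >/dev/null 2>&1
    gpg_in "$dir" --quick-add-key "$fpr" cv25519 encr 1y >/dev/null 2>&1
    gpg_in "$dir" --quick-add-key "$fpr" ed25519 auth 1y >/dev/null 2>&1
}

# Step 3: export only the subkeys' secret material; the master secret key is
# replaced by a stub in the output, so it never leaves the offline keyring.
export_subkeys_only() {
    dir="$1"; fpr="$2"; out="$3"
    gpg_in "$dir" --export-secret-subkeys "$fpr" > "$out"
    chmod 600 "$out"
}

# Import the subkeys-only file into a device keyring.
import_into_device() {
    dir="$1"; file="$2"
    mkdir -p "$dir" && chmod 700 "$dir"
    gpg_in "$dir" --import "$file" >/dev/null 2>&1
}

# Report what a keyring holds: "master:stub" means gpg prints "sec#" (no master
# secret key present); "subkeys:N" counts the "ssb" records in the listing.
secret_key_status() {
    dir="$1"
    listing=$(gpg_in "$dir" --list-secret-keys 2>/dev/null)
    if printf '%s\n' "$listing" | grep -q '^sec#'; then master=stub; else master=present; fi
    n=$(printf '%s\n' "$listing" | grep -c '^ssb' || true)
    printf 'master:%s subkeys:%s\n' "$master" "$n"
}

# Stop the gpg-agent instances that were started for the throwaway keyrings.
cleanup_agents() {
    for dir in "$@"; do gpgconf --homedir "$dir" --kill gpg-agent 2>/dev/null || true; done
}

# Demo run (only when gpg is installed): offline keyring -> export -> device keyring.
if command -v gpg >/dev/null 2>&1; then
    work=$(mktemp -d)
    fpr=$(make_master_key "$work/offline" "Example User <user@example.invalid>")
    add_subkeys "$work/offline" "$fpr"
    export_subkeys_only "$work/offline" "$fpr" "$work/subkeys.gpg"
    import_into_device "$work/device" "$work/subkeys.gpg"
    echo "offline: $(secret_key_status "$work/offline")"   # master:present subkeys:3
    echo "device:  $(secret_key_status "$work/device")"    # master:stub subkeys:3
    cleanup_agents "$work/offline" "$work/device"
fi
```

The point of the `sec#` check is that a device keyring carrying only subkeys cannot certify other keys or mint new subkeys; if one device is lost, the offline master revokes that subkey (step 4 of the alternative recipe) and issues a replacement, while the master itself is never exposed. In real use the master keyring would live on removable media or an air-gapped machine and be passphrase-protected rather than created with `--passphrase ''`.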

@fribbledom Private keys are simple, I have one master which I copy encrypted to all the others. But I think you mean how to keep track of all the public keys you have added in various clients? If you run the same OS on all platforms, perhaps using

@fribbledom USB thumb drive, keep the USB drive afterwards so that I have control over it (It'll likely have traces). Have a long-as-hell password on the export.

@fribbledom Generate on one machine, manually copy to all clients, then not use any key for 2 years, then the key expires. Repeat after 3 years.

@fribbledom I keep my master key offline, and put the rest -- signing, encryption, authentication -- on a pair of yubikeys (one backup, one pocket).

@fribbledom by adding them to my keepass database, and syncing everything but the keepass private key

Not that I have ever read encrypted mail on anything but my laptop...

@fribbledom I keep my master subkey offline - it never touches my workstations. And any other "online" subkeys I keep in Bitwarden.

@fribbledom Probably not the answer sought here, but using Keybase (one keypair only).

@fribbledom rsync over ssh works splendidly! :) But maybe only for me, because I only modify one set of keyrings at a time and keep track of which machine it is currently on.

@fribbledom I keep master key offline in cold storage. Subkeys stored on yubikeys.

@middlepath @fribbledom
What is the use case? You can still decrypt all messages with the subkey even if it is revoked?

@perflyst @fribbledom I use them primarily for signing. I haven’t actually tested decrypting with a revoked subkey. Is it true that it still works?!?

@fribbledom Personally I'd just use signify, so I'd just copy my private key onto a USB drive, then delete it with rm -P k.sec before plugging it into an untrusted device

@fribbledom Btw, you can use signify with Debian as signify-openbsd(1), so you can also use it on Qubes OS, as well as at least FreeBSD and OpenBSD

@fribbledom I don't use it, but if I did I'd stick it into my Cryptomator container inside my Google drive. Same way I make my Ssh key accessible.
