How do you peeps sync your GPG keyrings across machines?


I don’t sync private keys across machines, but I do have a script that dumps key ids into a text file and another script that attempts to import key ids (one per line) from a text file. Most of that became a non-issue when I started using keybase though.

@fribbledom I keep my key offline; on a machine without it, my gpg just imports the key, I remove the master key from there, and all set.

As I've done it 3 times in my entire life, I do not remember the commands to do that, so I just have to search every time :/ (I probably wrote the process down somewhere)

@fribbledom I don't. That just leaves more avenues for compromise.

@billblake2018 @fribbledom

Does that mean if I send you an encrypted email you can only read it on one particular device?

@john @fribbledom Exactly. Which means that any adversary would have a similar problem.

Except, of course, that I can always log into that one device if I'm compelled to read my mail from elsewhere.

@muesli I don't. My secret keys are stored on Yubikeys, so there's no need to sync them

@fribbledom rsync works fine (for the very limited use I have for gnupg).


NVIDIA ad whisper voice

regenerate everything


The proper way to do it:

1. use a master key and put that somewhere safe (ideally offline/airgapped, on a machine that you only use for PGP) and use that to create GnuPG subkeys.

2. Create as many subkeys as necessary, one for each of your devices.

3. Profit


1. Use a master key and protect it, same as above.

2. Create 2 subkeys, one as backup.

3. Sync the subkey any way you want (IronKey, encrypted USB drive, syncthing, et al)

4. Revoke subkey as needed
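The layout this reply describes (master key offline, per-device subkeys, possibly on a token) is easy to verify on a workstation: in `gpg --list-secret-keys --with-colons` output, field 15 of a `sec`/`ssb` record is `#` for an offline stub, a serial number when the secret lives on a smartcard, and empty when the raw secret sits in the local keyring. The audit below is an added example, not code from anyone in this thread; the colon-format sample is constructed and the field positions follow GnuPG's DETAILS document.

```python
"""Audit a GnuPG secret keyring for the 'master offline, subkeys on token' layout."""
from dataclasses import dataclass
from typing import List

# Constructed sample of `gpg --list-secret-keys --with-colons` output (no real keys).
# sec = primary secret key, ssb = secret subkey; field 12 holds capabilities
# (c=certify, s=sign, e=encrypt, a=auth), field 15 the token serial / '#' stub marker.
SAMPLE = """\
sec:u:4096:1:0123456789ABCDEF:1600000000:::u:::cSCA:::#:::23::0:
fpr:::::::::FEDCBA98765432100123456789ABCDEF01234567:
uid:u::::1600000000::0000000000000000000000000000000000000000::Alice Example <alice@example.org>::::::::::0:
ssb:u:4096:1:1111222233334444:1600000000::::::s:::D2760001240102010006123456780000:::23:
fpr:::::::::1111222233334444AAAABBBBCCCCDDDDEEEEFFFF:
ssb:u:4096:1:5555666677778888:1600000000::::::e::::::23:
fpr:::::::::5555666677778888AAAABBBBCCCCDDDDEEEEFFFF:
"""

@dataclass
class SecretKey:
    keyid: str
    caps: str
    token: str        # '#', a token serial number, or '' (secret material on disk)
    is_primary: bool  # True for 'sec' records, False for 'ssb'

    @property
    def location(self) -> str:
        if self.token == "#":
            return "offline"   # stub only: private key material is not on this machine
        if self.token:
            return "token"     # held on a smartcard / Yubikey
        return "on-disk"

def parse_secret_keys(text: str) -> List[SecretKey]:
    """Extract sec/ssb records from colon-format listing; other record types are skipped."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] not in ("sec", "ssb"):
            continue
        f += [""] * (21 - len(f))  # pad short records so fixed indexes are safe
        keys.append(SecretKey(keyid=f[4], caps=f[11], token=f[14], is_primary=(f[0] == "sec")))
    return keys

def audit(keys: List[SecretKey]) -> List[str]:
    """Return findings where the keyring deviates from master-offline / subkeys-on-token."""
    findings = []
    for k in keys:
        if k.is_primary and k.location != "offline":
            findings.append(f"master {k.keyid} secret is {k.location}; expected an offline stub")
        elif not k.is_primary and k.location == "on-disk":
            findings.append(f"subkey {k.keyid} ({k.caps}) secret is on disk, not on a token")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_secret_keys(SAMPLE)) or ["keyring layout OK"]:
        print(finding)
```

Pipe the real listing in instead of `SAMPLE` to check a workstation; a `sec` line without the `#` marker means the master secret was imported in full rather than as a stub.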

@fribbledom Private keys are simple, I have one master which I copy encrypted to all the others. But I think you mean how to keep track of all the public keys you have added in various clients? If you run the same OS on all platforms, perhaps using

@fribbledom USB thumb drive, keep the USB drive afterwards so that I have control over it (It'll likely have traces). Have a long-as-hell password on the export.

@fribbledom Generate on one machine, manually copy to all clients, then not using any key for 2 years, then the key expires. Repeat after 3 years.

@fribbledom I keep my master key offline, and put the rest -- signing, encryption, authentication -- on a pair of yubikeys (one backup, one pocket).

@fribbledom by adding them to my keepass database, and syncing everything but the keepass private key

not that i have ever read encrypted mail on anything but my laptop...

@fribbledom I keep my master subkey offline - it never touches my workstations. And any other "online" subkeys I keep in Bitwarden.

@fribbledom Probably not the answer sought here, but using Keybase (one keypair only).

@fribbledom rsync over ssh works splendidly! :) But maybe only for me, because I only modify one set of keyrings at a time and keep track of which machine it currently is on.

@fribbledom I keep my master key offline in cold storage. Subkeys are stored on yubikeys.

What is the use case? Can you still decrypt all messages with the subkey even if it is revoked?

@perflyst @fribbledom I use them primarily for signing. I haven’t actually tested decrypting with a revoked subkey. Is that true that it still works?!?

@fribbledom Personally I'd just use signify, so I'd just copy my private key to a USB drive, then delete it with rm -P k.sec before plugging it into an untrusted device

@fribbledom Btw, you can use signify with Debian as signify-openbsd(1), so you can also use it on Qubes OS, as well as at least FreeBSD and OpenBSD

@fribbledom I don't use it, but if I did I'd stick it into my Cryptomator container inside my Google Drive. Same way I make my SSH key accessible.
