How do you peeps sync your GPG keyrings across machines?
@fribbledom I keep my key offline. On a machine without my gpg key I just import the key, remove the master key from there, and all set.
As I did it 3 times in my entire life I do not remember the commands to do that, so I just have to search every time :/ (I probably wrote the process down somewhere)
The proper way to do it:
1. use a master key and put that somewhere safe (ideally offline/airgapped, on a machine that you only use for PGP) and use that to create GnuPG subkeys.
2. Create as many subkeys as necessary, one for each of your devices.
1. Use a master key and protect it, same as above.
2. Create 2 subkeys, one as backup.
3. Sync the subkey any way you want (IronKey, encrypted USB drive, syncthing, et al)
4. Revoke subkey as needed
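The workflow in the reply above (master key kept offline, only secret subkeys copied to each device), as an added shell example that is not from any poster in this thread. It assumes gpg 2.1 or newer on PATH; the user ID and passphrase are constructed values, and both keyrings are throwaway temp directories.

```shell
#!/bin/sh
# Added example: build a certify-only master key plus one signing subkey in an
# "offline" keyring, export ONLY the secret subkey, import it into a second
# "device" keyring, and confirm the device holds a stub (sec#) for the master.
# Assumptions: gpg >= 2.1; UID_STR and PASS below are constructed, not real.
set -eu

UID_STR='Example User <example@example.invalid>'   # constructed
PASS='constructed-example-passphrase'             # constructed

# Run gpg non-interactively against the given homedir.
g() { home=$1; shift; gpg --batch --quiet --homedir "$home" --pinentry-mode loopback --passphrase "$PASS" "$@"; }

# Returns 0 when the device keyring has the master as a stub and a real secret subkey.
demo_subkey_export() {
    offline=$(mktemp -d); device=$(mktemp -d)
    chmod 700 "$offline" "$device"

    # Offline machine: certify-only, never-expiring master, plus a 1-year signing subkey.
    g "$offline" --quick-generate-key "$UID_STR" ed25519 cert never
    fpr=$(g "$offline" --list-keys --with-colons | awk -F: '$1=="fpr"{print $10; exit}')
    g "$offline" --quick-add-key "$fpr" ed25519 sign 1y

    # This is all that travels to the device: public key and secret subkeys.
    # The master's secret material never leaves the offline keyring.
    g "$offline" --export --armor "$fpr" > "$device/pub.asc"
    g "$offline" --export-secret-subkeys --armor "$fpr" > "$device/subkeys.asc"

    # Device: import into its own keyring.
    g "$device" --import "$device/pub.asc" "$device/subkeys.asc"

    # In --with-colons output, field 15 of a sec/ssb record is '#' for a stub.
    listing=$(g "$device" --list-secret-keys --with-colons "$fpr")
    master_stub=$(printf '%s\n' "$listing" | awk -F: '$1=="sec" && $15=="#"{n++} END{print n+0}')
    real_subkeys=$(printf '%s\n' "$listing" | awk -F: '$1=="ssb" && $15!="#"{n++} END{print n+0}')

    rm -rf "$offline" "$device"
    [ "$master_stub" -eq 1 ] && [ "$real_subkeys" -ge 1 ]
}
```

On the device, `gpg --list-secret-keys` shows the master as `sec#` (usable for nothing), while the `ssb` line is the subkey that actually signs; revoking that subkey from the offline master later does not touch the other devices' subkeys.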
@fribbledom USB thumb drive, keep the USB drive afterwards so that I have control over it (it'll likely have traces). Have a long-as-hell password on the export.
@fribbledom Generate on one machine, manually copy to all clients, then not using any key for 2 years, then the key expires. Repeat after 3 years.
@fribbledom I keep my master key offline, and put the rest -- signing, encryption, authentication -- on a pair of yubikeys (one backup, one pocket).
@fribbledom I keep my master subkey offline - it never touches my workstations. And any other "online" subkeys I keep in Bitwarden.
@fribbledom rsync over ssh works splendidly! :) But maybe only for me, because I only modify one set of keyrings at a time and keep track of which machine it currently is on.
@fribbledom Personally I'd just use signify, so I'd just copy my private key to a USB drive, then delete it with rm -P k.sec before plugging it into an untrusted device
@fribbledom Btw, you can use signify with Debian as signify-openbsd(1), so you can also use it on Qubes OS, as well as at least FreeBSD and OpenBSD
@fribbledom I don't use it, but if I did I'd stick it into my Cryptomator container inside my Google Drive. Same way I make my SSH key accessible.