Re: Syncing GnuPG between 2 system
On Fri, Sep 28, 2018 at 11:33:44AM -0400, Jim Popovitch wrote:
> Hello!
> 
> What is the best way to maintain consistency of a user's gnupg
> signing/verifying capabilities between 2 or more desktop systems?
> 

You may find this article helpful:

http://www.connexer.com/articles/openpgp-subkeys

It is a bit dated, but I still follow the procedure every year when I
extend the expiration of my subkeys.

Essentially, what you want is a primary secret key that remains offline
(except for when you need to sign other keys and to extend the
expiration of the primary and/or subkeys, if you choose to give them
expiration dates).  Then, the multiple devices each get a signing subkey
which can be used for signing only.

The only thing not covered in the article is the verifying part, but
that is a simple sync of ~/.gnupg/pubring.gpg.  You can probably do that
via cron or some other file sync approach (maybe that detects when you
connect to your home network or whatever).

If you really only care about signing and verifying then that is pretty
much it.  However, note (as covered in the article) if you want to
decrypt you will need to copy the same encryption subkey to every
device.  This is because while a given primary GPG key can have an
arbitrary number of signing subkeys, it only makes sense to have one
encryption subkey (I am not sure if that is also enforced on the
technical side).

Regards,

-Roberto

-- 
Roberto C. Sánchez
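An added example, not part of the reply above or of the linked article: a small POSIX shell audit of the layout Roberto describes (primary secret key offline, only a signing subkey present on each device). It parses `gpg --with-colons --list-secret-keys` output, where field 15 of a `sec`/`ssb` record is `#` when the secret part is only a stub; the two listings below are constructed samples, and `audit_keyring` is a hypothetical wrapper that only runs when you point it at a real GNUPGHOME.

```shell
#!/bin/sh
# Constructed sample: what a correctly provisioned laptop should show.
# The primary (sec) is a stub ('#' in field 15); the signing subkey (ssb,
# capability 's' in field 12) has its secret part present (field 15 empty).
SAMPLE_OK='sec:u:4096:1:0123456789ABCDEF:1538150000:1569686000::u:::scESCA:::#:::23::0:
fpr:::::::::PLACEHOLDERFINGERPRINT0123456789ABCDEF:
ssb:u:4096:1:FEDCBA9876543210:1538150000:1569686000:::::s::::::23::0:'

# Constructed sample of the mistake to catch: the full primary secret key
# was copied to the device (field 15 of the sec record is empty, not '#').
SAMPLE_BAD='sec:u:4096:1:0123456789ABCDEF:1538150000:1569686000::u:::scESCA::::::23::0:
ssb:u:4096:1:FEDCBA9876543210:1538150000:1569686000:::::s::::::23::0:'

# Exit 0 when every sec record is a stub, i.e. the primary key stays offline.
primary_is_offline() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "sec" && $15 != "#" { onbox = 1 }
        END { exit onbox }'
}

# Print the key IDs of signing-capable subkeys whose secret part is on this box.
signing_subkeys_present() {
    printf '%s\n' "$1" | awk -F: '$1 == "ssb" && $12 ~ /s/ && $15 != "#" { print $5 }'
}

# Hypothetical wrapper: audit a real keyring directory. Returns 0 if the
# layout matches the reply's advice, 1 if the primary secret key is present,
# 3 if no usable signing subkey was found.
audit_keyring() {
    listing=$(gpg --homedir "$1" --batch --with-colons --list-secret-keys 2>/dev/null) || return 2
    primary_is_offline "$listing" || { echo "primary secret key present on this device" >&2; return 1; }
    subs=$(signing_subkeys_present "$listing")
    [ -n "$subs" ] || { echo "no signing subkey with secret part found" >&2; return 3; }
    echo "OK: primary offline; signing subkey(s): $subs"
}

# Only touch a real keyring when explicitly asked, e.g.
#   GNUPGHOME_TO_AUDIT=/home/alice/.gnupg sh audit.sh
[ -n "${GNUPGHOME_TO_AUDIT:-}" ] && audit_keyring "$GNUPGHOME_TO_AUDIT"
```

Verification on every device only needs the public keyring, so syncing `pubring.gpg` (or `pubring.kbx` on GnuPG 2.1 and later) is independent of this secret-key check.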