Month: September 2015

Using GnuPG/PGP on multiple devices

yeupouLeave a comment

I started using GnuPG in 2002. I dont usually do stuff that requires heavy privacy so I dont care much for it. From time to time, I just encrypt some useless crap so if anyday I had serious stuff to encrypt it would not look obviously suspicious.

Things is most of the people I communicate with are not using GnuPG and are probably not about to.

There is also an obvious issue with GnuPG is how to share key among computers/clients. How to decrypt messages with your phone or webmail? Copy the private key everywhere? It might just be worse than having no security at all.

I dont use GnuPG much, especially since I created my key in 2002 and don’t even know how secure this key is still now. I need it nonetheless to sign stuff like packages. Confronted to the problem of having to copy the key by hand on one more laptop,  I considered dropping my current set  and, inspired by this example of  primary key/subkeys model and debian’s one, to have a primary key secure somewhere and give a short-lived subkey per device.

But, it fixes not much of GnuPG problems, and implies lot of annoying not automated work, not satisfying. And anyway, if en/decrypt can only work for one subkey. So one subkey per device is not really working.

To make the process less painy, on a box being made from time to time available over network, I did as follow:

I created a primary key running gpg --expert --gen-key (cannot sign, cannot encrypt) with 4y expiry. (more entropy with rngd -r /dev/urandom).

I added with adduid and trust save the relevant additional addresses running gpg --expert --edit-key myemail

I created a sign and a encrypt subkey with no expiry (considering that they ll be revoked on the fly from the primary whenever it make sense).

I made up gpg-grabsub.sh that prompt for the hostname of the box hosting the keyring, will import the ring and remove the primary key from it, leaving just the necessary keys to sign and encrypt.

This script could probably be used in a chain (box secured from the net -> script run on gate server -> script run on a end client). It requires further testing.