Export key to multiple servers
Paul R. Ramer
free10pro at gmail.com
Tue Sep 29 20:19:19 CEST 2009
On Mon, 2009-09-28 at 09:46 -0700, kearney wrote:
> I am trying to export a secret key created on my local box to multiple
> servers. Let's say the key is 12345678.
> The goal is to have 1 script which runs on all the servers to encrypt and
> backup the data to S3. And 1 script to decrypt the data for restores.
> currently i've done
> gpg --output secret --export-secret-keys "Real name"
> gpg --output public --export "Real name"
> secret & public have been scp'd to the servers.
> >From the servers I ran
> gpg --import secret
> gpg --import public
> Now, when I try to encrypt the data
> gpg --recipient 12345678 --encrypt file
> I get
> gpg: 12345678: There is no assurance this key belongs to the named user
> It is NOT certain that the key belongs to the person named in the user
> ID. If you *really* know what you are doing, you may answer the next
> question with yes.
> I don't have a public key so I can't use gpg --sign-key. And if I do create
> a public key; can the same script be used to "decrypt" the files for
> restores across all the servers?
> How can I import the keys on the servers so the servers can encrypt data?
> And data can be decrypted using the key (12345678)?
You don't need a public key to suppress this warning. The reason gpg is
warning about the validity of this key is that when gpg exports keys,
the ownertrust information, which is kept in ~/.gnupg/trustdb.gpg, isn't
exported with the key. When you imported the keys onto your server, gpg
didn't import any ownertrust information.
If you created a signing key (we'll call it AABBCCDD) and signed your
key 12345678 with AABBCCDD, gpg wouldn't trust the signature unless it
trusted the owner of the key (ownertrust). The answer lies in fixing
You need to edit the key with the following commands.
gpg --edit-key 12345678
Gpg will ask how much trust to give. Choose 5, which is ultimate,
because you own the secret key.
More information about the Gnupg-users