Forward entire gnupg $HOME

john doe johndoe65534 at
Thu Sep 5 08:59:16 CEST 2019

On 9/4/2019 10:41 PM, Andre Klärner wrote:
> Hi all,
> is there a way to properly share the entire keyring and trust settings
> between two machines?
> My use case is the following:
> Mutt, my email client, runs on a containerized mailserver on another machine
> right under my desk.
> My GPG key is stored on a Yubikey attached to my workstation (another
> physical machine compared to the mailserver's host system).
> I usually use my workstation to do everything, but since I can't access my
> mailbox via NFS anymore (different story), I resorted to sshing into my
> email server, and doing all the mailing needs right there, locally.
> My Yubikey also is used as the SSH key for everything, and hence plugged
> into my workstation.
> After following and battling with
> the autostarting gpg-agent (fixed with no-autostart in the remote system's
> gpg.conf), masking all but the dirmngr systemd socket and service units, and
> struggling with the removal of /run/user/1000/gnupg on logout, I finally
> got it to work. (Nice how the last one doesn't matter, if dirmngr.socket is
> enabled.)
> Now I have another problem: my main machine knows all my internet friends'
> keys, my mailserver not. I can of course gpg --export, scp and gpg --import,
> but that is not scalable and needs to be repeated over and over again
> when anything changes.
> Do I expect too much, or is this simply and typically an invalid use case?
> Is there a simpler way to configure a remote GPG just for a session, so
> that it uses another socket to connect to the gpg-agent (I also sign git
> commits, sometimes with etckeeper even on remote machines)?

The obvious solution would be to use mutt on your workstation! :)
I would also use one signing key per device on which you need to sign.
That way, if one device is compromised, you simply revoke that subkey.

Sorry for not directly answering your question!

John Doe
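As an added example (not part of this thread, nor GnuPG's own tooling), the shell script below covers the two pieces of the setup the original poster describes: forwarding the remote gpg's agent socket back to the workstation's gpg-agent, so the Yubikey never leaves the desk, and a repeatable sync of public keys plus ownertrust from one GnuPG home into another, so the "export, scp, import" chore becomes one command that is safe to rerun. It assumes GnuPG 2.1 or later on both sides, that the remote gpg.conf carries no-autostart (as in the thread), and that the remote sshd_config has StreamLocalBindUnlink yes so a stale socket file from a previous session does not block the forward. The hostname argument is a placeholder; the socket paths are read from gpgconf rather than hard-coded.

```shell
#!/bin/sh
# Added example, not from the gnupg-users thread or from GnuPG itself.
# Assumptions: GnuPG >= 2.1 locally and remotely; remote gpg.conf has
# "no-autostart"; remote sshd_config has "StreamLocalBindUnlink yes".
set -eu

# Print the ssh RemoteForward option that maps the socket path the remote gpg
# expects ($1, from "gpgconf --list-dirs agent-socket" on the remote host) to
# the local agent's restricted ".extra" socket ($2, from
# "gpgconf --list-dirs agent-extra-socket"). The extra socket is the one GnuPG
# intends for forwarding: it refuses operations such as key export.
agent_forward_opts() {
    printf -- '-R %s:%s' "$1" "$2"
}

# Copy every public key and the ownertrust database from GNUPGHOME $1 into
# GNUPGHOME $2. Rerunning is harmless: importing a key already present is a
# no-op, and ownertrust import simply overwrites the same values.
sync_public_state() {
    src="$1"; dst="$2"
    mkdir -p "$dst" && chmod 700 "$dst"
    GNUPGHOME="$src" gpg --batch --quiet --export --armor \
        | GNUPGHOME="$dst" gpg --batch --quiet --import
    GNUPGHOME="$src" gpg --batch --quiet --export-ownertrust \
        | GNUPGHOME="$dst" gpg --batch --quiet --import-ownertrust
}

# Number of public keys in GNUPGHOME $1 (0 on an empty or fresh home).
count_public_keys() {
    GNUPGHOME="$1" gpg --batch --quiet --with-colons --list-keys 2>/dev/null \
        | grep -c '^pub:' || true
}

# Stand-alone use: ./sync-gpg.sh remote user@mailserver.example
# Pushes keys and trust to the remote home, then opens a shell there with the
# agent forwarded, so "gpg --sign" on the remote host uses the local Yubikey.
if [ "${1:-}" = "remote" ]; then
    remote="${2:?usage: $0 remote user@host}"
    remote_sock=$(ssh "$remote" gpgconf --list-dirs agent-socket)
    local_extra=$(gpgconf --list-dirs agent-extra-socket)
    gpg --batch --quiet --export --armor | ssh "$remote" gpg --batch --quiet --import
    gpg --batch --quiet --export-ownertrust | ssh "$remote" gpg --batch --quiet --import-ownertrust
    # shellcheck disable=SC2046  # the option string is meant to be word-split
    exec ssh $(agent_forward_opts "$remote_sock" "$local_extra") "$remote"
fi
```

Only public material crosses the wire: private keys stay on the Yubikey, and the forwarded ".extra" socket lets the remote gpg ask the local agent to sign or decrypt but not to export secrets, which is the property to check when deciding whether a compromised mail server is an acceptable risk.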
