Forward entire gnupg $HOME

Andre Klärner kandre at ak-online.be
Thu Sep 5 14:36:58 CEST 2019


Hi all,

On Thu 05.09.2019 09:16:54, Erich Eckner via Gnupg-users wrote:
> On Thu, 5 Sep 2019, john doe wrote:
> 
> > On 9/4/2019 10:41 PM, Andre Klärner wrote:
> >> Hi all,
> >>
> >> is there a way to properly share the entire keyring and trust settings
> >> between two machines?
> 
> [ snip ]
> 
> > The obvious solution would be to use mutt on your work station! :)
> > I would also use one signing key per device on which you need to sign
> > commits/tags/...
> > That way if one device is compromised you simply revoke that subkey.
> 
> While this would work for signing, it will not work for decryption.

It also would contradict my security model: there are exactly three copies
of my private key: one in my Yubikey 5 NFC, one in my Yubikey 5 nano, one
in my OpenPGP smartcard. There are no other keys at all.

And unless I actively use one of them, they are all offline and not usable.
The Yubikeys even go a step further: even plugged in and with my PIN used
once they are not usable, unless someone is physically present to confirm
the operation by touching them.

Especially the last part is the main reason I was drawn to Yubikeys: our
company uses SSH extensively, and due to Audit restrictions
SSHAgentForwarding must be enabled so that the audit box can log all SSH
plaintext traffic. But once I am logged on to one of our servers I have
root access, as do many of our colleagues, so a knowledgeable person can
easily reuse my agent for anything else. With a physical confirmation
required this is no longer a problem.

So I hope you now know how my requirements came to be, and that simply
using multiple subkeys doesn't scale. The only thing saving me is proper
and secure forwarding.

Thanks and best regards,
Andre

-- 
Andre Klärner
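The forwarding Andre is asking for is normally done by forwarding the local gpg-agent socket over SSH rather than copying the keyring. The script below is an added example, not code from the thread or from GnuPG; host names and socket paths in it are assumptions, the real ones come from `gpgconf --list-dirs` on each machine. It emits the client-side ssh_config block and checks a (constructed) sshd_config for the one server-side option without which the forward silently fails.

```shell
#!/bin/sh
# Added example (not from the original thread). Forward a local gpg-agent
# to a remote host with OpenSSH instead of copying ~/.gnupg.
#
# The local side exposes two sockets:
#   gpgconf --list-dirs agent-socket        full-access socket, keep local
#   gpgconf --list-dirs agent-extra-socket  restricted socket, forward this one
# gpg-agent treats clients on the extra socket as remote: they can sign and
# decrypt, but cannot export secret keys, change PINs or alter agent options.
# With a YubiKey touch policy on the card, every such operation still needs
# a physical touch on the local machine.

# gpg_forward_config LOCAL_EXTRA_SOCKET REMOTE_AGENT_SOCKET HOST
# Prints an ssh_config Host block. REMOTE_AGENT_SOCKET is what
# `gpgconf --list-dirs agent-socket` prints on the remote host.
gpg_forward_config() {
    local_sock=$1
    remote_sock=$2
    host=$3
    printf 'Host %s\n' "$host"
    printf '    # remote socket path first, then the local (restricted) socket\n'
    printf '    RemoteForward %s %s\n' "$remote_sock" "$local_sock"
    printf '    # fail the login instead of silently running without the agent\n'
    printf '    ExitOnForwardFailure yes\n'
}

# Find the local extra socket; falls back to the classic path (an assumption)
# when gpgconf is not installed, e.g. when run on a machine without GnuPG.
local_extra_socket() {
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --list-dirs agent-extra-socket
    else
        printf '%s/.gnupg/S.gpg-agent.extra\n' "$HOME"
    fi
}

# check_sshd_config FILE
# sshd removes a stale remote socket before binding only if
# StreamLocalBindUnlink is set to yes; otherwise the second login finds the
# old socket file in place and the RemoteForward fails. Returns 0 if set.
check_sshd_config() {
    grep -Eq '^[[:space:]]*StreamLocalBindUnlink[[:space:]]+yes[[:space:]]*$' "$1"
}

# Stand-alone usage with assumed paths (replace with gpgconf output):
gpg_forward_config "$(local_extra_socket)" /run/user/1000/gnupg/S.gpg-agent work
```

The remote host additionally needs the public keys and trust database that the thread is about (`gpg --export` / `gpg --export-ownertrust` and the matching imports), and no gpg-agent of its own running for that user, since a remote agent would own the socket path that the forward wants to bind. Keep SSH agent forwarding and gpg-agent forwarding separate: this block forwards only the restricted GnuPG socket and says nothing about `ForwardAgent`.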