Handling an identity over multiple devices

Andrew Gallagher andrewg at andrewg.com
Fri Feb 19 11:00:16 CET 2021


Hi, Luke.

My personal experience is that a hardware device such as an OpenPGP card 
or Yubikey is the easiest way to share the same private key across 
multiple devices (assuming you have physical access, see below). You 
designate one machine your master, where you store your original key 
material on disk as normal (this would typically be your "most secure" 
machine), and then copy your key (including any subkeys) to the hardware 
device for use on your other machines.

To copy key material to a hardware device without deleting the master 
copy from disk, use the `keytocard` command of `gpg --edit-key`, but DO 
NOT SAVE, make sure instead to `quit` without saving. You may want to 
keep a backup of your .gnupg directory just in case.

On your other machine, first get a copy of your public key (by whatever 
means: email, scp, keyservers...). Then plug in the hardware device and 
incant `gpg --card-status`. It should automatically associate the 
private key on your card/yubikey with your public key, and you're good 
to go. You can use the same card on as many machines as you like, or you 
can make multiple cards.

Using a tamper-proof hardware device like this also ensures that you 
don't accidentally leave private key material somewhere you shouldn't 
(you should use a secure passphrase of course, but belt and braces never 
hurts).

If you need to use gpg on a remote machine without physical access, it 
may be worth looking into agent forwarding. The UX is a little less 
mature than cards but I've got it successfully working on a couple of 
machines. Where agent forwarding tends to go wrong is if you use the 
same machine both via the physical terminal and remotely - switching 
easily between these modes remains a work in progress.

A

On 18/02/2021 21:35, Luke via Gnupg-users wrote:
> Hi there,
> 
> 
> I've been using gpg on a basic level for some time now (signing commits, 
> mails, using pass[1]) on different computers and phones, and have never 
> cared much for tweaking as it seemed unnecessary. Now I've seen here and 
> there that it would make more sense for me to use subkeys for devices, 
> so that they all refer to the same identity (me). Reading this, it felt 
> like the good, logical thing to do. Yet, after checking some existing 
> threads of this mailing list through the archive system, it seems that 
> if the subkey subject is brought up, the usual response is "just stick 
> to gpg defaults and that's it". However, these threads usually involve a 
> person that has a single device and looks for better security for this 
> one device.
> 
> Now in the case of multiple devices, not using subkeys would mean 
> creating different keypairs, and different identities, which doesn't 
> sound nice, right?
> 
> [1] https://www.passwordstore.org/
> 
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
> 


-- 
Andrew Gallagher
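The critical step in the procedure above is quitting `gpg --edit-key` without saving after `keytocard`, so that the master machine keeps the real key on disk while the other machines only hold card stubs. The following is an added example, not part of the thread: a small POSIX shell check that reads `gpg --list-secret-keys` output and reports where each secret (sub)key lives, using the `>` (on card) and `#` (not available) markers gpg prints after `sec`/`ssb`. The function names and the two sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify key locations after keytocard / card-status.
# In `gpg -K` output the marker after sec/ssb means:
#   "sec"  / "ssb"   secret key material is on disk
#   "sec>" / "ssb>"  stub pointing at a smartcard/Yubikey
#   "sec#" / "ssb#"  stub with no secret key available at all

# classify_secret_keys: read `gpg -K` output on stdin, print one
# "<sec|ssb> <disk|card|missing>" line per secret (sub)key.
classify_secret_keys() {
    awk '
        $1 ~ /^(sec|ssb)/ {
            tag  = substr($1, 1, 3)
            mark = substr($1, 4, 1)
            if (mark == ">")      loc = "card"
            else if (mark == "#") loc = "missing"
            else                  loc = "disk"
            print tag, loc
        }'
}

# expect_all: exit 0 only if at least one secret (sub)key was found and
# every one of them is in the requested location (disk|card|missing).
expect_all() {
    classify_secret_keys | awk -v want="$1" '
        { n++; if ($2 != want) bad = 1 }
        END { exit (n == 0 || bad) }'
}

# Constructed sample: what the master machine should still show after
# `keytocard` followed by `quit` WITHOUT saving.
MASTER_SAMPLE='sec   ed25519 2021-02-19 [SC]
      0000000000000000000000000000000000000000
uid           [ultimate] Example User <user@example.org>
ssb   cv25519 2021-02-19 [E]'

# Constructed sample: what another machine shows after `gpg --card-status`
# has associated the card with the imported public key.
CARD_SAMPLE='sec>  ed25519 2021-02-19 [SC]
      0000000000000000000000000000000000000000
      Card serial no. = 0000 00000000
uid           [ultimate] Example User <user@example.org>
ssb>  cv25519 2021-02-19 [E]'

# Live usage on the master machine (do this before trusting the card copy):
#   gpg -K | expect_all disk || echo "WARNING: a key was replaced by a card stub"
```

On the master, a `card` or `missing` result means the edit session was saved and the on-disk key is gone, which is when the `.gnupg` backup mentioned above is needed.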
