Managing GPG keys with YADM #201
Comments
GPG maintains keys within a keyring. If you want to back up keys, they'll need to be exported. You could create a script which exports your keys (to a directory with locked-down permissions), and then put a pattern in .config/yadm/encrypt which refers to those keys. Public keys you've added can also be exported (along with the owner trust data). Here's an example script to export that data.

```bash
#!/bin/bash
# Export the GnuPG keyring into a private directory so yadm can encrypt it.
EXPORT_PATH="$HOME/.gnupg/.exported-keyring"

# Make sure the export directory exists and is accessible only by the owner.
if [ -d "$EXPORT_PATH" ]; then
    chmod 0700 "$EXPORT_PATH"
else
    mkdir -m 0700 -p "$EXPORT_PATH"
fi

if [ ! -d "$EXPORT_PATH" ]; then
    echo "Unable to create dir $EXPORT_PATH"
    echo "Aborting"
    exit 1
else
    echo "Exporting private key to $EXPORT_PATH"
    gpg -a --export-secret-key -o "$EXPORT_PATH/private-key.asc"
    chmod 0600 "$EXPORT_PATH/private-key.asc"

    echo "Exporting public keyring to $EXPORT_PATH"
    # Each "pub" record in --with-colons output is followed by its "fpr"
    # record; field 10 of that record is the primary key's fingerprint.
    for key in $(gpg -k --with-colons | grep pub -A 1 | grep fpr | cut -d: -f10); do
        echo "  Key: $key"
        # Overwrite rather than append, so re-running never duplicates a key.
        gpg -a --export "$key" > "$EXPORT_PATH/${key}.asc"
        chmod 0600 "$EXPORT_PATH/${key}.asc"
    done

    echo "Exporting ownertrust to $EXPORT_PATH"
    gpg --export-ownertrust > "$EXPORT_PATH/ownertrust.txt"
    chmod 0600 "$EXPORT_PATH/ownertrust.txt"
fi
```

A pattern of

Of course, after cloning/updating and decrypting, you'll need to import the keys/ownertrust. Something like this:

There may be other ways to handle this, but I'm not sure how portable the keyring databases are. It's possible you could just copy those, but it likely includes unnecessary data.
```bash
#!/bin/bash
# Same export flow, but umask makes every file and directory created below
# owner-only, so the per-file chmod calls are no longer needed.
umask 0077 # -rwx------
EXPORT_PATH="$HOME/.gnupg/.exported-keyring"

if [ -d "$EXPORT_PATH" ]; then
    chmod 0700 "$EXPORT_PATH"
else
    mkdir -m 0700 -p "$EXPORT_PATH"
fi

if [ ! -d "$EXPORT_PATH" ]; then
    echo "Unable to create dir $EXPORT_PATH"
    echo "Aborting"
    exit 1
fi

echo "Exporting private key to $EXPORT_PATH"
gpg -a --export-secret-key -o "$EXPORT_PATH/private-key.asc"

echo "Exporting public keyring to $EXPORT_PATH"
# The "fpr" record right after each "pub" record carries the primary key's
# fingerprint in field 10.
for key in $(gpg -k --with-colons | grep pub -A 1 | grep fpr | cut -d: -f10); do
    echo "  Key: $key"
    # Overwrite rather than append, so re-running never duplicates a key.
    gpg -a --export "$key" > "$EXPORT_PATH/${key}.asc"
done

echo "Exporting ownertrust to $EXPORT_PATH"
gpg --export-ownertrust > "$EXPORT_PATH/ownertrust.txt"
```
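Both scripts in this thread cover the export half; the import half that the first comment mentions is what you run on a new machine after `yadm decrypt`. The following is an added example, not code from this issue or from yadm itself, that puts both directions in one script and replaces the `grep -A 1` pipeline with a small parser that only takes the `fpr` record belonging to a primary key (subkeys also have `fpr` records, and they follow `sub` records). It assumes the thread's export directory `$HOME/.gnupg/.exported-keyring`; the function names and the embedded colon-format listing used by `selftest` are constructed for this example.

```sh
#!/bin/sh
# Added example (not the thread's own scripts): export and import helpers for
# the keyring backup discussed above. Assumes the same export directory the
# thread uses; function names and the sample colon output are this example's.
set -e
umask 0077   # every file and directory created below is owner-only

EXPORT_PATH="${EXPORT_PATH:-$HOME/.gnupg/.exported-keyring}"

# Read `gpg --with-colons` listing output on stdin and print the fingerprint
# (field 10) of each primary key. The "fpr" record directly after a "pub"
# record is the primary key's; "fpr" records after "sub" records belong to
# subkeys and are skipped, which keeps one exported file per primary key.
primary_fingerprints() {
    awk -F: '
        $1 == "pub"          { want = 1; next }
        $1 == "fpr" && want  { print $10 }
                             { want = 0 }
    '
}

# Export all secret keys, each public key (named by fingerprint) and ownertrust.
export_keyring() {
    mkdir -p "$EXPORT_PATH"
    chmod 0700 "$EXPORT_PATH"
    echo "Exporting secret keys to $EXPORT_PATH/private-key.asc"
    gpg --batch --yes --armor --output "$EXPORT_PATH/private-key.asc" \
        --export-secret-keys
    echo "Exporting public keys to $EXPORT_PATH"
    gpg --with-colons --with-fingerprint --list-keys | primary_fingerprints |
    while read -r fpr; do
        echo "  Key: $fpr"
        # --yes overwrites; appending (>>) would duplicate keys on every run.
        gpg --batch --yes --armor --output "$EXPORT_PATH/$fpr.asc" --export "$fpr"
    done
    echo "Exporting ownertrust to $EXPORT_PATH/ownertrust.txt"
    gpg --export-ownertrust > "$EXPORT_PATH/ownertrust.txt"
}

# Reverse direction, run on a fresh machine after `yadm decrypt`.
import_keyring() {
    gpg --batch --import "$EXPORT_PATH"/*.asc
    gpg --import-ownertrust "$EXPORT_PATH/ownertrust.txt"
}

# Constructed `gpg --with-colons` listing (not real keys): one RSA primary key
# with an encryption subkey and one ed25519 primary key. Only the two primary
# fingerprints should be printed.
SAMPLE_COLONS='tru::1:1700000000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1600000000::u:::scESC::::::23::0:
fpr:::::::::0000111122223333444455556666777788889999:
uid:u::::1600000000::0123456789ABCDEF0123456789ABCDEF01234567::Example User <user@example.org>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1600000000::::::e::::::23:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF00001111222233334444:
pub:u:255:22:1122334455667788:1650000000::u:::scESC:::::ed25519:::0:
fpr:::::::::1234123412341234123412341234123412341234:'

# Offline self-check of the parser; needs no gpg or keyring.
selftest() {
    printf '%s\n' "$SAMPLE_COLONS" | primary_fingerprints
}

case "${1:-}" in
    export)   export_keyring ;;
    import)   import_keyring ;;
    selftest) selftest ;;
    *)        echo "usage: $0 export|import|selftest" >&2 ;;
esac
```

Run `export` before `yadm encrypt` and `import` after `yadm decrypt`; an entry such as `.gnupg/.exported-keyring/*` in .config/yadm/encrypt (an assumed pattern, not one taken from this thread) would pick the directory up. Since GnuPG 2.1, `--export-secret-keys` asks for each protected key's passphrase through pinentry, so the export step is interactive; `selftest` runs offline and exercises only the parser.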
Hi again, I finally tried your suggestions and managed to export my GPG and SSH keys in encrypted form along with the dotfiles. Follow-up questions:
Thanks.
@atifraza you asked:
No, there isn't, so you could safely change `mkdir -m 0700 -p "$EXPORT_PATH"` to `mkdir -p "$EXPORT_PATH"`.
A single file could be fine. I think I suggested this way, so each public key added was identified via fingerprint. It would allow for things like, reviewing Git history and easily determining when particular keys were added/updated/etc.
Nope, the example I created didn't use umask, but that's a better way to handle it. 👍
This question is about
Is it a good idea to manage my GPG keys with YADM?
If so, can you suggest a starting pattern to include in the .config/yadm/encrypt file, so that GPG keys also get encrypted along with my SSH keys?
Thanks.