Managing GPG keys with YADM #201

Closed
2 of 8 tasks
atifraza opened this issue Feb 16, 2020 · 5 comments
atifraza commented Feb 16, 2020

This question is about

  • Installation
  • Initializing / Cloning
  • Alternate files
  • Jinja templates
  • Encryption
  • Bootstrap
  • Hooks
  • Other

Is it a good idea to manage my GPG keys with YADM?

If so, can you suggest some starting patterns to include in the .config/yadm/encrypt file, so that GPG keys also get encrypted along with my SSH keys.

Thanks.

@TheLocehiliosan (Owner) commented

GPG maintains keys within a keyring. If you want to backup keys, they'll need to be exported.

You could create a script which exports your keys (to a directory with locked down permissions), and then put a pattern in .config/yadm/encrypt which refers to those keys. Public keys you've added can also be exported (along with the owner trust data). Here's an example script to export that data.

#!/bin/bash
EXPORT_PATH="$HOME/.gnupg/.exported-keyring"
# Make sure the export directory exists and is accessible only by the owner
if [ -d "$EXPORT_PATH" ]; then
  chmod 0700 "$EXPORT_PATH"
else
  mkdir -m 0700 -p "$EXPORT_PATH"
fi
if [ ! -d "$EXPORT_PATH" ]; then
  echo "Unable to create dir $EXPORT_PATH"
  echo "Aborting"
  exit 1
else
  echo "Exporting private key to $EXPORT_PATH"
  # --yes: overwrite an existing file instead of prompting when the script is re-run
  gpg -a --yes --export-secret-key -o "$EXPORT_PATH/private-key.asc"
  echo "Exporting public keyring to $EXPORT_PATH"
  # One armored file per primary key, named by fingerprint (field 10 of the
  # fpr record that follows each pub record in --with-colons output)
  for key in $(gpg -k --with-colons | grep -A 1 '^pub:' | grep '^fpr:' | cut -d: -f10); do
    echo "  Key: $key"
    # Overwrite rather than append, so re-running does not duplicate keys in the file
    gpg -a --export "$key" > "$EXPORT_PATH/${key}.asc"
    chmod 0600 "$EXPORT_PATH/${key}.asc"
  done
  echo "Exporting ownertrust to $EXPORT_PATH"
  gpg --export-ownertrust > "$EXPORT_PATH/ownertrust.txt"
  chmod 0600 "$EXPORT_PATH/ownertrust.txt"
fi

A pattern of .gnupg/.exported-keyring/* could be put into .config/yadm/config.

Of course, after cloning/updating and decrypting, you'll need to import the keys/ownertrust. Something like this:

gpg --import "$HOME/.gnupg/.exported-keyring"/*.asc
gpg --import-ownertrust "$HOME/.gnupg/.exported-keyring"/ownertrust.txt

There may be other ways to handle this, but I'm not sure how portable the keyring databases are. It's possible you could just copy those, but it likely includes unnecessary data.

@rasa (Contributor) commented Feb 18, 2020

A chmod 600 was missed, so this is slightly more secure:

#!/bin/bash
umask 0077 # -rwx------ : every file/dir created below is owner-only
EXPORT_PATH="$HOME/.gnupg/.exported-keyring"
if [ -d "$EXPORT_PATH" ]; then
  chmod 0700 "$EXPORT_PATH"
else
  mkdir -m 0700 -p "$EXPORT_PATH"
fi
if [ ! -d "$EXPORT_PATH" ]; then
  echo "Unable to create dir $EXPORT_PATH"
  echo "Aborting"
  exit 1
fi
echo "Exporting private key to $EXPORT_PATH"
# --yes: overwrite an existing file instead of prompting when the script is re-run
gpg -a --yes --export-secret-key -o "$EXPORT_PATH/private-key.asc"
echo "Exporting public keyring to $EXPORT_PATH"
# One armored file per primary key, named by fingerprint (field 10 of the
# fpr record that follows each pub record in --with-colons output)
for key in $(gpg -k --with-colons | grep -A 1 '^pub:' | grep '^fpr:' | cut -d: -f10); do
  echo "  Key: $key"
  # Overwrite rather than append, so re-running does not duplicate keys in the file
  gpg -a --export "$key" > "$EXPORT_PATH/${key}.asc"
done
echo "Exporting ownertrust to $EXPORT_PATH"
gpg --export-ownertrust > "$EXPORT_PATH/ownertrust.txt"
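Pulling the two scripts above together, here is an added example; it is neither the yadm project's code nor either participant's. It keeps the thread's layout (an .exported-keyring directory under ~/.gnupg, one .asc per primary key named by fingerprint, private-key.asc and ownertrust.txt) but parses the colon-format listing with awk so that only primary-key fingerprints are exported (the fpr records that follow sub records are subkey fingerprints and are skipped), overwrites each .asc instead of appending so re-runs are idempotent, relies on umask 0077 alone for the 0600/0700 modes, adds the import step, and ends with an audit that fails if any exported file is not mode 0600. The function names, the EXPORT_PATH override, the --export/--import/--audit switches and the embedded sample listing are constructed for this example; the gpg options used are standard ones.

```shell
#!/bin/bash
# Added example; not code from the yadm project or from the participants in
# this issue. Function names, the EXPORT_PATH override, the --export/--import/
# --audit arguments and the sample listing below are this example's own choices.
set -eu
umask 0077   # files created below are 0600 and directories 0700, so no -m/chmod is needed

EXPORT_PATH="${EXPORT_PATH:-$HOME/.gnupg/.exported-keyring}"

# Constructed sample of `gpg -k --with-colons` output (two primary keys, one subkey);
# the fingerprints are placeholders, not real keys.
SAMPLE_LISTING='tru::1:1600000000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1580000000:::u:::scESC::::::23::0:
fpr:::::::::1111111111111111111111111111111111111111:
uid:u::::1580000000::0000000000000000000000000000000000000000::Alice (constructed) <alice@example.com>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1580000000::::::e::::::23:
fpr:::::::::2222222222222222222222222222222222222222:
pub:u:255:22:ABCDEF0123456789:1590000000:::-:::scESC:::::ed25519:::0:
fpr:::::::::3333333333333333333333333333333333333333:'

# Read --with-colons records on stdin and print each primary key's fingerprint.
# The fpr record directly after a pub record is the primary fingerprint; fpr
# records after sub records belong to subkeys and are skipped, because
# exporting by primary fingerprint already includes the subkeys.
primary_fingerprints() {
  awk -F: '
    $1 == "pub"         { want = 1; next }
    $1 == "fpr" && want { print $10 }
                        { want = 0 }
  '
}

# Succeed only if the directory is 0700 and every regular file in it is 0600.
# find -perm with an exact octal mode behaves the same on GNU and BSD find.
audit_export_dir() {
  dir=$1
  bad=0
  if [ -z "$(find "$dir" -maxdepth 0 -type d -perm 0700)" ]; then
    echo "directory is not mode 0700: $dir" >&2
    bad=1
  fi
  offenders=$(find "$dir" -type f ! -perm 0600)
  if [ -n "$offenders" ]; then
    echo "files not mode 0600:" >&2
    echo "$offenders" >&2
    bad=1
  fi
  return $bad
}

export_keyring() {
  mkdir -p "$EXPORT_PATH"            # umask already yields 0700
  echo "Exporting secret keys to $EXPORT_PATH"
  # Redirection instead of -o: no overwrite prompt on re-runs, and the umask applies
  gpg -a --export-secret-keys > "$EXPORT_PATH/private-key.asc"
  echo "Exporting public keys to $EXPORT_PATH"
  gpg -k --with-colons | primary_fingerprints | while read -r fpr; do
    echo "  Key: $fpr"
    gpg -a --export "$fpr" > "$EXPORT_PATH/$fpr.asc"   # overwrite, never append
  done
  echo "Exporting ownertrust to $EXPORT_PATH"
  gpg --export-ownertrust > "$EXPORT_PATH/ownertrust.txt"
  audit_export_dir "$EXPORT_PATH"
}

# After yadm has cloned and decrypted: restore keys and ownertrust
import_keyring() {
  gpg --import "$EXPORT_PATH"/private-key.asc "$EXPORT_PATH"/[0-9A-F]*.asc
  gpg --import-ownertrust "$EXPORT_PATH/ownertrust.txt"
}

case "${1:-}" in
  --export) export_keyring ;;
  --import) import_keyring ;;
  --audit)  audit_export_dir "$EXPORT_PATH" ;;
  *)        printf '%s\n' "$SAMPLE_LISTING" | primary_fingerprints ;;  # demo the parser only
esac
```

Run it with --export before `yadm encrypt`, with --import after cloning and decrypting, or with --audit on its own to confirm nothing in the export directory has loosened to group- or world-readable; with no argument it only runs the parser over the constructed sample listing, which makes the parsing logic easy to check without touching a real keyring.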

@atifraza (Author) commented

Hi again,

I finally tried your suggestions and managed to export my GPG and SSH keys in encrypted form along with the dotfiles.
Instead of exporting individual public keys, I exported all of them in a single asc file.

Follow-up questions:

  1. Why export the public keys as separate asc files when a single file would suffice?
  2. When a umask is set upfront, is there still a reason to create the files/directories with an explicit mask?

Thanks.

@rasa (Contributor) commented Jul 15, 2020

@atifraza you asked:

When a umask is set upfront, is there still a reason to create the files/directories with an explicit mask?

No, there isn’t, so you could safely change:

mkdir -m 0700 -p "$EXPORT_PATH"

to

mkdir -p "$EXPORT_PATH"

@TheLocehiliosan (Owner) commented

  1. Why export the public keys as separate asc files when a single file would suffice?

A single file could be fine. I think I suggested this way, so each public key added was identified via fingerprint. It would allow for things like, reviewing Git history and easily determining when particular keys were added/updated/etc.

  2. When a umask is set upfront, is there still a reason to create the files/directories with an explicit mask?

Nope, the example I created didn't use umask, but that's a better way to handle it. 👍
