Forward entire gnupg $HOME

john doe johndoe65534 at mail.com
Thu Sep 5 08:59:16 CEST 2019


On 9/4/2019 10:41 PM, Andre Klärner wrote:
> Hi all,
>
> is there a way to properly share the entire keyring and trust settings
> between two machines?
>
> My use case is the following:
>
> Mutt, my email client, runs on a containerized mailserver on another machine
> right under my desk.
>
> My GPG key is stored on a Yubikey attached to my workstation (another
> physical machine compared to the mailserver's host system)
>
> I usually use my workstation to do everything, but since I can't access my
> mailbox via NFS anymore (different story), I resorted to sshing into my
> email server, and doing all the mailing needs right there, locally.
>
> My Yubikey also is used as the SSH key for everything, and hence plugged
> into my workstation.
>
> After following https://wiki.gnupg.org/AgentForwarding and battling with
> the autostarting gpg-agent (fixed with no-autostart in the remote system's
> gpg.conf), masking all but the dirmngr systemd socket and service units, and
> struggling with the removal of /run/user/1000/gnupg on logout, I finally
> got it to work. (Nice how the last one doesn't matter, if dirmngr.socket is
> enabled.)
>
> Now I have another problem: my main machine knows all my internet friends'
> keys, my mailserver not. I can of course gpg --export, scp and gpg --import,
> but that is nothing scalable and needs to be repeated over and over again
> when anything changes.
>
> Do I expect too much, or is this simply a typically invalid use case?
> Is there a simpler way to configure a remote GPG just for a session, so
> that it uses another socket to connect to the gpg-agent? (I also sign git
> commits, sometimes with etckeeper even on remote machines.)
>

The obvious solution would be to use mutt on your workstation! :)
I would also use one signing key per device on which you need to sign
commits/tags/...
That way, if one device is compromised, you simply revoke that subkey.

Sorry for not directly answering your question!

--
John Doe
