On 9/4/2019 10:41 PM, Andre Klärner wrote:
> Hi all,
>
> is there a way to properly share the entire keyring and trust settings
> between two machines?
>
> My use case is the following:
>
> Mutt, my email client, runs on a containerized mailserver on another machine
> right under my desk.
>
> My GPG key is stored on a Yubikey attached to my workstation (another
> physical machine compared to the mailserver's host system).
>
> I usually use my workstation to do everything, but since I can't access my
> mailbox via NFS anymore (different story), I resorted to sshing into my
> email server and doing all the mailing needs right there, locally.
>
> My Yubikey is also used as the SSH key for everything, and hence is plugged
> into my workstation.
>
> After following https://wiki.gnupg.org/AgentForwarding and battling with
> the autostarting gpg-agent (fixed with no-autostart in the remote system's
> gpg.conf), masking all but the dirmngr systemd socket and service units, and
> struggling with the removal of /run/user/1000/gnupg on logout, I finally
> got it to work. (Nice how the last one doesn't matter if dirmngr.socket is
> enabled.)
>
> Now I have another problem: my main machine knows all my internet friends'
> keys, my mailserver does not. I can of course gpg --export, scp and gpg --import,
> but that is not scalable and needs to be repeated over and over again
> whenever anything changes.
>
> Do I expect too much, or is this simply a typically invalid use case?
> Is there a simpler way to configure a remote GPG just for a session, so
> that it uses another socket to connect to the gpg-agent? (I also sign git
> commits, sometimes with etckeeper even on remote machines.)
The obvious solution would be to use mutt on your workstation! :)

I would also use one signing key per device on which you need to sign commits/tags/... That way, if one device is compromised, you simply revoke that subkey.

Sorry for not directly answering your question!

-- 
John Doe

_______________________________________________
Gnupg-users mailing list
[email protected]
http://lists.gnupg.org/mailman/listinfo/gnupg-users
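As an added example (not code from the thread or from GnuPG), this sh script emits the pieces of the AgentForwarding setup the question describes, forwarding the restricted agent socket for one ssh session, together with the per-device signing-subkey pin John Doe recommends; the host alias "mailserver", the uid-1000 socket paths and the subkey id are assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread: emit the configuration that
# forwards the workstation's *restricted* gpg-agent socket to the mail server
# for the duration of one ssh session, and pin git on that host to one
# per-device signing subkey (John Doe's suggestion) so it can be revoked alone.
# Assumptions: host alias "mailserver", uid 1000 on both hosts (the thread's
# /run/user/1000/gnupg path), and a placeholder subkey id; adjust to your setup.
set -eu

# Workstation side: discover the local agent-extra-socket with gpgconf when
# available, else fall back to the systemd runtime path used in the thread.
local_extra_socket() {
    if command -v gpgconf >/dev/null 2>&1; then
        gpgconf --list-dirs agent-extra-socket
    else
        echo /run/user/1000/gnupg/S.gpg-agent.extra
    fi
}

# ~/.ssh/config stanza. Forwarding the .extra socket (not S.gpg-agent) matters:
# the restricted socket lets the remote sign and decrypt but refuses private
# key export and agent reconfiguration, limiting what a compromised mail
# server can do with the Yubikey-backed key.
ssh_config_stanza() {
    host=$1; remote_sock=$2; local_sock=$3
    printf 'Host %s\n    RemoteForward %s %s\n' "$host" "$remote_sock" "$local_sock"
}

# Remote side: sshd must be allowed to replace a stale socket left by a
# previous session, and gpg must not start a local agent that would shadow
# the forwarded one (the no-autostart fix from the thread).
remote_config_lines() {
    printf '%s\n' \
        '# /etc/ssh/sshd_config' \
        'StreamLocalBindUnlink yes' \
        '# ~/.gnupg/gpg.conf' \
        'no-autostart'
}

# Per-device signing subkey: the trailing "!" forces gpg to use exactly this
# subkey instead of the newest signing-capable one, so revoking it later
# affects only commits made from this host.
git_signing_pin() {
    subkey=$1
    printf 'git config --global user.signingkey %s!\n' "$subkey"
}

# Assemble everything for the hypothetical host and print it for review.
ssh_config_stanza mailserver /run/user/1000/gnupg/S.gpg-agent "$(local_extra_socket)"
remote_config_lines
git_signing_pin 0123456789ABCDEF   # placeholder subkey id
```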
