Hi all,

On Thu 05.09.2019 09:16:54, Erich Eckner via Gnupg-users wrote:
> On Thu, 5 Sep 2019, john doe wrote:
>
> > On 9/4/2019 10:41 PM, Andre Klärner wrote:
> >> Hi all,
> >>
> >> is there a way to properly share the entire keyring and trust settings
> >> between two machines?
>
> [ snip ]
>
> > The obvious solution would be to use mutt on your work station! :)
> > I would also use one signing key per device on which you need to sign
> > commits/tags/...
> > That way if one device is compromised you simply revoke that subkey.
>
> While this would work for signing, it will not work for decryption.

It also would contradict my security model: there are exactly three copies of my private key: one in my Yubikey 5 NFC, one in my Yubikey 5 nano, one in my OpenPGP smartcard. There are no other keys at all. And unless I actively use one of them, they are all offline and not usable. The Yubikeys even go a step further: even plugged in and with my PIN used once, they are not usable unless someone is physically present to confirm the operation by touching them.

Especially the last part is the main reason I was drawn to Yubikeys: our company uses SSH extensively, and due to audit restrictions SSHAgentForwarding must be enabled so that the audit box can log all SSH plaintext traffic. But once I am logged on to one of our servers I have root access, as do many of our colleagues - so a knowledgeable person can easily reuse my agent for anything else. With a physical confirmation required this is no longer a problem.

So I hope you now know how my requirements came to be, and that simply using multiple subkeys doesn't scale. The only thing saving me is proper and secure forwarding.

Thanks and best regards,
Andre

--
Andre Klärner