I'm doing 1), with around 5 devices. The N² issue is still not a problem for me, but it is a problem regardless. A solution would be to extend pass (and other clients) to support creating private keys and fetching the missing public keys from a keyserver. I haven't had the time to try to implement this extension myself yet.
14 Jan 2023, 9:58 by [email protected]:
> Hello,
>
> I would like to use pass in a situation where a number of PCs/laptops all
> have access to the keystore, as well as one or two mobile devices. We can
> assume the laptops to be a mix of Linux and Windows. The mobile devices are
> Android. I have a git server running in my home network.
>
> My question is what are best practices when it comes to (pgp) key management
> in this situation, and the documentation seems fairly light in this respect.
>
> From what I can see, there are two options.
>
> 1) Create a different public/private key pair for each machine, and encrypt
> the store for all of them (i.e. pass init with multiple keys).
>
> I have successfully done this but it is an N² problem -- every time a new
> machine is added, its public key needs to be distributed to all the different
> machines. This becomes unwieldy very soon, specifically if you take into
> account that the public keys should really be signed by a master key. And if
> you forget to do a pass git pull/push around the operations and need to merge
> -- specifically with the .gpg-id file -- then things become a bit scary.
>
> I have toyed with the idea of setting up a keyserver but discarded that for
> now as it seemed to be more complexity than I was ready for.
>
> 2) Stick with one key pair, and distribute the private key to all machines.
>
> This avoids the N² problem and seems operationally easier all around.
> However, there appear to be two different problems with this approach:
>
> a) Shipping private keys around is generally frowned upon. It runs counter to
> the entire public/private key setup at the heart of pgp. Also, the keys still
> somehow need to be verified so the process can't be quite automated.
>
> b) It seems easy enough to build a script with scp/ssh to do the key
> distribution to a new machine, but there is no straightforward way to do the
> same with a mobile device, or even with a Windows laptop.
>
> So my question is, how are others handling this situation, and am I
> overlooking an option? Should I be looking at 1) with a keyserver?
>
> Thanks for your help,
>
> - Wolfgang
>
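Added example for the per-device-key variant (option 1 above) and for the .gpg-id merge worry; this is not pass's own code, not a feature pass has, and not something either poster wrote. It keeps each device's OpenPGP public key inside the password-store git repo (the directory name `.public-keys` and the `pass@hostname` user ids are this example's own conventions), so enrolling a device is one push plus one pull per peer rather than one copy per device pair. It assumes gpg, pass and git are installed and the store is already a git repo (`pass git init`).

```shell
#!/bin/sh
# Example, not part of pass: distribute device public keys through the
# password-store repo and keep .gpg-id merges from dropping a recipient.
# Assumes gpg, pass and git are installed and the store is a git repo.
set -eu

STORE="${PASSWORD_STORE_DIR:-$HOME/.password-store}"
KEYDIR="$STORE/.public-keys"      # this example's own convention

# Print the recipient ids from a .gpg-id file, one per line: anything
# after '#' and blank lines dropped, whitespace trimmed, sorted, deduped.
normalize_gpg_ids() {
    awk '{ sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "")
           if ($0 != "") print }' "$1" | sort -u
}

# Merge two versions of .gpg-id (for example the ours/theirs halves of a
# git merge conflict) into their union, so a bad merge never silently
# removes a device from the recipient list.
merge_gpg_ids() {
    { normalize_gpg_ids "$1"; normalize_gpg_ids "$2"; } | sort -u
}

# Primary-key fingerprint of the first key matching a user id, or empty.
fingerprint_of() {
    gpg --batch --with-colons --list-keys "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Run once on a new device: create its key if missing, export the public
# key into the repo, append its fingerprint to .gpg-id, commit. Push after.
enrol_device() {
    uid="$1"                                  # e.g. pass@laptop-3
    fpr=$(fingerprint_of "$uid")
    if [ -z "$fpr" ]; then
        # "default default": default algorithm, primary key plus an
        # encryption subkey; the passphrase is prompted for via pinentry.
        gpg --quick-generate-key "$uid" default default never
        fpr=$(fingerprint_of "$uid")
    fi
    mkdir -p "$KEYDIR"
    gpg --armor --export "$fpr" > "$KEYDIR/$fpr.asc"
    printf '%s # %s\n' "$fpr" "$uid" >> "$STORE/.gpg-id"
    pass git add .gpg-id .public-keys
    pass git commit -m "Enrol device $uid"
}

# Run on every device after `pass git pull`: import the peers' public keys
# and re-encrypt the whole store for everyone listed in .gpg-id. `pass init`
# with several ids rewrites .gpg-id and re-encrypts every entry to all of
# them. Freshly imported keys have unknown validity, so accept_key must be
# run for each new fingerprint before this step can succeed.
refresh_recipients() {
    for f in "$KEYDIR"/*.asc; do
        [ -e "$f" ] && gpg --batch --import "$f"
    done
    # shellcheck disable=SC2046   # splitting the id list into words is intended
    pass init $(normalize_gpg_ids "$STORE/.gpg-id")
}

# Mark a peer key valid on this device, only after its fingerprint was
# compared out of band. The repo is not a trust anchor by itself: anyone
# who can push to it could add a recipient and read every future secret.
# pass calls gpg in batch mode, and gpg refuses to encrypt to a key whose
# validity is unknown, so this local signature is what makes `pass init`
# and `pass insert` work for that recipient.
accept_key() {
    gpg --batch --quick-lsign-key "$1"
}
```

The master-key signing Wolfgang mentions fits on top of this: sign each device key with the master key before exporting it, and each device then only needs to trust the master key once instead of running `accept_key` per peer. The merge helper is the part to reach for when a `pass git pull` leaves `.gpg-id` in conflict; taking the union and re-running `pass init` is safer than picking one side.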
