On 14/01/2023 10:58, Wolfgang Schildbach wrote:
> My question is what are best practices when it comes to (pgp) key
> management in this situation, and the documentation seems fairly light
> in this respect.
> From what I can see, there are two options.
> 1) Create a different public/private key pair for each machine, and
> encrypt the store for all of them (i.e. pass init with multiple keys).
> I have successfully done this but it is an N² problem -- every time a new
> machine is added, its public key needs to be distributed to all the
> different machines. This becomes unwieldy very soon, specifically if you
> take into account that the public keys should really be signed by a
> master key. And if you forget to do a pass git pull/push around the
> operations and need to merge -- specifically with the .gpg-id file --
> then things become a bit scary.
> I have toyed with the idea of setting up a keyserver but discarded that
> for now as it seemed to be more complexity than I was ready for.
There is a simpler version: Add the public key to your pass Git repo so
it can be easily imported on all the other hosts. Whether you trust the
new key explicitly on each host or you sign it using your trusted master
key is up to you; I guess it will depend on how many hosts there are.
You need the full set of public keys to do a new pass init, but they
need to be trusted.
--
Kjetil T. Homme
Redpill Linpro - Changing the game
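The workflow Kjetil describes, as an added example script that is not part of the thread or of pass itself: it keeps each host's public key in an assumed `.public-keys/` directory inside the store, imports them on a new host, and lists which entries of `.gpg-id` (assumed to hold long key ids or full fingerprints) are still untrusted or missing from the keyring before you run `pass init` with the full key list.

```sh
#!/bin/sh
# Added example, not from the thread: keep each host's public key inside the
# pass git repo, import them on a new host, and find which ids in .gpg-id are
# still not trusted before running `pass init` with the full key list.
set -eu

STORE="${PASSWORD_STORE_DIR:-$HOME/.password-store}"
KEYDIR=".public-keys"            # assumed directory name inside the store

# On the host that owns the key: export it into the repo and commit it.
publish_key() {
    mkdir -p "$STORE/$KEYDIR"
    gpg --armor --export "$1" > "$STORE/$KEYDIR/$1.asc"
    pass git add "$KEYDIR/$1.asc"
    pass git commit -m "Add public key $1"
}

# On every other host, after `pass git pull`: import all published keys.
import_keys() {
    gpg --import "$STORE/$KEYDIR"/*.asc
}

# untrusted_ids GPG_ID_FILE LIST_KEYS_FILE
# Reads .gpg-id (long key ids or full fingerprints, one per line) and the
# output of `gpg --with-colons --list-keys`; prints ids whose validity is
# not ultimate/full (u/f) or which are absent from the keyring, i.e. the
# keys you still need to sign or trust before `pass init $(cat .gpg-id)`.
untrusted_ids() {
    awk -F: '
        NR == FNR { if (NF && $0 !~ /^#/) want[$1] = 1; next }
        $1 == "pub" { v = $2; if ($5 in want) seen[$5] = v }
        $1 == "sub" { v = "" }              # ignore subkey fingerprints
        $1 == "fpr" && v != "" && ($10 in want) { seen[$10] = v }
        END {
            for (k in want)
                if (!(k in seen)) print k " (missing)"
                else if (seen[k] != "u" && seen[k] != "f") print k
        }' "$1" "$2"
}

case "${1:-}" in
    publish) publish_key "${2:?usage: publish KEYID}" ;;
    import)  import_keys ;;
    check)   gpg --with-colons --list-keys | untrusted_ids "$STORE/.gpg-id" - ;;
esac
```

Run `publish KEYID` on the host that owns a key, then `import` and `check` on each other host; an empty `check` output means every id in `.gpg-id` is present and trusted.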