Best practice for multiple-client use keys

danolo at danoloan.es danolo at danoloan.es
Sat Jan 14 10:14:03 UTC 2023


I'm doing 1, with around 5 devices. The N² is still not a problem for me, but it is a problem regardless. A solution would be to extend pass (and other clients) to support creation of private keys and fetching the missing public keys from a keyserver. I've not had the time to try and implement this extension myself yet.

14 Jan 2023, 9:58 by pws at fermi.franken.de:

> Hello,
>
> I would like to use pass in a situation where a number of PCs/laptops all have access to the keystore, as well as one or two mobile devices. We can assume the laptops to be a mix of linux and windows. The mobile devices are Android. I have a git server running in my home network.
>
> My question is what are best practices when it comes to (pgp) key management in this situation, and the documentation seems fairly light in this respect.
>
> From what I can see, there are two options.
>
> 1) Create a different public/private key pair for each machine, and encrypt the store for all of them (i.e. pass init with multiple keys).
>
> I have successfully done this but it is an N² problem -- every time a new machine is added, its public key needs to be distributed to all the different machines. This becomes unwieldy very soon, specifically if you take into account that the public keys should really be signed by a master key. And if you forget to do a pass git pull/push around the operations and need to merge -- specifically with the .gpg-id file -- then things become a bit scary.
>
> I have toyed with the idea of setting up a keyserver but discarded that for now as it seemed to be more complexity than I was ready for.
>
> 2) Stick with one key pair, and distribute the private key to all machines.
>
> This avoids the N² problem and seems operationally easier all around. However, there appear to be two different problems with this approach:
>
> a) Shipping private keys around is generally frowned upon. It runs counter to the entire public/private key setup at the heart of pgp. Also, the keys still somehow need to be verified so the process can't be quite automated.
>
> b) It seems easy enough to build a script with scp/ssh to do the key distribution to a new machine, but there is no straightforward way to do the same with a mobile device, or even with a windows laptop.
>
>
> So my question is, how are others handling this situation, and am I overlooking an option? Should I be looking at 1) with a keyserver?
>
> Thanks for your help,
>
> - Wolfgang
>
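The "fetch the missing public keys" step that option 1) needs on every device, as an added example that is not code from pass or from either poster: it compares a store's .gpg-id against the local keyring, lists the recipients whose public keys are absent, and (only when asked) pulls the ones given as key IDs or fingerprints from a keyserver. The store path, the hkps://keys.openpgp.org keyserver and the FETCH/KEYSERVER variables are assumptions.

```shell
#!/bin/sh
# Added example (not from pass or this thread): report which .gpg-id
# recipients are missing from the local keyring, the manual per-device
# chore behind the N^2 problem. Fetching is a separate, explicit action
# because a key found on a keyserver is not yet a verified key.

# Print recipients (one per line in $1) matching none of the identities
# (fingerprints / user IDs, one per line, in $2). A key ID is a suffix of
# its fingerprint and an e-mail is a substring of its user ID, so a
# case-insensitive fixed-string match covers the forms .gpg-id accepts.
missing_recipients() {
    recipients=$1
    known=$2
    printf '%s\n' "$recipients" | while IFS= read -r r; do
        [ -z "$r" ] && continue
        printf '%s\n' "$known" | grep -qiF -- "$r" || printf '%s\n' "$r"
    done
}

# True when $1 is a short/long key ID or a full fingerprint, i.e. something
# gpg --recv-keys can fetch directly without a search step.
is_key_id() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{8}|[0-9A-Fa-f]{16}|[0-9A-Fa-f]{40})$'
}

# Fingerprints and user IDs of every public key in the local keyring.
local_identities() {
    gpg --batch --with-colons --list-keys 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10 } $1 == "uid" { print $10 }'
}

# Report missing recipients for a store (default ~/.password-store, an
# assumption). With FETCH=1, pull the ones given as key IDs/fingerprints
# from $KEYSERVER. Returns 1 when anything was missing.
check_store() {
    store=${1:-$HOME/.password-store}
    keyserver=${KEYSERVER:-hkps://keys.openpgp.org}
    missing=$(missing_recipients "$(cat "$store/.gpg-id")" "$(local_identities)")
    [ -z "$missing" ] && { echo "all .gpg-id recipients present"; return 0; }
    printf '%s\n' "$missing" | while IFS= read -r r; do
        if [ "${FETCH:-0}" = 1 ] && is_key_id "$r"; then
            # Still unverified: compare the fingerprint with the one
            # recorded out of band before re-running pass init.
            gpg --batch --keyserver "$keyserver" --recv-keys "$r"
        else
            echo "missing: $r (fetch it, then verify its fingerprint)"
        fi
    done
    return 1
}
```

Running `FETCH=1 sh script.sh` after sourcing and calling `check_store` on each device replaces the hand-copied public-key round; the fingerprint check afterwards is what keeps the keyserver from becoming the trust root.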

