I'd like to tell you about the packaging work I've done with relation to cryptographic key management. There are 3 main packages that are related to it:

- gnupg_agent
- pinentry
- keychain

The idea is to hold an unlocked key in memory, using gpg-agent. When you need to use your private key, gpg talks to gpg-agent, which provides it with an unlocked key. In this way, you can browse e-mail encrypted to you without typing in your password each time you want to open an encrypted e-mail.

Pinentry is a small utility which allows entering passwords to gpg-agent. I've compiled two backends, gtk2 and curses.

The way to use the agent-pinentry-keychain combo:

- install the three packages
- put the following lines in your shell configuration (e.g. ~/.bash_profile):

    keychain 1234ABCD
    . ~/.keychain/$HOSTNAME-sh-gpg

...where 1234ABCD is your gpg key's shortened fingerprint.

If you also want to do the same thing (unlock a key) with ssh keys, you can do:

    keychain id_dsa id_rsa 1234ABCD
    . ~/.keychain/$HOSTNAME-sh
    . ~/.keychain/$HOSTNAME-sh-gpg

Use id_dsa and/or id_rsa depending on which keys you have. This is a more secure way to provide passwordless ssh logins, compared to unprotected private ssh keys.

After putting the configuration into your shell run control file / config file, you'll be asked to unlock your keys during login. Your unlocked key will be preserved between shell sessions and will expire with time.

The gnupg_agent can be used with both gpg 1.x and 2.x. It's available as part of the gpg 2.x source distribution, so I've packaged it separately. gnupg_agent is in testing/.

Maciej

_______________________________________________
maintainers mailing list
[email protected]
https://lists.opencsw.org/mailman/listinfo/maintainers
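The profile lines above source the files keychain writes blindly, which works until the file is missing (the profile aborts) or describes an agent that died with an earlier login (the shell silently carries a dead SSH_AUTH_SOCK / GPG_AGENT_INFO). The following is an added example, not code from the original post or from the keychain project: a guarded variant of those two `.` lines that sources a keychain file only if it exists and then checks that the agent it names is really reachable. It assumes keychain's file names (`$HOSTNAME-sh`, `$HOSTNAME-sh-gpg` under `~/.keychain`), its `VAR=value; export VAR;` line format, and the gpg 1.x-style `GPG_AGENT_INFO` layout `socket-path:pid:protocol`; the sample keychain file in the demo is constructed.

```shell
#!/bin/sh
# Added example, not code from the original post or the keychain project.
# Guarded replacement for the ". ~/.keychain/$HOSTNAME-sh*" profile lines:
# source a keychain file only if present, then verify the agent it names.
#
# Assumptions: keychain writes $HOSTNAME-sh and $HOSTNAME-sh-gpg under
# ~/.keychain as "VAR=value; export VAR;" lines, and a gpg 1.x-style
# GPG_AGENT_INFO has the form "socket-path:pid:protocol-version".

KEYCHAIN_DIR="${KEYCHAIN_DIR:-$HOME/.keychain}"

# Source $KEYCHAIN_DIR/$1 if it is readable; return 1 (no abort) if it is not.
load_keychain_file() {
    [ -r "$KEYCHAIN_DIR/$1" ] || return 1
    . "$KEYCHAIN_DIR/$1"
}

# First field of a GPG_AGENT_INFO value: the agent's socket path.
gpg_agent_sock() { printf '%s\n' "${1%%:*}"; }

# Second field of a GPG_AGENT_INFO value: the agent's pid.
gpg_agent_pid() { rest="${1#*:}"; printf '%s\n' "${rest%%:*}"; }

# 0 if the ssh-agent named by the environment is reachable: its socket exists
# and its pid is a live process. (A reused pid can still fool kill -0; the
# socket test is what catches most stale files.)
ssh_agent_alive() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ] || return 1
    [ -n "${SSH_AGENT_PID:-}" ] && kill -0 "$SSH_AGENT_PID" 2>/dev/null
}

# Same check for the gpg-agent named by GPG_AGENT_INFO.
gpg_agent_alive() {
    [ -n "${GPG_AGENT_INFO:-}" ] || return 1
    [ -S "$(gpg_agent_sock "$GPG_AGENT_INFO")" ] || return 1
    pid=$(gpg_agent_pid "$GPG_AGENT_INFO")
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# Profile-style entry point: source whatever keychain wrote for this host and
# report each agent as ok / stale / absent. Returns 0 only if nothing is stale.
keychain_status() {
    host="${HOSTNAME:-$(uname -n)}"
    rc=0
    if load_keychain_file "$host-sh"; then
        if ssh_agent_alive; then echo "ssh-agent: ok"; else echo "ssh-agent: stale"; rc=1; fi
    else
        echo "ssh-agent: no keychain file"
    fi
    if load_keychain_file "$host-sh-gpg"; then
        if gpg_agent_alive; then echo "gpg-agent: ok"; else echo "gpg-agent: stale"; rc=1; fi
    else
        echo "gpg-agent: no keychain file"
    fi
    return $rc
}

# Self-contained demo on a constructed keychain directory: a gpg file whose
# agent is long gone (no socket, nonexistent pid) and no ssh file at all.
demo_stale_keychain() {
    tmp=$(mktemp -d) || return 1
    host="${HOSTNAME:-$(uname -n)}"
    # constructed sample line, not a real keychain file
    printf 'GPG_AGENT_INFO=%s/S.gpg-agent:999999:1; export GPG_AGENT_INFO;\n' \
        "$tmp" > "$tmp/$host-sh-gpg"
    saved_dir="$KEYCHAIN_DIR"
    KEYCHAIN_DIR="$tmp"
    keychain_status   # prints "ssh-agent: no keychain file" and "gpg-agent: stale"
    KEYCHAIN_DIR="$saved_dir"
    rm -rf "$tmp"
}

demo_stale_keychain
```

In a real profile you would call `keychain_status` right after the `keychain ...` line and re-run keychain (or at least warn) when it reports a stale agent; the socket test is what matters, since a pid alone can be reused by an unrelated process after a reboot.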
