Re: Syncing GnuPG between 2 system

2018-10-03 Thread mick crane

On 2018-10-02 17:09, to...@tuxteam.de wrote:

> You have the revocation key, don't you?

somewhere safe hopefully

-- 
Key ID 4BFEBB31



Re: Syncing GnuPG between 2 system

2018-10-02 Thread tomas
On Tue, Oct 02, 2018 at 12:11:32PM +0100, mick crane wrote:
> On 2018-09-30 18:39, deloptes wrote:
> 
> >Here is something I do not get - to encrypt I am asked for password - I
> >guess it is for my secret key, no?
> 
> with the mail GPG plugin I never use but tested between 2 email
> identities.
> you can choose to generate a passphrase when you first make key pair
> to encrypt you use the recipient public key and to decrypt they
> enter their passphrase

To complete this: your private key is stored in an encrypted form:
this is to reduce possible damage should anyone with access to
your data to steal your private key (they'd need the passphrase for
it).

If your account is compromised, you have at least the time to
revoke your key while "they" brute-force its encryption...

You have the revocation key, don't you?

Cheers
-- tomás




Re: Syncing GnuPG between 2 system

2018-10-02 Thread mick crane

On 2018-09-30 18:39, deloptes wrote:

> Here is something I do not get - to encrypt I am asked for password - I
> guess it is for my secret key, no?

with the mail GPG plugin I never use but tested between 2 email
identities.

you can choose to generate a passphrase when you first make key pair
to encrypt you use the recipient public key and to decrypt they enter
their passphrase

mick

-- 
Key ID 4BFEBB31



Re: Syncing GnuPG between 2 system

2018-09-30 Thread deloptes
Teemu Likonen wrote:

> Encryption requires recipient's public [E] key only. It seems that, in
> addition to encrypting, you are also signing the message. For that you
> need a secret (sub)key that has signing capability [S].

Thank you! It is exactly how it is.



Re: Syncing GnuPG between 2 system

2018-09-30 Thread Teemu Likonen
delop...@gmail.com [2018-09-30 19:39:03+02] wrote:

> Teemu Likonen wrote:
>> No. To encrypt you need recipients' public keys which have an encryption
>> capability [E]. Usually there is an encryption subkey. To decrypt you
>> need the secret key which is associated with the public [E] key that was
>> used to encrypt.
>
> Here is something I do not get - to encrypt I am asked for password -
> I guess it is for my secret key, no?

Encryption requires recipient's public [E] key only. It seems that, in
addition to encrypting, you are also signing the message. For that you
need a secret (sub)key that has signing capability [S].

-- 
/// Teemu Likonen   - .-..    //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///




Re: Syncing GnuPG between 2 system

2018-09-30 Thread deloptes
Teemu Likonen wrote:

> delop...@gmail.com [2018-09-30 01:09:05+02] wrote:
> 
>> A key is associated with identity -> the email. With the sub keys you
>> can add more identities.
> 
> No. OpenPGP key's user id's (name, comment, email) are with the public
> master key, not with subkeys.
> 

OK, sorry for adding the sub there - one could add more identities to the key
and sign/encrypt with the key

>> Still to encrypt you need the private key.
> 
> No. To encrypt you need recipients' public keys which have an encryption
> capability [E]. Usually there is an encryption subkey. To decrypt you
> need the secret key which is associated with the public [E] key that was
> used to encrypt.

Here is something I do not get - to encrypt I am asked for password - I
guess it is for my secret key, no?




Re: Syncing GnuPG between 2 system

2018-09-30 Thread Teemu Likonen
delop...@gmail.com [2018-09-30 01:09:05+02] wrote:

> A key is associated with identity -> the email. With the sub keys you
> can add more identities.

No. OpenPGP key's user id's (name, comment, email) are with the public
master key, not with subkeys.

> Still to encrypt you need the private key.

No. To encrypt you need recipients' public keys which have an encryption
capability [E]. Usually there is an encryption subkey. To decrypt you
need the secret key which is associated with the public [E] key that was
used to encrypt.

-- 
/// Teemu Likonen   - .-..    //
// PGP: 4E10 55DC 84E9 DFF6 13D7 8557 719D 69D3 2453 9450 ///




Re: Syncing GnuPG between 2 system

2018-09-29 Thread deloptes
Jim Popovitch wrote:

> On Sat, 2018-09-29 at 09:50 -0400, Roberto C. Sánchez wrote:
>> If all you care about is the public keys for verifying signatures,
>> then I say don't bother trying to proactively sync.  Just let each
>> system get keys and key updates from the public keyservers as needed.
> 
> OK, that makes sense, and seems to be the popular opinion.
> 
>> Your original message seemed to indicate that you wanted to both
>> verify signatures and also produce signatures on multiple
>> machines.  That was why I provided the link to the article on subkeys,
>> as I consider that to be the only sensible way to have signing
>> capabilities on multiple devices related to a single GnuPG
>> key.  Perhaps I misread your email in that regard.
> 
> 
> You read my email correctly.  I did quickly read and have bookmarked
> your link.  Thank you for that.
> 

IMO you sign based on the e-mail you use. IMO it is confusing with multiple
machines. A key is associated with identity -> the email.
With the sub keys you can add more identities. 
Still to encrypt you need the private key. It is sufficient to update the
private key on the other machines. You usually do not copy it over an internet
connection. Some people use secure key cards, others encrypted USB sticks or
md/sd cards, whatever.

The public keys are uploaded to the key server after being updated (for example
signed by you) and downloaded/updated on the other machines when needed.

It is up to you to decide how you handle your security. It is a sensitive
topic, so general reading and understanding of the matter is required,
before proceeding in real life.

regards



Re: Syncing GnuPG between 2 system

2018-09-29 Thread Jim Popovitch
On Sat, 2018-09-29 at 09:50 -0400, Roberto C. Sánchez wrote:
> If all you care about is the public keys for verifying signatures,
> then I say don't bother trying to proactively sync.  Just let each
> system get keys and key updates from the public keyservers as needed.

OK, that makes sense, and seems to be the popular opinion.

> Your original message seemed to indicate that you wanted to both
> verify signatures and also produce signatures on multiple
> machines.  That was why I provided the link to the article on subkeys,
> as I consider that to be the only sensible way to have signing
> capabilities on multiple devices related to a single GnuPG
> key.  Perhaps I misread your email in that regard.


You read my email correctly.  I did quickly read and have bookmarked
your link.  Thank you for that.

-Jim P.



Re: Syncing GnuPG between 2 system

2018-09-29 Thread Roberto C. Sánchez
On Sat, Sep 29, 2018 at 09:37:43AM -0400, Jim Popovitch wrote:
> 
> I get the secret key part.  Are you saying to forget about syncing
> public keys (from other's emails) and just let each client download
> those from a public keyserver? If so, I may be over thinking the need to
> sync GnuPG between devices.  H.
> 
If all you care about is the public keys for verifying signatures, then
I say don't bother trying to proactively sync.  Just let each system get
keys and key updates from the public keyservers as needed.

Your original message seemed to indicate that you wanted to both verify
signatures and also produce signatures on multiple machines.  That was
why I provided the link to the article on subkeys, as I consider that to
be the only sensible way to have signing capabilities on multiple
devices related to a single GnuPG key.  Perhaps I misread your email in
that regard.

Regards,

-Roberto

-- 
Roberto C. Sánchez



Re: Syncing GnuPG between 2 system

2018-09-29 Thread Jim Popovitch
On Sat, 2018-09-29 at 09:16 +0200, deloptes wrote:
> Jim Popovitch wrote:
> 
> > Copying .gnupg is simple and easy, but not quite what I'm looking
> > for. Imagine having to copy your email folders or address book from
> > system to system, instead of using something like IMAP.  I suppose I
> > could build something that uses WebDav to sync .gnupg... I was just
> > hoping something like that existed.
> 
> you definitely do not want to upload your secret key anywhere. 

Well of course not, and that is not what this question is about. ;-) 
You certainly don't want to sync your email account password either, nor
your mothers maiden name. ;-)

> Keep your private key secret and use a keyserver for the public keys.
> When you have this setup IMAP is not an issue.

I get the secret key part.  Are you saying to forget about syncing
public keys (from other's emails) and just let each client download
those from a public keyserver? If so, I may be over thinking the need to
sync GnuPG between devices.  H.

> and BTW no one said that you should copy your mail folder.

I'm the one who brought that up, as an example, because someone (you?)
was saying to copy files around from box to box.  I mentioned IMAP as an
alternative to copying email files/folders, and that I was looking for a
similar technique for GnuPG.

-Jim P.



Re: Syncing GnuPG between 2 system

2018-09-29 Thread deloptes
Jim Popovitch wrote:

> Copying .gnupg is simple and easy, but not quite what I'm looking for.
> Imagine having to copy your email folders or address book from system to
> system, instead of using something like IMAP.  I suppose I could build
> something that uses WebDav to sync .gnupg... I was just hoping something
> like that existed.

you definitely do not want to upload your secret key anywhere. Keep your
private key secret and use a keyserver for the public keys. When you have
this setup IMAP is not an issue. and BTW no one said that you should copy
your mail folder.

regards




Re: Syncing GnuPG between 2 system

2018-09-28 Thread Jim Popovitch
On Sat, 2018-09-29 at 01:45 +0200, deloptes wrote:
> Roberto C. Sánchez wrote:
> 
> > You may find this article helpful:
> > 
> > http://www.connexer.com/articles/openpgp-subkeys
> 
> I think that a copy of .gnupg directory would mostly work.
> If OP wants to be able to sign or encrypt with same key from more
> machines, I agree the link is useful, but overcomplicated
> 
> Copy of the .gnupg will give the base and each intervention should be
> synced with the key server, so that the clients are subsequently in
> sync

Copying .gnupg is simple and easy, but not quite what I'm looking for. 
Imagine having to copy your email folders or address book from system to
system, instead of using something like IMAP.  I suppose I could build
something that uses WebDav to sync .gnupg... I was just hoping something
like that existed.

-Jim P.



Re: Syncing GnuPG between 2 system

2018-09-28 Thread deloptes
Roberto C. Sánchez wrote:

> You may find this article helpful:
> 
> http://www.connexer.com/articles/openpgp-subkeys

I think that a copy of .gnupg directory would mostly work.
If OP wants to be able to sign or encrypt with same key from more machines,
I agree the link is useful, but overcomplicated

Copy of the .gnupg will give the base and each intervention should be
synced with the key server, so that the clients are subsequently in sync

regards



Re: Syncing GnuPG between 2 system

2018-09-28 Thread Roberto C. Sánchez
On Fri, Sep 28, 2018 at 11:33:44AM -0400, Jim Popovitch wrote:
> Hello!
> 
> What is the best way to maintain consistency of a user's gnupg
> signing/verifying capabilities between 2 or more desktop systems?
> 

You may find this article helpful:

http://www.connexer.com/articles/openpgp-subkeys

It is a bit dated, but I still follow the procedure every year when I
extend the expiration of my subkeys.

Essentially, what you want is a primary secret key that remains offline
(except for when you need to sign other keys and to extend the
expiration of the primary and/or subkeys, if you choose to give them
expiration dates).  Then, the multiple devices each get a signing subkey
which can be used for signing only.

The only thing not covered in the article is the verifying part, but
that is a simple sync of ~/.gnupg/pubring.gpg.  You can probably do that
via cron or some other file sync approach (maybe that detects when you
connect to your home network or whatever).

If you really only care about signing and verifying then that is pretty
much it.  However, note (as covered in the article) if you want to
decrypt you will need to copy the same encryption subkey to every
device.  This is because while a given primary GPG key can have an
arbitrary number of signing subkeys, it only makes sense to have one
encryption subkey (I am not sure if that is also enforced on the
technical side).

Regards,

-Roberto

-- 
Roberto C. Sánchez
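The offline-primary-plus-subkeys split Roberto describes above, together with Teemu's point earlier in the thread that encrypting needs only the recipient's public [E] key while the passphrase prompt comes from signing, as an added, runnable example. This is not code from the thread or from the linked article. Three GNUPGHOME directories stand in for three machines: a desktop holding the full key, a laptop that receives only the secret subkeys, and a correspondent who has only the public key. The user id, file names and homedir layout are made up for the example; it assumes gpg 2.1 or newer on PATH (for the --quick-* commands and ed25519/cv25519 keys). Keys are created without a passphrase so the script runs unattended; a real key would be passphrase-protected, which is the protection tomas refers to.

```shell
#!/bin/sh
# Added example, not code from the thread or from the linked article.
# Three GNUPGHOME directories stand in for three machines:
#   desktop - the full key: certify-only primary [C] plus [S] and [E] subkeys
#   laptop  - public key plus the secret SUBKEYS only (primary is a stub)
#   friend  - a correspondent holding the public key only
# Assumes gpg 2.1+ on PATH. Keys are made without a passphrase so this runs
# unattended; a real key would be passphrase-protected.
set -eu

# gpg with the options that let it run unattended on an unprotected key.
gpgq() { gpg --batch --pinentry-mode loopback --passphrase '' "$@"; }

# Create a certify-only primary key with one signing and one encryption
# subkey in homedir $1 for user id $2; print the primary fingerprint.
make_primary_key() {
    home=$1; uid=$2
    gpgq --homedir "$home" --quick-generate-key "$uid" ed25519 cert never >/dev/null 2>&1 || return 1
    fpr=$(gpg --homedir "$home" --with-colons --with-fingerprint --list-keys "$uid" \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    [ -n "$fpr" ] || return 1
    gpgq --homedir "$home" --quick-add-key "$fpr" ed25519 sign 1y >/dev/null 2>&1 || return 1
    gpgq --homedir "$home" --quick-add-key "$fpr" cv25519 encr 1y >/dev/null 2>&1 || return 1
    echo "$fpr"
}

# Walk through the split: returns 0 if every property below holds,
# 1 on a failed check, 77 if gpg is not installed.
subkey_workflow() {
    command -v gpg >/dev/null 2>&1 || return 77
    work=$(mktemp -d); desktop=$work/desktop; laptop=$work/laptop; friend=$work/friend
    mkdir -m 700 "$desktop" "$laptop" "$friend"

    fpr=$(make_primary_key "$desktop" "Example User <user@example.org>") || return 1

    # gpg 2.1+ writes a revocation certificate at key creation; keep it
    # (and the primary) offline, e.g. on the encrypted USB stick mentioned above.
    [ -f "$desktop/openpgp-revocs.d/$fpr.rev" ] || return 1

    # Desktop exports the public key and ONLY the secret subkeys for the laptop.
    gpg --homedir "$desktop" --batch --export "$fpr" >"$work/pub.gpg" || return 1
    gpgq --homedir "$desktop" --export-secret-subkeys "$fpr" >"$work/subkeys.gpg" || return 1

    # Laptop imports both; the primary secret key shows up as a stub ("sec#").
    gpg --homedir "$laptop" --batch --import "$work/pub.gpg" "$work/subkeys.gpg" 2>/dev/null || return 1
    gpg --homedir "$laptop" --list-secret-keys 2>/dev/null | grep -q '^sec#' || return 1

    # Laptop signs with the [S] subkey and the desktop verifies the signature...
    printf 'release notes\n' >"$work/notes.txt"
    gpgq --homedir "$laptop" --detach-sign --output "$work/notes.txt.sig" "$work/notes.txt" 2>/dev/null || return 1
    gpg --homedir "$desktop" --batch --verify "$work/notes.txt.sig" "$work/notes.txt" 2>/dev/null || return 1
    # ...but cannot do primary-key work: adding a subkey fails on the laptop.
    if gpgq --homedir "$laptop" --quick-add-key "$fpr" ed25519 sign 1y >/dev/null 2>&1; then return 1; fi

    # Friend has the public key only: encrypting to the [E] subkey needs no
    # secret key and no passphrase, while signing is impossible there.
    gpg --homedir "$friend" --batch --import "$work/pub.gpg" 2>/dev/null || return 1
    gpg --homedir "$friend" --batch --trust-model always --recipient "$fpr" \
        --output "$work/notes.txt.gpg" --encrypt "$work/notes.txt" 2>/dev/null || return 1
    if gpgq --homedir "$friend" --local-user "$fpr" --detach-sign --output "$work/x.sig" "$work/notes.txt" 2>/dev/null; then return 1; fi
    # The laptop carries the [E] subkey too, so it can decrypt.
    gpgq --homedir "$laptop" --decrypt "$work/notes.txt.gpg" 2>/dev/null | grep -q '^release notes$' || return 1

    for h in "$desktop" "$laptop" "$friend"; do gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true; done
    rm -rf "$work"
    echo "primary $fpr stays on the desktop; laptop holds subkeys only"
}

# Run directly with an argument to see it go through: sh subkeys.sh run
if [ "${1:-}" = run ]; then subkey_workflow; fi
```

The `--trust-model always` on the correspondent's side is there only because that throwaway homedir has never validated the key; in real use you would check the fingerprint and sign or trust the key instead. Verifying the laptop's signature on the desktop is the same `gpg --verify` any third party with the public key would run, which is the "verifying" half Roberto says only needs the public keyring synced.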



Syncing GnuPG between 2 system

2018-09-28 Thread Jim Popovitch
Hello!

What is the best way to maintain consistency of a user's gnupg
signing/verifying capabilities between 2 or more desktop systems?

tia,

-Jim P.
