Distributed symmetric key management
I have various directories that I need to keep in sync on various machines. To do so, I would like to, say, once a week, tar the directories, encrypt them and push them on the internet. On other machines I'd pull accordingly. This process itself is quite simple. I can come up with some bash magic for that.

Here's the tricky part: Each directory has a key attached to it. My main machine, which pushes all changes, has 'access' to all keys. My other machines just 'have' a subset of all keys. I do not think asymmetric encryption makes much sense here. Rather than that, I'd use symmetric encryption using keys generated with 'gpg2 --gen-random 2'. When I am setting up a new machine, I can distribute the keys that I need on that machine using a safe exchange medium.

Here's basically what I have:

Machine A (main machine):
  keys: project-a key, project-b key, private-stuff key
  directory project-a
  directory project-b
  directory private-stuff

Machine B:
  keys: project-a key, project-b key
  directory project-a
  directory project-b

Machine C:
  keys: private-stuff key
  directory private-stuff

Machine A pushes project-a, project-b and private-stuff, encrypting with the according keys. Machine B pulls project-a and project-b, decrypting with the keys it 'has'. Machine C pulls private-stuff.

So, here is the problem. How can I keep track of the keys? I do not like having them as plain text files lying in some directory. Does gpg-agent have some way of keeping them in a keyring? If not, I am also using gnome-keyring, which can store passwords. Is there any method to forward keys from gnome-keyring to gpg2?

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Multiple signatures
Ok, Thanks David,

But what if the file is signed by people working on different computers? So they will add their signature on the current separate file (corresponding to the people who already signed a specific file).

Koushkov

2010/6/18 David Shaw
> On Jun 17, 2010, at 11:33 PM, Boris wrote:
>
> > Hi,
> >
> > I would like to know if there is a way to add multiple signatures for a
> > file (in a separate file) and check who signed with just one command (so not
> > by signing a signed file...).
>
> Sure.
>
> gpg -u signer_1 -u signer_2 -u signer_3 --detach-sign file-to-sign
>
> You'll end up with a file-to-sign.sig that contains all three signatures.
> When you verify file-to-sign.sig, all three signatures will be checked.
>
> Alternately, you can do the same "multiple signer" trick with regular
> --sign if you want the data and signatures to be put together into a single
> file.
>
> David
Re: Multiple signatures
Thank you very much David. It is exactly what I wanted.

2010/6/18 David Shaw
>
> > On Jun 17, 2010, at 11:33 PM, Boris wrote:
> >
> > > Hi,
> > >
> > > I would like to know if there is a way to add multiple signatures for a
> > > file (in a separate file) and check who signed with just one command (so not
> > > by signing a signed file...).
> >
> > Sure.
> >
> > gpg -u signer_1 -u signer_2 -u signer_3 --detach-sign file-to-sign
> >
> > You'll end up with a file-to-sign.sig that contains all three signatures.
> > When you verify file-to-sign.sig, all three signatures will be checked.
> >
> > Alternately, you can do the same "multiple signer" trick with regular
> > --sign if you want the data and signatures to be put together into a single
> > file.
>
> On Jun 18, 2010, at 9:14 AM, Boris wrote:
>
> > Ok, Thanks David,
> >
> > But what if the file is signed by people working on different computers?
> > So they will add their signature on the current separate file
> > (corresponding to the people who already signed a specific file).
>
> If you want a bunch of people all signing the same file, have each signer
> do this:
>
> gpg -u signer-X -o signer-X-signature --detach-sign file-to-sign
>
> Then have them all send you their "file-to-sign.sig" files. You create a
> file containing all of them:
>
> cat signer-1-signature signer-2-signature signer-3-signature > file-to-sign.sig
>
> Then anyone can verify file-to-sign.sig against the original file-to-sign
> and see all the signatures verified.
>
> David
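Why simply concatenating the signers' files works, as an added example that is not from this thread or from GnuPG: a detached .sig file is nothing more than a sequence of OpenPGP signature packets (RFC 4880), so `cat` produces one file whose packets gpg checks one after another. The Python below walks such a file with both old-format (gpg's) and new-format packet headers and reports the issuer key ID of every signature, a "who signed" check you can run before invoking gpg; the sample bytes are constructed stand-ins with dummy digest and MPI fields, not real signatures, and the key IDs in them are made up.

```python
def _length(buf, i):
    """New-format packet / subpacket length field -> (length, octets consumed)."""
    first = buf[i]
    if first < 192:
        return first, 1
    if first < 224:
        return ((first - 192) << 8) + buf[i + 1] + 192, 2
    raise ValueError("5-octet and partial body lengths are not handled here")

def iter_packets(data):
    """Yield (tag, body) for every packet; accepts old- and new-format headers."""
    i = 0
    while i < len(data):
        first = data[i]
        if first & 0xC0 == 0xC0:                            # new-format header
            tag, (length, used) = first & 0x3F, _length(data, i + 1)
        elif first & 0x80 and first & 0x03 != 3:            # old-format, definite length
            tag, used = (first >> 2) & 0x0F, (1, 2, 4)[first & 0x03]
            length = int.from_bytes(data[i + 1:i + 1 + used], "big")
        else:
            raise ValueError("unsupported packet header at offset %d" % i)
        i += 1 + used
        if i + length > len(data):
            raise ValueError("truncated packet at offset %d" % i)
        yield tag, data[i:i + length]
        i += length

def signers(sig_file):
    """Issuer key ID of each v4 signature packet in a (concatenated) detached .sig."""
    ids = []
    for tag, body in iter_packets(sig_file):
        if tag != 2 or body[0] != 4:                        # tag 2 = signature packet
            raise ValueError("not a v4 signature packet (tag %d)" % tag)
        hlen = int.from_bytes(body[4:6], "big")
        ulen = int.from_bytes(body[6 + hlen:8 + hlen], "big")
        area = body[6:6 + hlen] + body[8 + hlen:8 + hlen + ulen]   # hashed + unhashed
        i, issuer = 0, None
        while i < len(area):
            length, used = _length(area, i)
            if area[i + used] & 0x7F == 16:                 # type 16 = issuer key ID
                issuer = area[i + used + 1:i + used + length].hex().upper()
            i += used + length
        ids.append(issuer)
    return ids

# Constructed stand-in for `cat signer-1-signature signer-2-signature > file-to-sign.sig`:
# two minimal v4 signature packets (dummy digest/MPI bytes, NOT real signatures); the first
# has an old-format header (0x88, as gpg writes), the second a new-format header (0xC2).
FILE_TO_SIGN_SIG = bytes.fromhex(
    "881d 04000108 0006 05024c1b0b00 000a 0910 0123456789abcdef 1234 0008ff"
    "c21d 04001608 0006 05024c1b0b00 000a 0910 fedcba9876543210 1234 0008ff")
```

Each packet carries a creation-time subpacket in its hashed area and the issuer in its unhashed area, the layout gpg uses for RSA signatures; a truncated file raises rather than silently reporting fewer signers.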
Multiple signatures
Hi,

I would like to know if there is a way to add multiple signatures for a file (in a separate file) and check who signed with just one command (so not by signing a signed file...).

Thanks,
Koushkov