LinuxQuestions.org


Kearneyman 09-28-2009 10:53 AM

export GPG keys to multiple servers
 
I need to use Duplicity to back up server directories to Amazon S3.

Duplicity uses GnuPG to encrypt the data so that no one can read it.

I followed this guide to create "The script"

So, my task was to create 1 script to be deployed across my servers which would back up the directories and, should any server die, have the ability to SCP the public and private keys to that server so that restoration could occur automatically and backups could occur after restoration.

Here's what to do

1. Generate the private and public keys
Code:

gpg --gen-key
Answer all the questions. We'll assume the key created was 12345678 and that the name you entered (Real name) is "Real name".

Now create backups of your keys
Code:

gpg --output secret --export-secret-keys "Real name"
gpg --output public --export "Real name"

So, let's pretend the server dies. You get the OS installed on the new one.

scp the secret and public keys to server2
Code:

# scp secret public root@server2:
Now, from server2, import the keys
Code:

# gpg --import secret public
Now, here comes the tricky part: you must tell GPG to trust these keys to avoid the error

gpg: There is no assurance this key belongs to the named user

Code:

server2# gpg --edit-key 12345678
Secret key is available.

Command> trust
pub  1024D/12345678  created: 2009-09-25  expires: never      usage: SC
                    trust: unknown      validity: unknown
sub  2048g/87654321  created: 2009-09-25  expires: never      usage: E
[ unknown] (1). Real name (comment) <some@email.com>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

Command> save

server2#

Now you can encrypt/decrypt things using the keys generated in step 1 on this new server.

Kearneyman 09-28-2009 11:10 AM

If you have any questions or suggestions, please feel free to ask/post.

anomie 09-28-2009 03:49 PM

Is this a question or a howto? ;)

As an alternative to using the interactive session to establish trust, you can:
Code:

$ gpg --export-ownertrust
(Then --import-ownertrust on the target host.)

Kearneyman 09-29-2009 10:17 AM

Quote:

Originally Posted by anomie (Post 3699817)
Is this a question or a howto? ;)

As an alternative to using the interactive session to establish trust, you can:
Code:

$ gpg --export-ownertrust
(Then --import-ownertrust on the target host.)

LOL. First it was a question. Then after 3 hours I figured it out, and so I thought I'd post the solution. :hattip:

Thanks for that command though. I just started learning GPG last week.

So, to clarify: on the server where I created the GPG keys, say server1, I would issue the command
Code:

gpg --export-ownertrust "Real name" |
and pipe that to server2
Code:

gpg --import-ownertrust
Like this? Or am I mistaken?

Code:

gpg --export-ownertrust | ssh server2 gpg --import-ownertrust
Again, thanks for your help. I really appreciate it.

I hope this helps a lot of people who want/need to accomplish this task.

anomie 09-29-2009 10:30 AM

I'm not sure if you can specify real name in that fashion -- I have only exported / imported the entire trust db when I've used this. (But you can figure it out with a quick test.)

Anyway, yes - you have the gist of it.
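The following script is an added example, not code from the thread or from Duplicity. It ties together the two approaches discussed above: the key export/import from the first post and the non-interactive trust transfer that anomie suggested. Instead of the interactive `trust` dialog it writes a line in the `--export-ownertrust` / `--import-ownertrust` format (`<fingerprint>:<level>:`, where 6 is ultimate trust), and it streams the keys and trust over ssh so no plaintext key file is left lying on disk on either side. The key name, target host, `fingerprint_from_colons`, `ownertrust_line` and `provision_host` are assumptions of this example; the sample `--with-colons` output and its fingerprints are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): non-interactive GPG key and trust
# provisioning for a backup host. Assumes gpg and ssh are on PATH and the
# backup key pair already exists locally (created with gpg --gen-key).
# If the secret key has a passphrase, gpg will ask for it via its agent.

# Extract the primary key fingerprint from `gpg --with-colons` output read
# on stdin. In the colon format the "fpr" record carries the fingerprint
# in field 10, and the first fpr record belongs to the primary key.
fingerprint_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Look up the fingerprint of a key (id or "Real name") in the local keyring.
fingerprint_of() {
    gpg --batch --with-colons --fingerprint "$1" | fingerprint_from_colons
}

# Build one line in --export-ownertrust / --import-ownertrust format:
# "<fingerprint>:<level>:". Level 6 is ultimate (choice "5" in the
# interactive trust dialog), 5 full, 4 marginal, 3 never, 2 undefined.
ownertrust_line() {
    printf '%s:%s:\n' "$1" "$2"
}

# Mark a local key ultimately trusted without an --edit-key session.
trust_ultimately() {
    ownertrust_line "$(fingerprint_of "$1")" 6 | gpg --batch --import-ownertrust
}

# Copy the key pair and its trust to another host over ssh. Note that
# "ssh host --import-ownertrust" would be parsed as an ssh option; the
# remote command must start with "gpg".
provision_host() {
    key=$1; host=$2
    gpg --batch --export --armor "$key" | ssh "$host" gpg --batch --import
    gpg --batch --export-secret-keys --armor "$key" | ssh "$host" gpg --batch --import
    ownertrust_line "$(fingerprint_of "$key")" 6 | ssh "$host" gpg --batch --import-ownertrust
}

# Constructed sample of --with-colons output for a key like the one in the
# thread (fingerprints are made up); used for the offline self-check.
SAMPLE_COLONS='pub:u:1024:17:0000000012345678:2009-09-25:::u:::scESC::::::::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF12345678:
uid:u::::2009-09-25::0000000000000000000000000000000000000000::Real name (comment) <some@email.com>::::::::::0:
sub:u:2048:16:0000000087654321:2009-09-25::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# Run the parser over the sample and return the primary fingerprint.
sample_fingerprint() {
    printf '%s\n' "$SAMPLE_COLONS" | fingerprint_from_colons
}

# Usage: sh provision.sh <key-id-or-name> <host>
# With no arguments only the offline self-check runs.
if [ "$#" -ge 2 ]; then
    provision_host "$1" "$2"
else
    echo "primary fingerprint from sample: $(sample_fingerprint)"
    echo "ownertrust line: $(ownertrust_line "$(sample_fingerprint)" 6)"
fi
```

Because `--export-ownertrust` covers the whole trust database rather than one key, building the line from the fingerprint is the way to move trust for a single key; the exported secret key still grants full decryption of every backup, so it belongs only on hosts that actually need to restore.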

