- 09-28-2009 #1
- Just Joined! Join Date: Sep 2009, Location: Austin, TX, Posts: 2
[SOLVED] export GPG keys to multiple servers
See next post for solution

I am trying to export a secret key created on my local box to multiple servers. Let's say the key is 12345678.
The goal is to have 1 script which runs on all the servers to encrypt and
backup the data to S3. And 1 script to decrypt the data for restores.

currently i've done
Code:
gpg --output secret --export-secret-keys "Real name"
gpg --output public --export "Real name"
secret & public have been scp'd to the servers.

From the servers I ran
Code:
gpg --import secret
gpg --import public

Now, when I try to encrypt the data
Code:
gpg --recipient 12345678 --encrypt file
I get
Code:
gpg: 12345678: There is no assurance this key belongs to the named user

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

I don't have a public key so I can't use gpg --sign-key.
Do I need to create a public key on the new servers?
If I create a public keys can the same script be used to "decrypt"
the data for restores?
How can I import the keys on the servers so the servers can encrypt
data? And data can be decrypted using the key ( 12345678 )?

I know this will work
Code:
gpg --encrypt-to 12345678 --encrypt file
but this is not an option.
- 09-28-2009 #2
- Just Joined! Join Date: Sep 2009, Location: Austin, TX, Posts: 2
Found Solution
I needed to use Duplicity to backup server directories to Amazon S3.
Duplicity uses GnuPG to encrypt the data so that no one can read it.
I followed a guide for setting up Duplicity and S3 created by Randy to create "The script"
So, my task was to create 1 script to be deployed across my servers
which would backup the directories. And should any server die,
have the ability to SCP the public and private keys to that server so that
restoration could occur automatically and backups could occur after restoration.
Here's what to do
1. Generate the private and public keys
Code:
gpg --gen-key
answer all the questions. We'll assume the key created was 12345678. And the
name you entered (Real name) is "Real name"

now create backups of your keys
Code:
gpg --output secret --export-secret-keys "Real name"
gpg --output public --export "Real name"

so, let's pretend, server dies. You get the OS installed on the new server (server2) now you're ready get your files off of Amazon S3

scp the secret and public keys to server2
Code:
# scp secret public root@server2:

now, from server2 import the keys
Code:
# gpg --import secret public

now, here comes the tricky part, you must tell GPG to trust these keys to
avoid the error
Code:
gpg: There is no assurance this key belongs to the named user

Code:
server2# gpg --edit-key 12345678
Secret key is available.

Command> trust
pub  1024D/12345678  created: 2009-09-25  expires: never       usage: SC
                     trust: unknown       validity: unknown
sub  2048g/87654321  created: 2009-09-25  expires: never       usage: E
[ unknown] (1). Real name (comment) <some@email.com>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

Command> save
server2#

now you can encrypt/decrypt things using the keys generated in step 1 on this
new server
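The "Command> trust ... 5" step above is interactive, which does not fit a script that is rolled out to every server. The following is an added example, not code from the thread, that does the same thing non-interactively with gpg --import-ownertrust and also reads back the validity field that an import leaves as unknown (the cause of the "There is no assurance" message). It assumes the thread's key id 12345678, the layout of gpg's --with-colons output, and a made-up fingerprint; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): non-interactive equivalent of the
# "trust" step, for use in the deployment script. Key id 12345678 and the
# user id are the thread's placeholders; the fingerprint below is constructed.

# Print the primary-key fingerprint for a key id, reading
# "gpg --with-colons --fingerprint" records on stdin: the "pub" record's
# 5th field is the long key id, the "fpr" record's 10th field the fingerprint.
fpr_for_key() {
  awk -F: -v kid="$1" '
    $1 == "pub" && substr($5, length($5) - length(kid) + 1) == kid { want = 1; next }
    $1 == "pub"         { want = 0 }
    $1 == "fpr" && want { print $10; exit }'
}

# Print the validity field of the key: "-" = unknown (what triggers the
# "There is no assurance this key belongs to the named user" prompt),
# "u" = ultimate, which is what the --edit-key dialogue sets.
validity_for_key() {
  awk -F: -v kid="$1" '
    $1 == "pub" && substr($5, length($5) - length(kid) + 1) == kid { print $2; exit }'
}

# Ownertrust record "<fingerprint>:6:" is ultimate trust, the same as
# answering 5 in the interactive dialogue.
ownertrust_line() { printf '%s:6:\n' "$1"; }

# Constructed sample of the colon output right after "gpg --import secret public",
# before any trust has been set (validity "-").
SAMPLE='pub:-:1024:17:ABCDEF0012345678:2009-09-25:::-:Real name (comment) <some@email.com>::scSC:
fpr:::::::::0123456789ABCDEF01234567ABCDEF0012345678:
sub:-:2048:16:0000000087654321:2009-09-25::::::e:'

# What server2 runs after the import (defined here, not executed by default).
trust_key() {
  fpr=$(gpg --with-colons --fingerprint "$1" | fpr_for_key "$1") || return 1
  [ -n "$fpr" ] || { echo "key $1 not found in keyring" >&2; return 1; }
  ownertrust_line "$fpr" | gpg --import-ownertrust
}

# Dry run against the sample: prints the record that would be imported.
printf '%s\n' "$SAMPLE" | fpr_for_key 12345678 | while read -r f; do ownertrust_line "$f"; done
```

On server2, call trust_key 12345678 right after gpg --import secret public; afterwards validity_for_key 12345678 on fresh --list-keys --with-colons output should print u instead of -.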