Find the answer to your Linux question:
Results 1 to 2 of 2
Enjoy an ad free experience by logging in. Not a member yet? Register.
  1. #1
    Just Joined!
    Join Date
    Sep 2009
    Austin, TX

    [SOLVED] export GPG keys to multiple servers

    See next post for solution

    I am trying to export a secret key created on my local box to multiple servers. Let's say the key is 12345678.

    The goal is to have 1 script which runs on all the servers to encrypt and
    backup the data to S3. And 1 script to decrypt the data for restores.

    currently i've done

    gpg --output secret --export-secret-keys "Real name"
    gpg --output public --export "Real name"
    secret & public have been scp'd to the servers.

    From the servers I ran

    gpg --import secret
    gpg --import public
    Now, when I try to encrypt the data

    gpg --recipient 12345678 --encrypt file
    I get

    gpg: 12345678: There is no assurance this key belongs to the named user
    It is NOT certain that the key belongs to the person named
    in the user ID. If you *really* know what you are doing,
    you may answer the next question with yes

    I don't have a public key so I can't use gpg --sign-key.

    Do I need to create a public key on the new servers?
    If I create a public keys can the same script be used to "decrypt"
    the data for restores?

    How can I import the keys on the servers so the servers can encrypt
    data? And data can be decrypted using the key ( 12345678 )?

    I know this will work
    gpg --encrypt-to 12345678 --encrypt file
    but this is not an option.

  2. #2
    Just Joined!
    Join Date
    Sep 2009
    Austin, TX

    Found Solution

    I needed to use Duplicity to backup server directories to Amazon S3.

    Duplicity uses GnuPG to encrypt the data so that no one can read it.

    I followed a guide for setting up Duplicity and S3 created by Randy to create "The script"

    So, my task was create 1 script to be deployed across my servers
    which would backup the directories. And should any server die,
    have the ability to SCP the public and private keys to that server so that
    restoration could occur automatically and backups could occur after restoration.

    Here's what to do

    1. Generat the private and public keys
    gpg --gen-key
    answer all the questions. We'll assume the key created was 12345678. And the
    name you entered (Real name) is "Real name"

    now create backups of your keys
    gpg --output secret --export-secret-keys "Real name"
    gpg --output public --export "Real name"
    so, let's pretend, server dies. You get the OS installed on the new server (server2) now you're ready get your files off of Amazon S3

    scp the secret and public keys to server2
    #scp secret public root@server2:
    now, from server2 import the keys
    # gpg --import secret public
    now, here comes the tricky part, you must tell GPG to trust these keys to
    avoid the error

    gpg: There is no assurance this key belongs to the named user

    server2# gpg --edit-key 12345678
    Secret key is available.
    Command> trust
    pub  1024D/12345678  created: 2009-09-25  expires: never       usage: SC
                         trust: unknown       validity: unknown
    sub  2048g/87654321  created: 2009-09-25  expires: never       usage: E
    [ unknown] (1). Real name (comment) <>
    Please decide how far you trust this user to correctly verify other users' keys
    (by looking at passports, checking fingerprints from different sources, etc.)
      1 = I don't know or won't say
      2 = I do NOT trust
      3 = I trust marginally
      4 = I trust fully
      5 = I trust ultimately
      m = back to the main menu
    Your decision? 5
    Do you really want to set this key to ultimate trust? (y/N) y
    Command> save
    now you can encrypt/decrypt things using the keys generated in step 1 on this
    new server

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts