Mailing List Archive: GnuPG: users

Secret Key replacement



SeidlS at schneider

Sep 1, 2009, 10:51 AM

Post #1 of 4 (578 views)
Secret Key replacement

We use gnupg in an automated mode within the organization to encrypt/decrypt documents exchanged between companies. The Key Pair we have is expiring soon and I am replacing it with a new key pair. This new key would be provided to the other companies before the other expires.

I have a couple of questions about the existing public keys we have imported to our key ring.
1 - it's my belief that I have to sign/trust each of the keys with the new secret key, is that correct?
2 - Is there any command to do a mass sign or must I do a gpg -u XXXXXXX --edit-key YYYYYY for each key?
3 - What other items am I not thinking of?

Thanks

Scott Seidl
seidls [at] schneider


jbruni at me

Sep 1, 2009, 9:41 PM

Post #2 of 4 (528 views)
Re: Secret Key replacement [In reply to]

On Sep 1, 2009, at 10:51 AM, Seidl, Scott wrote:

> We use gnupg in an automated mode within the organization to encrypt/
> decrypt documents exchanged between companies. The Key Pair we have
> is expiring soon and I am replacing it with a new key pair. This
> new key would be provided to the other companies before the other
> expires.
>
> I have a couple questions about the existing public keys we have
> imported to our key ring.
> 1 - it's my belief that I have to sign/trust each of the keys with
> the new secret key, is that correct?
> 2 - Is there any command to do a mass sign or must I do a gpg -u
> XXXXXXX --edit-key YYYYYY for each key?
> 3 - What other items am I not thinking of?
>
> Thanks
>
> Scott Seidl
> seidls [at] schneider
>



One thing you could try is to implement a corporate certification-only
key, used for certifying others' keys. You would have a second keypair
used for signing, encryption, and conducting regular business.

Your encryption keypair could expire as normal, but your certifying
key would not. Then you would set up your trust system to only trust
those keys signed by your corporate certification key.

Since your certification key doesn't expire (or at least not as
frequently), you would save yourself the trouble of having to re-
certify all your partners' keys.

-Joe


_______________________________________________
Gnupg-users mailing list
Gnupg-users [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-users


dshaw at jabberwocky

Sep 2, 2009, 8:18 AM

Post #3 of 4 (525 views)
Re: Secret Key replacement [In reply to]

On Sep 1, 2009, at 1:51 PM, Seidl, Scott wrote:

> We use gnupg in an automated mode within the organization to encrypt/
> decrypt documents exchanged between companies. The Key Pair we have
> is expiring soon and I am replacing it with a new key pair. This
> new key would be provided to the other companies before the other
> expires.
>
> I have a couple questions about the existing public keys we have
> imported to our key ring.
> 1 - it's my belief that I have to sign/trust each of the keys with
> the new secret key, is that correct?

It depends. Many uses of GPG in an automated mode use "--trust-model
always" or "--always-trust", since there is no need for a web of trust
in their setup. If you are using one of those options, then there is
no need to sign anything. If you are not using one of those options,
you probably need to make some signatures.

> 2 - Is there any command to do a mass sign or must I do a gpg -u
> XXXXXXX --edit-key YYYYYY for each key?

No mass sign ability, but you can do some shell magic like:

for i in (the keyids here)
do
gpg -u XXXXXX --lsign $i
done

This assumes you don't have a passphrase on the key (otherwise you'd
have to type it multiple times as the shell loop ran), but no
passphrases is also a common setup for automated use.

David




jbruni at me

Sep 2, 2009, 9:06 AM

Post #4 of 4 (535 views)
Re: Secret Key replacement [In reply to]

On Wednesday, September 02, 2009, at 08:18AM, "David Shaw" <dshaw [at] jabberwocky> wrote:
>
>No mass sign ability, but you can do some shell magic like:
>
>for i in (the keyids here)
>do
> gpg -u XXXXXX --lsign $i
>done
>
>This assumes you don't have a passphrase on the key (otherwise you'd
>have to type it multiple times as the shell loop ran), but no
>passphrases is also a common setup for automated use.
>
>David


To expand on David's script, the portion found in '(the keyids here)' can be extracted using the following:

$ gpg --with-colons --list-keys | grep -e '^pub' | cut -d: -f5

-Joe






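The following script is an added example, not code posted by David or Joe. It combines David's `--lsign` loop with Joe's `--with-colons` extraction into a pair of shell functions, and goes a little beyond the one-liner: it skips keys whose validity field marks them revoked or expired, and it skips the signing key itself, so the automated run does not try to certify dead keys or its own key. Everything below is an assumption not stated in the thread: GnuPG 2.x, where `--lsign-key` is the long form of David's `--lsign` and `--batch --yes` answers the confirmation prompt; a signing key without a passphrase (as David assumed) or one already held by gpg-agent; `SIGNING_KEY` as a placeholder for the new key's ID; and a constructed colon-format listing with made-up key IDs standing in for the real keyring.

```shell
#!/bin/sh
# Added example, not code from the thread: batch local-signing helper built
# from David's shell loop and Joe's `--with-colons` key-ID extraction.
# Assumptions (not stated in the thread): GnuPG 2.x; --lsign-key is the long
# form of --lsign and --batch --yes answers its confirmation prompt; the
# signing key has no passphrase or gpg-agent already holds it.

# Read `gpg --with-colons --list-keys` output on stdin and print the
# 16-hex-digit key ID (field 5) of every 'pub' record, skipping keys whose
# validity field (field 2) says revoked ('r') or expired ('e'), and skipping
# the signing key itself, which does not need its own local signature.
select_keyids() {
    awk -F: -v signer="$1" '
        $1 == "pub" && $2 != "r" && $2 != "e" && $5 != signer { print $5 }'
}

# Local-sign (non-exportable, as --lsign does) each key ID given as an
# argument, stopping at the first failure so a bad key is not silently
# skipped. GPG_CMD defaults to gpg; a test can point it at a stub function.
lsign_keys() {
    signer="$1"
    shift
    for keyid in "$@"; do
        ${GPG_CMD:-gpg} --batch --yes -u "$signer" --lsign-key "$keyid" || {
            echo "local signature failed for $keyid" >&2
            return 1
        }
    done
}

# Constructed sample listing (made-up key IDs, not real keys): the signer's
# own key, two current partner keys, one revoked key and one expired key.
SAMPLE_LISTING='tru::1:1251800000:0:3:1:5
pub:u:2048:1:AAAAAAAAAAAAAAAA:1251800000:1314800000::u:::scESC::::::
uid:u::::1251800000::0000::Our Corp (automation) <ops@corp.example>::::::
pub:f:2048:1:BBBBBBBBBBBBBBBB:1251800000:1314800000::-:::scESC::::::
uid:f::::1251800000::0000::Partner One <edi@partner1.example>::::::
pub:r:2048:1:CCCCCCCCCCCCCCCC:1200000000:::-:::scESC::::::
uid:r::::1200000000::0000::Old Partner <edi@old.example>::::::
pub:e:2048:1:DDDDDDDDDDDDDDDD:1100000000:1200000000::-:::scESC::::::
uid:e::::1100000000::0000::Expired Partner <edi@expired.example>::::::
pub:f:2048:1:EEEEEEEEEEEEEEEE:1251800000:1314800000::-:::scESC::::::
uid:f::::1251800000::0000::Partner Two <edi@partner2.example>::::::'

# Against a real keyring the two steps are (SIGNING_KEY is a placeholder):
#   gpg --with-colons --list-keys | select_keyids "$SIGNING_KEY" > ids.txt
#   lsign_keys "$SIGNING_KEY" $(cat ids.txt)
# If the signing key does carry a passphrase, GnuPG 2.1+ can take it from a
# file descriptor with --pinentry-mode loopback --passphrase-fd N instead of
# prompting on every loop iteration.
```

Writing the plan to a file first and reviewing it before running `lsign_keys` is a cheap check that the filter did what you expected; with `--trust-model always` in the automated config, as David notes, none of this is needed, since that setting bypasses the web of trust entirely.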
