Using the same PGP key on multiple servers?
I guess this question falls under “best practices” for PGP keys. First a very quick background. I lead an open source project, and have been getting numerous requests to publish to the “Apache Maven” repository. To do this, I need to sign each release with a PGP key.
So I used PGP and generated a public/private key on my local computer. I exported and encrypted the “secret key” and transferred it to my “build server”. The build server refuses to import the key, saying it is invalid. Further analysis led me to believe that because our build server runs under a different user id than I used on my local computer, they are incompatible.
I would have thought that, since the PGP key pair is tied to my name, I as a person should only own ONE PGP key? But is this really the case? Should I be generating one per machine? And just use the import/export to back them up? I can do this just fine; it's when I try to replicate a PGP secret key over several machines that it just seems really difficult, and as though I am maybe using PGP in the wrong way. Namely, I am thinking I create one key for myself and copy it to the build server, maybe also use it to encrypt email from myself (should I need to do it), etc.
Answers (2)
It is not unusual to have more than one PGP key, especially if you fulfill different roles.
An example
At key signing parties, it often happens that participants present several PGP keys. One for private communication, one for signing releases at one project, another one for signing at a different project, etc.
If I understand your posting correctly, it sounds like your problem is that you encrypted your secret key before trying to import it. You should of course keep your secret key secret, and keep it in a directory protected with strict permissions (e.g., "chmod 600 secring.gpg" if you're using GPG). But you should not encrypt the key before you import it. If you think deeply about this for a moment, it will become clear: PGP is trying to import the secret half of a key pair so that it can (among other things) decrypt messages encrypted using the public half of that key pair. But if you have encrypted the secret key (or any file for that matter) using the (or any) public key, then the PGP program does not know how to decrypt that secret key you're trying to import. Fundamentally, the key is not a key; it is an encrypted file/message. The key should not be encrypted before importing. In fact the only situation when a secret key should be encrypted is if you need to store it somewhere (else) securely, like as an emergency backup on a USB fob you keep stashed somewhere.
Also, it is possible, and not really unusual, to have more than one secret key or ID, or both, for encrypting files and messages for various (possibly unrelated) purposes. I hope this helps...belatedly.
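The confusion the answer above describes, an exported secret key versus a file that was additionally run through gpg's encryption, is visible in the file itself: OpenPGP data is a sequence of packets, and a transferable secret key starts with a Secret-Key packet (tag 5) while an encrypted message starts with a session-key packet (tag 1 or 3). The script below is an added example, not code from the question or either answer, that reads only the packet headers (RFC 4880 section 4.2, both old- and new-format headers, including partial body lengths) and reports what the file is before it is handed to `gpg --import`. The sample byte strings are constructed; their packet bodies are placeholders and not real key material.

```python
"""Report what an OpenPGP file contains (secret key, public key, encrypted
message) from its top-level packet headers. Added example; the samples at the
bottom are constructed and contain no real keys."""
import base64

# Packet tags from RFC 4880 section 4.3 (subset used here).
TAG_NAMES = {
    1: "Public-Key Encrypted Session Key", 3: "Symmetric-Key Encrypted Session Key",
    5: "Secret-Key", 6: "Public-Key", 7: "Secret-Subkey", 9: "Symmetrically Encrypted Data",
    13: "User ID", 14: "Public-Subkey", 18: "Sym. Encrypted Integrity Protected Data",
}
SECRET_KEY_TAGS = {5, 7}
ENCRYPTED_MESSAGE_TAGS = {1, 3, 9, 18}


def _new_format_length(data, i):
    """Decode one new-format length field at offset i -> (length, next_offset, is_partial)."""
    first = data[i]
    if first < 192:
        return first, i + 1, False
    if first < 224:
        return ((first - 192) << 8) + data[i + 1] + 192, i + 2, False
    if first == 255:
        return int.from_bytes(data[i + 1:i + 5], "big"), i + 5, False
    return 1 << (first & 0x1F), i + 1, True  # partial body length, more chunks follow


def parse_packet_tags(data):
    """Return the tag of every top-level packet in a binary OpenPGP stream."""
    tags, i = [], 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("offset %d: byte 0x%02x is not an OpenPGP packet header" % (i, ctb))
        if ctb & 0x40:  # new-format header: tag in the low six bits
            tag, i = ctb & 0x3F, i + 1
            partial = True
            while partial:  # partial-length chunks chain until a final (non-partial) length
                length, i, partial = _new_format_length(data, i)
                i += length
        else:  # old-format header: tag in bits 2-5, length type in bits 0-1
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            i += 1
            if ltype == 3:  # indeterminate length: packet runs to end of input
                i = len(data)
            else:
                width = {0: 1, 1: 2, 2: 4}[ltype]
                length = int.from_bytes(data[i:i + width], "big")
                i += width + length
        if i > len(data):
            raise ValueError("truncated packet (tag %d)" % tag)
        tags.append(tag)
    return tags


def dearmor(text):
    """Strip ASCII armor (RFC 4880 section 6.2) and return the binary packets."""
    lines = text.decode("ascii").splitlines()
    if "" not in lines:
        raise ValueError("armor has no blank line after its headers")
    body = []
    for line in lines[lines.index("") + 1:]:
        if line.startswith("-----END"):
            break
        if not line.startswith("="):  # skip the CRC24 checksum line
            body.append(line)
    return base64.b64decode("".join(body))


def classify(data):
    """Name the file type from its first packet, armored or binary input."""
    if data.startswith(b"-----BEGIN PGP "):
        data = dearmor(data)
    first = parse_packet_tags(data)[0]
    if first in SECRET_KEY_TAGS:
        return "secret key"
    if first == 6:
        return "public key"
    if first in ENCRYPTED_MESSAGE_TAGS:
        return "encrypted message"
    return "other (%s)" % TAG_NAMES.get(first, "tag %d" % first)


# Constructed samples: packet bodies are placeholders, only the headers matter here.
SAMPLE_SECRET_KEY = (
    bytes([0x94, 3]) + b"\x04\x00\x00"    # old format, tag 5 (Secret-Key), 1-byte length
    + bytes([0xB5, 0x00, 5]) + b"alice"   # old format, tag 13 (User ID), 2-byte length
    + bytes([0xC7, 2]) + b"\x04\x00"      # new format, tag 7 (Secret-Subkey)
)
SAMPLE_ENCRYPTED_MESSAGE = (
    bytes([0xC1, 4]) + b"\x03abc"         # new format, tag 1 (PKESK)
    + bytes([0xD2, 0xE1]) + b"xx"         # tag 18 (SEIPD) with a 2-byte partial chunk ...
    + bytes([3]) + b"yyy"                 # ... followed by its final 3-byte chunk
)
SAMPLE_ARMORED_SECRET_KEY = (
    b"-----BEGIN PGP PRIVATE KEY BLOCK-----\nComment: constructed sample\n\n"
    + base64.b64encode(SAMPLE_SECRET_KEY)
    + b"\n=XXXX\n-----END PGP PRIVATE KEY BLOCK-----\n"
)

if __name__ == "__main__":
    for name, blob in [("exported key", SAMPLE_SECRET_KEY), ("encrypted file", SAMPLE_ENCRYPTED_MESSAGE),
                       ("armored key", SAMPLE_ARMORED_SECRET_KEY)]:
        print("%-15s -> %s" % (name, classify(blob)))
```

Run against the file that was copied to the build server: "secret key" means `gpg --import` should accept it (the private key material inside is still protected by its passphrase, which is the only encryption that belongs on an exported key), while "encrypted message" means the file must first be decrypted with the key it was encrypted to, which the build server does not have. The armor branch covers `gpg --export-secret-keys --armor` output; the CRC24 line is skipped rather than verified, so this is a type check, not an integrity check.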