
I am using CentOS 7 and GnuPG 2.0 for one of my applications which is using encryption and decryption.

Now I am trying to scale my application horizontally, on two server named as server A and server B.

Let's say the application creates a private/public key pair on server A, how can I share the same set in server B or vice versa, so that application can access same set of keys from either servers?

Jens Erat
Shrijan Tiwari

1 Answer


Given you do not describe any method which does not store the keys locally, you're probably using a normal GnuPG home directory with the private key stored in the keychain. Just export this key (`gpg --export-secret-keys <key-id>`) and then import it (`gpg --import`) using the same mechanics for distributing other credentials (database, ...).

GnuPG keys do not change "on their own", are usually long-lasting, and creation is often a manual process; so you don't need to actively monitor and synchronize them. Just roll out the new copy in the rare case they actually change. Again -- compare the process to database passwords or other secrets.

If keys are actually regenerated regularly, you will have to run the export/import process whenever creating new keys (and be sure to consider timing issues with the synchronization process not being finished yet while access is already spread among the servers).

A (much more complex and error-prone, if you don't know the technology in detail) alternative is to use a gpg-agent socket shared over the network, for example by using SSH tunnels or similar solutions. This allows all connected servers to use the private key without having it stored locally. This might especially prove important if you cannot (may not) store the private key locally. Using gpg-agent socket sharing, the private key never leaves the server running gpg-agent, which performs all private key operations (the major part of the work for encryption is usually the symmetric encryption of the actual data, but make sure you don't run into scaling issues!).

Jens Erat
  • Thanks Jens, import/export of keys is an alternative solution I have in batch, but currently I am looking for some automated solution; seems like gpg-agent can handle this. Could you share more on gpg-agent and any guide for implementation? – Shrijan Tiwari Nov 05 '17 at 19:25
  • Is this process the same as export/import keys? (Assume I have daily key creation.) `scp ~/.gnupg/pubring.gpg root@xx.xx.xx.xx:~/.gnupg/pubring.gpg` `scp ~/.gnupg/secring.gpg root@xx.xx.xx.xx:~/.gnupg/pubring.gpg` `scp ~/.gnupg/trustdb.gpg root@xx.xx.xx.xx:~/.gnupg/pubring.gpg` – Shrijan Tiwari Nov 05 '17 at 19:33
  • This will work for sure -- but make sure to stop the application and `gpg-agent` while copying the files. – Jens Erat Nov 05 '17 at 19:47
  • Exporting `gpg-agent`'s socket is too involved to be in scope for a Q&A here. Look at `man gpg-agent` and the notes on the `extra-socket`, and consider a solution to make a socket remotely accessible (this depends on your local setup and software in use). Configuring GnuPG to use this socket is a rather easy task, but also make sure to properly start and keep running `gpg-agent` (for example, by writing your own systemd unit file). – Jens Erat Nov 05 '17 at 19:51
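The export/import route from the answer, written out as a script with the checks a practitioner would add (carrying ownertrust across and verifying fingerprints on both hosts). This is an added example, not code from the thread or from the GnuPG project; the function names, the `--run` usage, the `appuser@serverB` target and the `myapp.service` unit are assumptions, and it assumes GnuPG 2.0 as on CentOS 7 (2.1+ prompts for the passphrase via pinentry during the secret-key export).

```shell
#!/bin/sh
# Added example: replicate one GnuPG key pair from this host (server A) to a
# peer (server B) by export/import, then verify both keyrings agree.
# Assumptions: $peer is an ssh target running as the application user (same
# GnuPG home), gpg is on PATH on both hosts, and GnuPG 2.0 is in use.
set -eu

# Pull fingerprint(s) out of `gpg --with-colons --fingerprint` output: "fpr"
# records carry the fingerprint in field 10. Plain awk, so it can be checked
# without gpg installed.
fingerprints_from_colons() {
    awk -F: '$1 == "fpr" { print $10 }' "$@"
}

# Two newline-separated fingerprint lists are equal as sets (order-independent).
fingerprints_match() {
    [ "$(printf '%s\n' "$1" | sort)" = "$(printf '%s\n' "$2" | sort)" ]
}

# Export public + secret key as one stream straight into an import on the peer,
# so the secret material is never written to a temporary file on either side.
replicate_key() {
    key_id=$1
    peer=$2
    # Stop the application on the peer first so nothing holds the keyring open
    # while it is modified; "myapp.service" is a placeholder for your unit.
    ssh "$peer" 'systemctl stop myapp.service 2>/dev/null || true'
    { gpg --batch --export "$key_id"; gpg --batch --export-secret-keys "$key_id"; } \
        | ssh "$peer" 'gpg --batch --import'
    # Ownertrust is not part of the key material; carry it over as well, or
    # encryption on the peer will warn that the key is not trusted.
    gpg --export-ownertrust | ssh "$peer" 'gpg --import-ownertrust'
    ssh "$peer" 'systemctl start myapp.service 2>/dev/null || true'
    # Verify: the fingerprints gpg reports for the key must match on both hosts.
    local_fpr=$(gpg --batch --with-colons --fingerprint "$key_id" | fingerprints_from_colons)
    peer_fpr=$(ssh "$peer" "gpg --batch --with-colons --fingerprint $key_id" | fingerprints_from_colons)
    fingerprints_match "$local_fpr" "$peer_fpr"
}

# Usage: sh replicate-key.sh --run <key-id> appuser@serverB
if [ "${1:-}" = "--run" ]; then
    replicate_key "$2" "$3" && echo "key $2 present on $3 with matching fingerprint"
fi
```

Run it again whenever a new key is generated; because it pipes the export into the import, no secring copy is left lying around on either server.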