OpenPGP Key management

March 11th, 2006 by Hen

So how do people manage their OpenPGP (specifically GPG) keys? For the last year or more I’ve avoided releasing things at Apache due to a general confusion at just how to manage my keys. There’s nothing available at Apache to do so, so you have to come up with something locally. Putting it on another server seems insecure, but client-wise I’m never that stable. Currently I’m on a work laptop, so probably not something to get too attached to in the long-term.

My current solution is to use a USB key and symlink my .gnupg directory over to that, as I’ve not seen anything in the gpg command help to let me specify where the keys live. This worked fine for signing, but I just realised that it means that I have to have the USB key in to verify keys - i.e. it needs to find my list of public keys and those are in the .gnupg directory too. This sucks. Any ideas on how to better manage this out there?

One downside of the USB key approach is that it gets automounted in a way that gpg doesn’t like. The files are world readable, and lock() isn’t supported. So lots of errors. This is on a Mac, so in the long-term I’d have to look into understanding how to configure its automounting.

2 Responses to “OpenPGP Key management”

  1. Dave Brondsema Says:

    You can set the GNUPGHOME environment variable. Not sure how to separate your public & private keyrings though. Perhaps try having your $GNUPGHOME in your regular filesystem and symlink only the secring.gpg file to your USB drive.

  2. Robert Burrell Donkin Says:

    Found I had more to say than would reasonably fit. So you’ll need to follow the URL.
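An added example, not code from the post or from either commenter, of the layout Dave Brondsema suggests (GNUPGHOME on the local disk, only the secret keyring on the removable drive) together with a check for the world-readable-files problem the post describes; the directory paths are placeholders and gpg itself is not invoked. GnuPG 2.1 and later keeps secret keys in private-keys-v1.d/ rather than secring.gpg, so that directory takes the place of the file there.

```sh
#!/bin/sh
# Hypothetical helper functions (not from the post): split the public and
# secret keyrings across local disk and a removable drive, then verify the
# permissions gpg expects before it will stop warning about "unsafe" files.

# split_keyring HOME_DIR USB_DIR
#   Creates HOME_DIR/.gnupg with mode 0700, keeps pubring.gpg and trustdb.gpg
#   there, and symlinks only secring.gpg to the copy on the removable drive.
#   Prints the GNUPGHOME export to use, so public keys verify without the
#   drive present.
split_keyring() {
    home_dir=$1
    usb_dir=$2
    gnupghome="$home_dir/.gnupg"
    mkdir -p "$gnupghome" || return 1
    chmod 700 "$gnupghome" || return 1
    # Secret material stays only on the removable drive.
    [ -f "$usb_dir/secring.gpg" ] || return 1
    rm -f "$gnupghome/secring.gpg"
    ln -s "$usb_dir/secring.gpg" "$gnupghome/secring.gpg" || return 1
    echo "export GNUPGHOME=$gnupghome"
}

# file_mode PATH: octal permission bits, following symlinks (GNU or BSD stat).
file_mode() {
    stat -L -c %a "$1" 2>/dev/null || stat -L -f %Lp "$1"
}

# check_gnupg_perms DIR
#   Returns 0 when DIR is mode 0700 and every regular file in it (the symlink
#   target on the drive included) is owner-only; otherwise lists each offender
#   and returns 1. A drive automounted with world-readable files fails here,
#   which is exactly what gpg complains about.
check_gnupg_perms() {
    dir=$1
    status=0
    if [ "$(file_mode "$dir")" != "700" ]; then
        echo "unsafe directory mode on $dir"
        status=1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$(file_mode "$f")" in
            600|400) ;;
            *) echo "unsafe mode on $f"; status=1 ;;
        esac
    done
    return $status
}
```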