Shrijan Tiwari

Reputation: 693

Synchronizing GnuPG private keys between multiple servers for horizontal scaling

I am using CentOS 7 and GnuPG 2.0 for one of my applications, which uses encryption and decryption.

Now I am trying to scale my application horizontally, on two servers named server A and server B.

Let's say the application creates a private/public key pair on server A. How can I share the same set with server B, or vice versa, so that the application can access the same set of keys from either server?

Upvotes: 0

Views: 1115

Answers (1)

Jens Erat

Reputation: 38672

Given you do not describe any method which does not store the key locally, you're probably using a normal GnuPG home directory with the private key stored in the keychain. Just export this key (gpg --export-secret-keys <key-id>) and then import it (gpg --import) using the same mechanics for distributing other credentials (database, ...).

GnuPG keys do not change "on their own", are usually long-lasting, and their creation is often a manual process; so you don't need to actively monitor and synchronize them. Just roll out the new copy in the rare case they actually change. Again -- compare the process to database passwords or other secrets.

If keys are actually regenerated regularly, you will have to run the export/import process whenever creating new keys (and be sure to consider timing issues, with the synchronization process not being finished yet but access already being spread among the servers).

A (much more complex and error-prone, if you don't know the technology in detail) alternative is to use a gpg-agent socket shared over the network, for example by using SSH tunnels or similar solutions. This allows all connected servers to use the private key without having it stored locally. This might prove especially important if you cannot (may not) store the private key locally. Using gpg-agent socket sharing, the private key never leaves the server running gpg-agent, which performs all private key operations (the major part of handling encryption is usually the symmetric encryption of the actual data, but make sure you don't run into scaling issues!).

Upvotes: 1
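The export/import round trip described in the answer above, written out as an added shell example (not code from the question or from the answer). It assumes two local GnuPG home directories standing in for servers A and B, and that the exported file crosses between real hosts over the same channel already used for other secrets; the fingerprint comparison is the check for the timing issue the answer mentions.

```shell
# Added example (not from the question or answer): the export/import round
# trip the answer describes, plus a fingerprint check before server B goes
# into service. Assumption: two local GnuPG homedirs stand in for the two
# servers; moving the exported file between real hosts uses whatever channel
# already carries your database passwords and other secrets.
set -eu
# Primary-key fingerprint of the first secret key in homedir $1 (40 hex chars).
key_fpr() {
    gpg --homedir "$1" --batch --with-colons --fingerprint --list-secret-keys 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Export secret key $2 from homedir $1, ASCII-armored, to file $3 (owner-only).
export_secret() {
    gpg --homedir "$1" --batch --yes --armor --output "$3" --export-secret-keys "$2"
    chmod 600 "$3"
}

# Import the armored secret key file $2 into homedir $1.
import_secret() { gpg --homedir "$1" --batch --import "$2"; }

# Succeeds only when both homedirs hold the same secret key; run this before a
# freshly synchronized server starts serving (the timing issue in the answer).
sync_verified() {
    a=$(key_fpr "$1"); b=$(key_fpr "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Round trip on throwaway homedirs; returns 0 when B ends up with A's key. The
# batch generation stands in for the application creating its key pair on A
# (%transient-key only speeds up this local demonstration).
demo_sync() {
    A=$(mktemp -d /tmp/srvA.XXXXXX); B=$(mktemp -d /tmp/srvB.XXXXXX)
    gpg --homedir "$A" --batch --gen-key <<EOF
%no-protection
%transient-key
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: app-server-key
Name-Email: app@example.com
Expire-Date: 0
%commit
EOF
    export_secret "$A" "$(key_fpr "$A")" "$A/app-secret.asc"
    import_secret "$B" "$A/app-secret.asc"   # on real hosts: after the transfer
    rm -f "$A/app-secret.asc"
    sync_verified "$A" "$B"
}
```

On a real deployment, replace the local import step with your existing secret-distribution mechanism and keep the exported file off disk for longer than the transfer needs.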
