Image of the glider from the Game of Life by John Conway
Skip to content

My GnuPG Locality Solution

Yesterday, I provided a problem about how to use my GnuPG key regardless of my location. In reality, there are only 3 computers that I sit at: Hercules, my laptop, and my main companion; Zeus, my "other" desktop, that is actually far more powerful than Hercules, but my wife is always on it with Windows XP; and Poseidon, my workstation at work. So, really, the security that I need to worry about is minimal (2 at home, and 1 at work), and I can be fairly pragmatic about it.

I have to say that some really interesting solutions came in regards to my problem. Encrypted loopback filesystems, smartcards, splitting the key, and others. I don't think my solution is superior. Actually, I really like splitting the key that Daniel Silverstone came up with. Trully genius. However, my solution was the best that I could come up with, and probably fairly obvious. So, at any rate...

The solution I came up with allows me to keep my GPG key on one computer at home, with the other two taking advantage of that PC. Here's what I did to solve the problem:

  1. Recognize that I have an SSH port open for remote access.
  2. Secured the SSH port a bit by completely disabling username/password authentication, root logins and, of course, obscured it by moving the default port off of 22.
  3. Generated SSH keys, using a strong cryptographic passphrase, following this tutorial.
  4. Appended the public keys to ~/.ssh/authorized_keys on the remote server.
  5. Installed, and configured, following this tutorial, SSHFS.
  6. Restarted the remote SSH daemon.
  7. Wrote an alias to mount the remote SSFS .gnupg directory to my local .gnupg directory (using compression).

With this, I use the Gnome SSH agent, that is already running, to add my local public SSH key to the agent. Then, with that added, after entering my passphrase, I run the alias I created earlier to mount the SSHFS to my directory. Now, I can use KGpg, Enigmail, and pretty much anything GPG-related on my local machine using my GnuPG key as if it were running locally, and yet take advantage of the remote SSH key. The only thing is, as it is running through SSH, it tends to be a bit slow for encrypting, decrypting and signing. However, I only need to keep one copy of my GPG key, and I can keep it where I know that it is secure. So the decrease in speed performance is worth the saftey and integrity of the key.  Also, I only need to run the process of adding my key to the agent and mounting SSHFS once, which is nice.

DISCLAIMER: Because I mounted SSHFS using public key authentication, the mount exists as long as I stay logged into my box, or if I unmount it using fusermount -u. This could pose a threat, if anyone has access to my workstation. As such, when leaving the computer, I need to remember to lock it every time, or logout. Not keeping in this practice of locking my workstation or logging out, could compromise the key. However, when logged out, the agent dies, thus losing the key in the agent, and unmounting the SSHFS, which means my private GPG key is no longer on the computer. So, either I need to lock the workstation, or logout every time I leave the PC. Fortunately, this is in standard practice with current behavior, so it won't be a problem.

{ 5 } Comments

  1. Fabian Rodriguez | February 20, 2007 at 4:40 pm | Permalink

    This supposes you have a Linux workstation / environment, I must have misunderstood your first message.

    The only slight problem I see with this method is that you need to have your computer to be able to sign/encrypt/verify anything, and most importantly, if you loose that computer there is absolutely no way (that I know of) to login again and get access to your keys, as you're using SSH key-based auth.

    I think for maximum portability and safety a bootable USB driver with a loopback encrypted FS is still safer (if lost, etc). A full binary-image backup of a 2GB key could be kept at your friends, etc.

  2. imbrandon | February 20, 2007 at 6:46 pm | Permalink

    Also rember in this situation that the computers you are using this on need to have ATLEASTE encrypted swap partitions/files because when you type your gpg-passphrase in to use your key if that memory is swapped out it is stored plaintext in the swaparea.

    Just something to think about.


  3. Aaron | February 20, 2007 at 10:18 pm | Permalink


    Yes. I do need my computer accessible for this to work. As you said, if it's lost or just powered off, then it is no good to me. However, if it's turned off, chances are that I have it with me, and I'll have access to it anyway.

    As far as the encrypted loopback, that is a solid solution that I need to look into. It is, however, just making the problem redundant.

  4. Aaron | February 20, 2007 at 10:19 pm | Permalink


    Hmmm. Good point. I overlooked that aspect. I'll need to see what I can do to lock the swap down.

  5. gimi | October 5, 2009 at 6:50 am | Permalink

    On recent boxes "swapoff" wouldn't hurt. 🙂

    Nice Discussion.

Post a Comment

Your email is never published nor shared.