While importing my keys to GnuPG on a new system, I considered the following:
Question
- Is it possible to synchronize the gpg and gpg2 (gpg2.1) keychains?
- Is it wise to do so?
Considering
I found this answer to "Are GnuPG 1 and GnuPG 2 compatible with each other?", it states the following:
An important change came with GnuPG 2.1, which combines the formerly
separated public and private keyrings (pubring.gpg vs. secring.gpg)
into the public keyring. This has been implemented in a manner keeping
things compatible, so you can still use GnuPG 1 when GnuPG 2.1
integrated the private keyring, but changes to the private keys will
not show up for the respective other implementation. From the
changelog:
[…] allows co-existence of older GnuPG versions with GnuPG 2.1. However, any change to the private keys using the new gpg will not
show up when using pre-2.1 versions of GnuPG and vice versa.
Synchronisation on the file level is not an option; also, there seems to be no built-in mechanism to sync the chains.
Am I safe to just export all pub and sec keys from gpg and import them via gpg2 (cronjob etc.) and vice versa, or could this leave me with unconsidered consequences?
Solution
I did not automate the key synchronisation but transferred all keys from my gpg keychain to the gpg2 keychains and symlinked gpg2 to gpg to make sure I always use gpg2. This seems to be a better solution than holding all keys in different keyrings.
gpg --export | gpg2 --import
gpg --export-secret-keys | gpg2 --import
sudo mv /usr/bin/gpg /usr/bin/gpg1
sudo ln -s /usr/bin/gpg2 /usr/bin/gpg
Best Answer
Synchronization through exporting and importing is safe, but be aware GnuPG cannot merge secret subkeys but starting with GnuPG 2.1 -- so if you change anything with the subkeys in GnuPG 2.1, you'd have to delete the whole key in GnuPG 1 before importing. The other way round should be safe, though. I'm not sure if you have to export/import ownertrust for this synchronization process.
To take advantage of GnuPG 2.1's new features (for example ECC keys, ...), I'd rather try not to use GnuPG 1 though, and symlink gpg2 to gpg instead. Generally they should be compatible, unless other applications interface GnuPG in a way they shouldn't. If you have any issues, going back would be easy (or simply keep gpg as gpg1 to keep GnuPG 1, but change the default to GnuPG 2.x).
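The export/import steps from the Solution above, carried out with the ownertrust the answer was unsure about and followed by a fingerprint check, as an added example script (not code from the original post or from GnuPG). It assumes `gpg` is GnuPG 1 and `gpg2` is GnuPG 2.1 on the PATH, and only verifies that every key fingerprint gpg1 knows is present in gpg2; it does not detect the secret-subkey merge problem the answer describes.

```shell
#!/bin/sh
# Added example: copy a GnuPG 1 keyring into GnuPG 2.1 and verify the result.
# Assumes `gpg` = GnuPG 1 and `gpg2` = GnuPG 2.1 (hypothetical setup).
set -eu

# Print the fingerprints (field 10 of "fpr" records) found in
# `--list-keys --with-colons` output read from stdin, sorted and deduplicated.
fingerprints_from_colons() {
    awk -F: '$1 == "fpr" { print $10 }' | sort -u
}

# Print fingerprints present in the source listing ($1) but absent from the
# destination listing ($2). Both arguments are files of --with-colons output.
missing_fingerprints() {
    a=$(mktemp); b=$(mktemp)
    fingerprints_from_colons < "$1" > "$a"
    fingerprints_from_colons < "$2" > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# The migration itself: public keys, secret keys, then ownertrust, followed by
# a check that nothing known to gpg1 is missing from gpg2.
migrate_gpg1_to_gpg2() {
    gpg --export | gpg2 --import
    gpg --export-secret-keys | gpg2 --import
    gpg --export-ownertrust | gpg2 --import-ownertrust

    src=$(mktemp); dst=$(mktemp)
    gpg --list-keys --with-colons > "$src"
    gpg2 --list-keys --with-colons > "$dst"
    missing=$(missing_fingerprints "$src" "$dst")
    rm -f "$src" "$dst"
    if [ -n "$missing" ]; then
        echo "migration incomplete; fingerprints missing in gpg2:" >&2
        echo "$missing" >&2
        return 1
    fi
    echo "all gpg1 fingerprints are present in gpg2"
}

# Only touch real keyrings when asked explicitly (run with --run), so the
# helper functions can be sourced and checked against constructed input.
if [ "${1:-}" = "--run" ]; then
    migrate_gpg1_to_gpg2
fi
```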