Using pass on multiple computers. Which pgp key to share

gpgpasswordpgp

I'm using pass password manager on multiple computers, linked via a git repository. Which pgp key do I need to share across computers, the public, private, or both, so that I can add /edit /delete passwords on all computers?

Best Answer

First of all, I'd consider "editing" a passphrase replacing the value for a site by another one, not regarding the old passphrase at all (which would include a read operation). pass stores the site's URL in the file name in plain text, thus does not require any cryptographic operations for finding/"lookup" of the encrypted content at all.

If you only want to add, edit and delete passwords, you only need the public key, to be specific for the add and edit operations which encrypt the passphrase using the public key; in fact deleting does not imply any cryptographic operations at all.

On the other hand, for reading any passphrase, you will need to provide the private key, which is required to decrypt the passphrase.

Related Solutions

Import Keys from Keyserver Using GPG in Debian – How to Guide

gpg --keyserver pgp.mit.edu --recv-keys DAD95197

is supposed to import keys matching DAD95197 from the MIT keyserver. However the MIT keyserver often has availability issues so it’s safer to configure another keyserver.

I generally use the SKS pools; here are their results when looking for “ashish”. To import the key from there, run

gpg --keyserver pool.sks-keyservers.net --recv-keys FBF1FC87DAD95197

(never use the short key ids, they can easily be spoofed).

This answer explains how to configure your GnuPG installation to always use the SKS pools.

Debian – How to generate an .asc file from pgp public key

Usually, a .asc file is an ASCII-armored representation of key material (or a signature). Your shirish-public-key.txt looks like it’s just that, so if you’re sure it contains the right information you could simply rename it, as you suggest. (I doubt it contains your public key though — that should start with -----BEGIN PGP PUBLIC KEY BLOCK-----.) If a file contains “binary” data (which I’m guessing is what you mean when you say it looks like an archive), it’s not an ASCII file and wouldn’t usually be named with a .asc extension.

To export your key in this format, from your keyring rather than an existing file (thus ensuring it contains the correct data), run

gpg --armor --export YOUR_FINGERPRINT > pubkey.asc

To make things easier, files are often named by their key id; in my case:

gpg --armor --export "79D9 C58C 50D6 B5AA 65D5  30C1 7597 78A9 A36B 494F" > 0x759778A9A36B494F.asc

There are various options you can use to tweak the exported data; for example, --export-options export-minimal will strip most signatures from the key, greatly reducing its size (but also its utility for people who care about the web of trust).

Best Answer

Related Solutions

Import Keys from Keyserver Using GPG in Debian – How to Guide

Debian – How to generate an .asc file from pgp public key

Related Question