How to full git setup in home-manager or else

Ok, I read a lot of stuff, and in one guide I found information that I don’t need the primary key on my system and that it’s actually better to have it only on cold storage. With the information that you just provided I start to feel confused. Do I need my primary key present on the machine and referred to in gpg, or do I only need to refer to it?

You can have the subkeys on your system without having the primary key usable, but it still needs to be listed, and you still refer to it. It’s there, just rendered (fundamentally) unusable. I no longer remember how exactly you go about it, I’m afraid.
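One way to verify the state described above (subkeys usable, primary key present only as an unusable stub), as an added example that is not part of this thread: it parses the colon-delimited listing produced by `gpg --with-colons --list-secret-keys`, where field 15 of a `sec`/`ssb` record is `#` when only a stub of the secret key exists. The sample listing, key ids and fingerprint below are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: inspect the machine-readable
# secret-key listing to tell an offline (stub) primary key from a usable one.
# Run against a real keyring with:
#   primary_key_status "$(gpg --with-colons --list-secret-keys)"

# Constructed sample: primary key is a stub (field 15 = "#"), two usable subkeys.
SAMPLE_LISTING='sec:u:4096:1:0123456789ABCDEF:1700000000:::u:::cESCA:::#:::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
ssb:u:4096:1:FEDCBA9876543210:1700000000::::::s:::+:::23:
ssb:u:4096:1:1122334455667788:1700000000::::::e:::+:::23:'

# primary_key_status LISTING
#   prints "offline" if the sec record is a stub (field 15 is "#"),
#   "present" if the secret primary key is available (anything else),
#   "missing" if the listing has no sec record at all.
primary_key_status() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "sec" {
            found = 1
            if ($15 == "#") print "offline"; else print "present"
            exit
        }
        END { if (!found) print "missing" }'
}

# usable_subkeys LISTING
#   prints, space-separated on one line, the key ids of ssb records whose
#   secret part is not a stub (on-disk or on a token both count as usable).
usable_subkeys() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "ssb" && $15 != "#" { printf "%s%s", (n++ ? " " : ""), $5 }
        END { print "" }'
}
```

In the human-readable `gpg -K` output the same condition shows up as `sec#` on the primary key line.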

Ok, thanks. Probably my last questions:

  1. How does gpg figure out which key to use from the default key-id (does it do a linear search through all registered keys? I’m just curious)?
  2. How do you install your keys on your system? I notice that you use git-crypt, but it’s still not clear to me.

  1. I don’t know.
  2. Currently I have them handled manually. They’re not deployed through my configuration.

Git-crypt uses the gpg keys, so it would be a chicken and egg problem if the gpg keys were also deployed that way.

More importantly, git-crypt only protects things from public viewing via GitHub and the like. On my local filesystem, the files are world-readable in decrypted form. So it’s only viable for low-importance secrets. I mostly use it to protect information that’s simply private, rather than “secret”, such as the list of RSS feeds I follow. It’s not a big deal if that gets out, I just don’t particularly care to advertise that information to the world.

I also use it for my password hashes, but only because I know my passwords are pretty secure against brute forcing the hash, and I haven’t yet had any other reason to set up a proper secret management system like sops-nix or agenix.
