
goerz / gpg-serve-key

Licence: MIT license
Serve a public/private GPG key over https

Programming Languages

python

gpg-serve-key

This script lets you transfer a public/private GPG key from a server to another device when the only channel available between them is https. In general this should not be the first choice: if you have ssh access, for example, a better way to transfer the key is

ssh user@remote gpg2 --export-secret-key KEYID | gpg2 --import

However, transfer over https is usually a better choice than, e.g., emailing an exported secret-key file to yourself. The particular use case that motivated this script was importing a secret key into the Pass iOS app.

While serving the key over https in principle makes it reachable by anyone, the script takes several measures to protect it:

  • The key is read directly through a pipe from the gpg executable. The secret key is never written to disk.

  • The server encrypts the connection with TLS (that is, it speaks https) by default. This adds the overhead of needing a valid certificate for the public hostname under which the server is reached, but it is essential: without it the key could be sniffed in transit. For use within a trusted network the encryption can be disabled, although you are strongly discouraged from doing so.

  • The key is exposed at a URL that contains a random token, on a random port number (by default), e.g. for the KEYID 57A6CAA6

    https://michaelgoerz.net:47409/v1f4Y7XixMQ/57A6CAA6-secret.key
    
  • Brute-forcing the token is made impractical by rate limiting: the delay imposed after an invalid request grows exponentially.

  • The server responds with HTTP headers that instruct the client not to cache the key.

  • The server logs every served request. This makes it possible to monitor for unexpected access and, as a last resort, to detect that the key has been compromised.
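The protections listed above are easy to get subtly wrong (a predictable token, a timing-leaky comparison, a counter that never resets, a key that lands in a temp file). The following is an added example, written for this page and not code from the gpg-serve-key project, that models each measure in a few dozen lines: the token comes from the OS CSPRNG, the secret key is read from gpg's stdout pipe and kept only in memory, the response delay doubles after every invalid request, every reply carries no-cache headers, every request is logged, and the TLS server binds to port 0 so the OS picks a random free port. The names `make_token`, `export_secret_key`, `Backoff`, `KeyServer` and `serve` are invented here; the key material in the usage line is whatever `gpg2` exports for the given KEYID.

```python
import secrets
import ssl
import subprocess
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List, Optional, Tuple

# Headers that tell the client (and any intermediary) not to keep a copy of the key.
NO_CACHE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate, max-age=0",
    "Pragma": "no-cache",
    "Expires": "0",
}


def make_token(nbytes: int = 8) -> str:
    """URL-safe random path component from the OS CSPRNG (never the `random` module)."""
    return secrets.token_urlsafe(nbytes)


def export_secret_key(keyid: str, gpg: str = "gpg2") -> bytes:
    """Read the ASCII-armored secret key straight from gpg's stdout; nothing touches disk."""
    proc = subprocess.run(
        [gpg, "--batch", "--armor", "--export-secret-keys", keyid],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, check=True)
    if not proc.stdout:
        raise RuntimeError("gpg exported nothing for %s (not in the keyring?)" % keyid)
    return proc.stdout


class Backoff:
    """The delay for each invalid request doubles; a valid request resets it."""

    def __init__(self, base: float = 1.0, cap: float = 3600.0) -> None:
        self.base, self.cap, self.failures = base, cap, 0

    def record(self, ok: bool) -> float:
        """Update the failure counter and return the seconds to sleep before replying."""
        if ok:
            self.failures = 0
            return 0.0
        self.failures += 1
        return min(self.base * 2 ** (self.failures - 1), self.cap)


class KeyServer:
    """Request logic with no sockets involved: path -> (status, headers, body, delay)."""

    def __init__(self, files: Dict[str, bytes], token: Optional[str] = None) -> None:
        self.token = token or make_token()
        self.files = files                      # e.g. {"57A6CAA6-secret.key": b"..."}
        self.backoff = Backoff()
        self.log: List[Tuple[float, str, int]] = []

    def handle(self, path: str) -> Tuple[int, Dict[str, str], bytes, float]:
        parts = path.strip("/").split("/")
        # Constant-time comparison so response timing does not leak a partial token match.
        ok = (len(parts) == 2
              and secrets.compare_digest(parts[0].encode(), self.token.encode())
              and parts[1] in self.files)
        delay = self.backoff.record(ok)
        status = 200 if ok else 404
        self.log.append((time.time(), path, status))   # every request is logged
        headers = dict(NO_CACHE_HEADERS)
        if ok:
            headers["Content-Type"] = "application/pgp-keys"
            return status, headers, self.files[parts[1]], delay
        return status, headers, b"not found\n", delay


def serve(keyserver: KeyServer, host: str, certfile: str, keyfile: str) -> HTTPServer:
    """Bind a TLS server on a random free port (port 0) and return it; call serve_forever() on it."""

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self) -> None:
            status, headers, body, delay = keyserver.handle(self.path)
            time.sleep(delay)                   # the rate-limiting penalty
            self.send_response(status)
            for name, value in headers.items():
                self.send_header(name, value)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

    httpd = HTTPServer((host, 0), Handler)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)      # the certificate for the public hostname
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    return httpd


if __name__ == "__main__":
    keyid = "57A6CAA6"                          # hypothetical KEYID, as in the README
    ks = KeyServer({keyid + "-secret.key": export_secret_key(keyid)})
    httpd = serve(ks, "michaelgoerz.net", "cert.pem", "privkey.pem")
    print("https://michaelgoerz.net:%d/%s/%s-secret.key"
          % (httpd.server_address[1], ks.token, keyid))
    httpd.serve_forever()
```

Two design points worth noting. The token is compared with `compare_digest` rather than `==`, so an attacker cannot shave the search space by measuring how far into the token the comparison got. And the backoff is applied inside a single-threaded `HTTPServer`, so while a penalty is being slept off, no other request is served either; that is exactly the behaviour you want from a server whose only job is to hand one key to one device.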

Through the --serve-file option, additional files can be served alongside the GPG key (e.g. a private SSH key).

Requirements

  • Python >= 3.5
  • click package
  • A server that is reachable under a public hostname, with GPG installed and the private key for the KEYID to be exported in its keyring
  • A TLS (SSL) certificate for the public hostname. It is recommended to use Let's Encrypt. You may reuse the certificate of a web server already running on the host

Usage

Run the script directly as e.g.

./gpg-serve-key \
    --cert-file=/etc/letsencrypt/live/michaelgoerz.net/cert.pem \
    --key-file=/etc/letsencrypt/live/michaelgoerz.net/privkey.pem \
    --host=michaelgoerz.net 57A6CAA6

See ./gpg-serve-key --help for more details.

This starts a temporary web server on a random port and serves both the public and the secret key at URLs such as

https://michaelgoerz.net:47409/v1f4Y7XixMQ/57A6CAA6-public.key
https://michaelgoerz.net:47409/v1f4Y7XixMQ/57A6CAA6-secret.key

After importing the keys from these URLs on the other device, stop the server with ctrl+c.
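On the receiving side the two things to get right are that the download really goes over verified https (no `curl -k`, no scheme downgrade) and that what landed in the keyring is the key you meant to move. The following is an added example for this page, not part of gpg-serve-key, showing that client-side check in Python: it refuses non-https URLs, fetches with the default verifying TLS context, pipes the result into `gpg2 --import`, and then parses `gpg2 --with-colons --fingerprint` output to confirm the expected fingerprint is now present as a secret key. The function names `parse_fingerprints`, `fetch_key` and `import_and_verify` are invented here, and the `--with-colons` sample in the test is constructed, not real output.

```python
import ssl
import subprocess
import urllib.request
from typing import List
from urllib.parse import urlparse


def parse_fingerprints(colons_output: str) -> List[str]:
    """Return the fingerprints from `gpg --with-colons` output.

    Each `fpr` record carries the fingerprint in field 10 (index 9).
    """
    fprs = []
    for line in colons_output.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9 and fields[9]:
            fprs.append(fields[9].upper())
    return fprs


def fetch_key(url: str) -> bytes:
    """Download the key, refusing anything but https and keeping certificate verification on."""
    scheme = urlparse(url).scheme
    if scheme != "https":
        raise ValueError("refusing to fetch a secret key over %s" % (scheme or "an unknown scheme"))
    ctx = ssl.create_default_context()      # verifies the chain and the hostname
    with urllib.request.urlopen(url, context=ctx, timeout=30) as resp:
        return resp.read()


def import_and_verify(url: str, expected_fpr: str, gpg: str = "gpg2") -> str:
    """Pipe the downloaded key into gpg --import and confirm a secret key with the expected fingerprint exists."""
    expected = expected_fpr.replace(" ", "").upper()
    key = fetch_key(url)                    # stays in memory; never written to a file
    subprocess.run([gpg, "--batch", "--import"], input=key, check=True)
    out = subprocess.run(
        [gpg, "--batch", "--with-colons", "--fingerprint", "--list-secret-keys", expected],
        stdout=subprocess.PIPE, stderr=subprocess.PIPE, check=True).stdout.decode()
    if expected not in parse_fingerprints(out):
        raise RuntimeError("no secret key with fingerprint %s after import" % expected)
    return expected


if __name__ == "__main__":
    # Hypothetical URL and fingerprint; the URL shape follows the README's example.
    print(import_and_verify(
        "https://michaelgoerz.net:47409/v1f4Y7XixMQ/57A6CAA6-secret.key",
        "0123 4567 89AB CDEF 0123  4567 89AB CDEF 57A6 CAA6"))
```

Listing with `--list-secret-keys` rather than `--list-keys` is deliberate: a public-key import would also satisfy a plain fingerprint check, and the whole point of the transfer is that the secret part arrived.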
