I guess this question falls under “best practices” for PGP keys. First a very quick background. I lead an open source project, and have been getting numerous requests to publish to the “Apache Maven” repository. To do this, I need to sign each release with a PGP key.
So I used PGP and generated a public/private key on my local computer. I exported and encrypted the “secret key” and transferred it to my “build server”. The build server refuses to import the key, saying it is invalid. Further analysis lead me to believe that because our build server runs under a different user id than I used on my local computer, they are incompatible.
I would have thought, that since the PGP key pair is tied to my name, that I as a person should only own ONE PGP key? But is this really the case? Should I be generating one per machine? And just use the import/export to back them up? I can do this just fine, its when I try to replicate a PGP secret key over several machines it开发者_运维知识库 just seems really difficult and as though I am maybe using PGP in the wrong way. Namely, I am thinking I create one key for myself and copy it to the build server, maybe also use it to encrypt email from myself(should I need to do it), etc.
It is not unusual to have more than one PGP key. Especially if you fulfill different roles.
An example
At key signing parties, it often happens that participants present several PGP keys. One for private communication, one for signing releases at one project, another one for signing at a different project, etc.
If I understand your posting correctly,
I exported and encrypted the “secret key” and transferred it to my “build server”. The build server refuses to import the key, saying it is invalid.
it sounds like your problem is that you encrypted your secret key before trying to import it. You should of course keep your secret key secret, and keep it in a directory protected with strict permissions (e.g., "chmod 600 secring.gpg if you're using GPG). But you should not encrypt the key before you import it. If you think deeply about this for a moment, it will become clear: PGP is trying to import the secret half of a key pair so that it can (among other things) decrypt messages encrypted using the public half of that key pair. But if you have encrypted the secret key (or any file for that matter) using the (or any) public key, then the PGP program does not know how to decrypt that secret key you're trying to import. Fundamentally, the key is not a key; it is an encrypted file/message. The key should not be encrypted before importing. In fact the only situation when a secret key should be encrypted is if you need to store it somewhere (else) securely, like as an emergency backup on a USB fob you keep stashed somewhere.
Also, it is possible, and not really unusual, to have more than one secret key or ID, or both, for encrypting files and messages for various (possibly unrelated) purposes. I hope this helps...belatedly.
精彩评论