Synchronize GnuPG 1.4 and GnuPG 2.1 keychains

Tags: gnupg, gpg-agent, openpgp, pgp, sync

While importing my keys to GnuPG on a new system, I considered the following:

Question

  1. Is it possible to synchronize the gpg and gpg2 (gpg2.1) keychains?
  2. Is it wise to do so?

Considering

I found this answer to "Are GnuPG 1 and GnuPG 2 compatible with each other?", which states the following:

An important change came with GnuPG 2.1, which combines the formerly separated public and private keyrings (pubring.gpg vs. secring.gpg) into the public keyring. This has been implemented in a manner keeping things compatible, so you can still use GnuPG 1 when GnuPG 2.1 integrated the private keyring, but changes to the private keys will not show up for the respective other implementation. From the changelog:

[…] allows co-existence of older GnuPG versions with GnuPG 2.1. However, any change to the private keys using the new gpg will not show up when using pre-2.1 versions of GnuPG and vice versa.

Synchronisation on the file level is not an option, and there also seems to be no built-in mechanism to sync the chains.

Am I safe to just export all public and secret keys from gpg and import them via gpg2 (cron job etc.) and vice versa, or could this have unforeseen consequences?

Solution

I did not automate the key synchronisation but transferred all keys from my gpg keychain to the gpg2 keychains and symlinked gpg2 to gpg to make sure I always use gpg2. This seems to be a better solution than holding all keys in different keyrings.

# public keys, then secret keys, from the GnuPG 1 keyring into GnuPG 2
gpg --export | gpg2 --import
gpg --export-secret-keys | gpg2 --import
# keep the old binary reachable as gpg1 and make "gpg" resolve to gpg2
sudo mv /usr/bin/gpg /usr/bin/gpg1
sudo ln -s /usr/bin/gpg2 /usr/bin/gpg

Best Answer

  • Synchronization through exporting and importing is safe, but be aware GnuPG cannot merge secret subkeys but starting with GnuPG 2.1 -- so if you change anything with the subkeys in GnuPG 2.1, you'd have to delete the whole key in GnuPG 1 before importing. The other way round should be safe, though. I'm not sure if you have to export/import ownertrust for this synchronization process.

    To take advantage of GnuPG 2.1's new feature (for example ECC keys, ...), I'd rather try not to use GnuPG 1 though, and symlink gpg2 to gpg instead. Generally they should be compatible, unless other applications interface GnuPG in a way they shouldn't. If you have any issues, going back would be easy (or simply keep gpg as gpg1 to keep GnuPG 1, but change the default to GnuPG 2.x).
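The following script is an added example, not part of the question or of the answer above. It carries out the one-way sync that the question's solution performs (GnuPG 1 into GnuPG 2.1) and adds the two things the answer raises: the ownertrust database is exported and imported alongside the keys, and the result is verified by listing any primary-key fingerprints present in gpg's keyring but absent from gpg2's. The reverse direction (2.1 back into 1.x) is deliberately left out, because the answer notes that GnuPG 1 cannot merge secret subkeys changed under 2.1 without first deleting the key. It assumes `gpg` (1.4) and `gpg2` are both on PATH and share the default GNUPGHOME; the function names and the colon-format sample listings used for testing are constructed for this example.

```shell
#!/bin/sh
# Added example: sync a GnuPG 1 keyring into GnuPG 2.1 and verify the result.
# Assumes `gpg` is GnuPG 1.4 and `gpg2` is GnuPG 2.1 (both on PATH).
set -eu
LC_ALL=C
export LC_ALL

# Extract primary-key fingerprints from `--list-keys --with-colons` output.
# In colon format an "fpr" record directly follows its "pub" (or "sub")
# record, so only the fpr immediately after a "pub" line is kept; subkey
# fingerprints and the "grp" keygrip records GnuPG 2.1 emits are skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }
             $1 != "fpr" { want = 0 }' | sort -u
}

# Print primary fingerprints found in the first listing but not in the second.
# Usage: missing_fprs "<gpg colon listing>" "<gpg2 colon listing>"
missing_fprs() {
    tmp_a=$(mktemp)
    tmp_b=$(mktemp)
    printf '%s\n' "$1" | primary_fprs > "$tmp_a"
    printf '%s\n' "$2" | primary_fprs > "$tmp_b"
    comm -23 "$tmp_a" "$tmp_b"   # lines unique to the first (sorted) file
    rm -f "$tmp_a" "$tmp_b"
}

# One-way sync: GnuPG 1 keyring -> GnuPG 2.1 keyring and agent.
# Ownertrust is copied too; key material alone does not carry trust values.
sync_gpg1_to_gpg2() {
    gpg --export | gpg2 --import
    gpg --export-secret-keys | gpg2 --import
    gpg --export-ownertrust | gpg2 --import-ownertrust
    # Any fingerprint printed here is a primary key gpg2 still lacks.
    missing_fprs "$(gpg --list-keys --with-colons)" \
                 "$(gpg2 --list-keys --with-colons)"
}

# Only touch real keyrings when explicitly asked for (./sync.sh --sync).
if [ "${1:-}" = "--sync" ]; then
    sync_gpg1_to_gpg2
fi
```

Run it as `sh sync.sh --sync`; an empty verification listing means every primary key known to GnuPG 1 is now present in GnuPG 2.1. Because secret keys imported into 2.1 move into gpg-agent rather than a secring.gpg file, pinentry may ask for the passphrase of each secret key during the second import.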