Import multiple OpenPGP keys using the gpg command

1

Is there a way to non-interactively look up and bulk import a list of gpg keys on a public keyserver?

I work in the IT department of a company and would like to use a command to import the public keys of all the email addresses associated with our domain without needing to select each key one at a time.

I've been able to look up keys and import them one at a time using the gpg command:

gpg --keyserver pgp.mit.edu --search-keys '@domain.com'

Replacing 'domain.com' with our domain, obviously. Once the keyserver loads all the keys I am able to select multiple keys by typing in '1, 2, 3,...' for as many keys as I want. Kind of tedious, but not bad.

I haven't found a way to import them all, or if that is even possible.

I checked the gpg man page for any additional information but couldn't find any flags that would do exactly what I wanted. I tried the above command in combination with the --receive-keys flag; however, it seems that you need to specify a key id in order to receive them, which, again, results in needing to import the keys one at a time.

The thought has crossed my mind that maybe gpg does not have a mechanism to bulk import for security precautions which would make sense to a degree. If that's the case I would totally understand that but have not found anything documenting that.

L. Spencer Heywood

Posted 2017-11-01T23:22:56.217

Reputation: 11

Answers

0

There is no way to search for multiple keys at the same time, but you should not fetch keys based on UIDs anyway! Key servers do not perform any kind of identity verification; just search the key servers for president@whitehouse.gov for an example. The "lack" of features is probably on purpose, to prevent exactly this from happening.

Instead, use the keys' fingerprints to access readily-verified keys: maintain a list of your department's keys' fingerprints, and use gpg --recv-keys to fetch them from a keyserver of your choice. Or simply import the keys from a file. If you're looking for an unattended solution, you obviously have a proper configuration management/orchestration system in place anyway.

At the same time, you should also consider putting some "certificate authority" system in place (for example a department key trusted on all the computers and used to issue certificates on the individual keys), so you can actually make use of the imported keys.

Jens Erat

Posted 2017-11-01T23:22:56.217

Reputation: 14 141

If this answered your question, consider selecting the checkmark on the left instead of posting "thank you" comments (also have a look at the [FAQ] for details). – Jens Erat – 2017-11-02T21:09:39.170