PGP Keyserver — Cache


Some installations on Linux, such as Docker, require a keyserver to fetch the public key that verifies the signed binaries. This behavior is advantageous on the one hand, but on the other hand it is a hindrance when you are on a network without internet access. The easiest way to handle this is to run an internal PGP keyserver as a cache.

Why do you need a PGP/GPG keyserver cache? If you want some more background on this, check out my YouTube video (4K, forest) called "Why do you need a PGP KeyServer Cache for DevSecOps".

The deployment does not require many resources. A complete dump of the GPG keyserver database is just 13 GB (as of 2020-07-31). There is a list of URLs that offer dumps, most of which are updated at least once a week: https://bitbucket.org/skskeyserver/sks-keyserver/wiki/KeydumpSources.

The installation described here is only suitable as an internal cache and should not be made available externally. There is now a newer project called Hagrid. At this point, I don't want to go into the shortcomings of classic keyservers; for further information, it is best to consult the reports on the Internet. To install the SKS server under Debian 10, please use the following command:

apt-get install sks

Here you should already use the Artifactory Debian repository you set up previously.

SKS Initial Setup

Commissioning requires a one-time initialization process. It is intended to start with the most up-to-date dump of the keyserver database; otherwise, you only have an empty database with which you can do very little. To copy the dump to the server, you can install an OpenSSH server. Simply run apt-get install openssh-server. If you want to work briefly as the user root, you have to set the parameter PermitRootLogin to the value yes in the file /etc/ssh/sshd_config and restart the service.

The complete keyserver dump must be copied to the directory /var/lib/sks/dump on the server. With the commands listed below, the service is initially prepared and the dump imported.

# run as root on the SKS host; the dump files (*.pgp) are already in /var/lib/sks/dump
apt-get install sks net-tools
service sks stop
cd /var/lib/sks                               # sks uses the current directory as its basedir
/usr/sbin/sks build                           # create the (empty) key database
systemctl enable sks.service
echo 'initstart=yes' >/etc/default/sks        # allow the Debian service script to start the daemon
/usr/sbin/sks merge /var/lib/sks/dump/*.pgp -n 10 -cache 100   # import the dump, 10 files at a time, 100 MB cache
/usr/sbin/sks cleandb
/usr/sbin/sks pbuild -cache 20 -ptree_cache 70                 # build the reconciliation prefix tree
chown -R debian-sks:debian-sks /var/lib/sks   # the Debian package runs the daemon as user debian-sks

Start and Test the Installation

As soon as the initial import is complete, the service can be started and finally tested.

systemctl start sks
systemctl status sks

To do this, you request a key that should be included in the official database. I use the key that I also need when installing Docker: 7EA0A9C3F273FCD8

apt-key adv --keyserver hkp://<IP-SKS-Server>:11371 --recv-keys 7EA0A9C3F273FCD8
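As an added example that is not part of the original article, the following Python script checks the cache over the same HKP protocol that apt-key uses above (plain HTTP, /pks/lookup on port 11371, machine-readable index output) and verifies that exactly one key with the expected ID is served and that it is not revoked, disabled or expired. The host, the key ID passed on the command line and the SAMPLE_INDEX reply are assumptions constructed for this example.

```python
import sys
import urllib.parse
import urllib.request

# Constructed sample of an 'op=index&options=mr' reply; layout is pub:<fingerprint>:<algo>:<bits>:<created>:<expires>:<flags>
SAMPLE_INDEX = (
    "pub:0123456789ABCDEF01234567DEADBEEFDEADBEEF:1:4096:1500000000::\n"
    "uid:Example%20Cache%20Test%20%3Ctest%40example.org%3E:1500000000::\n"
    "pub:FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000:1:2048:1400000000::r\n"
)

def normalize_key_id(key_id):
    """Upper-case hex without the 0x prefix; accepts 8, 16 or 40 hex digits."""
    key_id = key_id.strip().upper()
    if key_id.startswith("0X"):
        key_id = key_id[2:]
    if len(key_id) not in (8, 16, 40) or any(c not in "0123456789ABCDEF" for c in key_id):
        raise ValueError("key id must be 8, 16 or 40 hex digits")
    return key_id

def hkp_url(host, key_id, op="index", port=11371):
    """Build the machine-readable HKP lookup URL the cache answers on."""
    query = urllib.parse.urlencode({"op": op, "options": "mr", "search": "0x" + normalize_key_id(key_id)})
    return f"http://{host}:{port}/pks/lookup?{query}"

def parse_index(body):
    """Turn the colon-separated index lines into a list of keys with fingerprint, flags and UIDs."""
    keys = []
    for line in body.splitlines():
        fields = line.split(":")
        if fields[0] == "pub" and len(fields) >= 7:
            keys.append({"fingerprint": fields[1].upper(), "flags": fields[6], "uids": []})
        elif fields[0] == "uid" and keys and len(fields) >= 2:
            keys[-1]["uids"].append(urllib.parse.unquote(fields[1]))
    return keys

def key_is_served(index_body, key_id):
    """True only if exactly one key ending in key_id comes back and it carries no r/d/e (revoked/disabled/expired) flag."""
    wanted = normalize_key_id(key_id)
    hits = [k for k in parse_index(index_body) if k["fingerprint"].endswith(wanted)]
    return len(hits) == 1 and not (set(hits[0]["flags"]) & {"r", "d", "e"})

def check_cache(host, key_id, timeout=5):
    """Ask the cache for the key; SKS answers HTTP 404 when the key is not in its database."""
    with urllib.request.urlopen(hkp_url(host, key_id), timeout=timeout) as resp:
        return key_is_served(resp.read().decode("utf-8", "replace"), key_id)

if __name__ == "__main__":
    host, key_id = sys.argv[1], sys.argv[2]  # e.g. <IP-SKS-Server> 7EA0A9C3F273FCD8
    print("cache OK" if check_cache(host, key_id) else "key missing or unusable")
```

A 404 from the cache after the import means the key is not in the dump you loaded, so the dump is either incomplete or older than the key.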

If you want to use port 80 in addition to the official port, you have to adjust the configuration file named sksconf. The file is located under /etc/sks/ and the parameter to be changed is called use_port_80. Please do not forget to restart the service after the configuration file has been changed.

Happy Coding


Published at DZone with permission of Sven Ruppert. See the original article here.
