docs: add flexible GPG key import from files, URLs and environment variables

chris2k20 · chris2k20 · commit 6e3a7379dda7 · 2025-10-10T12:53:04.000+02:00
diff --git a/docs/README.md b/docs/README.md
@@ -67,6 +67,7 @@ python3 imapbackup.py \
 4. **[Restore Guide](restore-guide.md)** - How to restore emails from backups
 5. **[S3 Configuration](s3-setup.md)** - Setting up S3 storage (MinIO, Hetzner, AWS)
 6. **[GPG Encryption Guide](gpg-setup.md)** - Encrypting your backups
+7. **[GPG Key Import Guide](gpg-key-import.md)** - Flexible GPG key import (files, URLs, environment variables)
 
 ## Common Use Cases
 
@@ -80,9 +81,30 @@ Use cron to schedule daily backups:
   -s imap.example.com -u user@example.com -p @/root/.imap_password -e
 ```
 
-### Backup and Upload to S3 with Encryption
+### Backup and Upload to S3 with Encryption (Easy Method)
 
 ```bash
+# Using flexible key import - no GPG keyring mount needed
+docker run --rm \
+  -v $(pwd)/backups:/data \
+  user2k20/imapbackup \
+  -s imap.example.com -u user@example.com -e \
+  --s3-upload \
+  --s3-endpoint=https://s3.eu-central-1.hetzner.cloud \
+  --s3-bucket=email-backups \
+  --s3-access-key=$S3_KEY \
+  --s3-secret-key=$S3_SECRET \
+  --gpg-encrypt \
+  --gpg-recipient=backup@example.com \
+  --gpg-import-key=https://example.com/keys/backup-public.asc
+```
+
+See [GPG Key Import Guide](gpg-key-import.md) for more examples including environment variables and file paths.
+
+### Backup and Upload to S3 with Encryption (Traditional Method)
+
+```bash
+# Using mounted GPG keyring
 docker run --rm \
   -v $(pwd)/backups:/data \
   -v $(pwd)/.gnupg:/root/.gnupg \
@@ -149,6 +171,10 @@ docker run --rm \
 
 - `--gpg-encrypt` - Enable GPG encryption/decryption
 - `--gpg-recipient=EMAIL` - GPG key ID or email
+- `--gpg-import-key=SOURCE` - Import GPG public key from:
+  - File path: `/path/to/key.asc`
+  - URL: `https://example.com/key.asc`
+  - Environment variable: `env:GPG_PUBLIC_KEY`
 
 ## Requirements
 
diff --git a/docs/backup-guide.md b/docs/backup-guide.md
@@ -184,7 +184,37 @@ docker run --rm \
 
 ## Encrypted Backups
 
-### Backup with GPG Encryption
+### Backup with GPG Encryption (Public Key Auto-Import)
+
+**Recommended**: Use the flexible key import feature - no GPG keyring mount needed for encryption:
+
+```bash
+docker run --rm \
+  -v $(pwd)/backups:/data \
+  user2k20/imapbackup \
+  -s imap.example.com \
+  -u user@example.com \
+  -e \
+  --s3-upload \
+  --s3-endpoint=https://s3.hetzner.cloud \
+  --s3-bucket=secure-backups \
+  --s3-access-key=$S3_KEY \
+  --s3-secret-key=$S3_SECRET \
+  --gpg-encrypt \
+  --gpg-recipient=backup@example.com \
+  --gpg-import-key=https://example.com/keys/backup-public.asc
+```
+
+The `--gpg-import-key` option supports:
+- **File paths**: `--gpg-import-key=/path/to/key.asc`
+- **URLs**: `--gpg-import-key=https://example.com/public-key.asc`
+- **Environment variables**: `--gpg-import-key=env:GPG_PUBLIC_KEY`
+
+For complete examples and workflows, see [GPG Key Import Guide](gpg-key-import.md).
+
+### Backup with GPG Encryption (Traditional Method)
+
+If you prefer mounting your GPG keyring:
 
 ```bash
 docker run --rm \
diff --git a/docs/docker-setup.md b/docs/docker-setup.md
@@ -49,13 +49,25 @@ Example:
 
 ### `/root/.gnupg` - GPG Keyring (Optional)
 
-Required only if using GPG encryption:
+**Method 1**: Use the new `--gpg-import-key` option (no mount needed for encryption):
+
+```bash
+# No GPG volume mount needed when importing public keys
+docker run --rm -v $(pwd)/backups:/data user2k20/imapbackup \
+  -s imap.example.com -u user@example.com -e \
+  --gpg-encrypt --gpg-recipient=backup@example.com \
+  --gpg-import-key=https://example.com/public-key.asc
+```
+
+See [GPG Key Import Guide](gpg-key-import.md) for details.
+
+**Method 2**: Mount GPG keyring (traditional, needed for restore/decryption):
 
 ```bash
 -v ~/.gnupg:/root/.gnupg:ro
 ```
 
-Note: Use `:ro` (read-only) for security if you only need decryption.
+Note: Use `:ro` (read-only) for security. This is required for **restore operations** which need the private key.
 
 ## Environment Variables
 
@@ -153,7 +165,28 @@ docker run --rm \
   --s3-secret-key=YOUR_SECRET_KEY
 ```
 
-### Backup with S3 and GPG Encryption
+### Backup with S3 and GPG Encryption (Flexible Key Import)
+
+**Recommended**: Use `--gpg-import-key` for easier setup:
+
+```bash
+docker run --rm \
+  -v $(pwd)/backups:/data \
+  user2k20/imapbackup \
+  -s imap.example.com \
+  -u user@example.com \
+  -e \
+  --s3-upload \
+  --s3-endpoint=https://play.min.io:9000 \
+  --s3-bucket=encrypted-backups \
+  --s3-access-key=$MINIO_ACCESS_KEY \
+  --s3-secret-key=$MINIO_SECRET_KEY \
+  --gpg-encrypt \
+  --gpg-recipient=backup@example.com \
+  --gpg-import-key=https://example.com/keys/backup-public.asc
+```
+
+**Traditional method** (mount GPG keyring):
 
 ```bash
 docker run --rm \
diff --git a/docs/gpg-setup.md b/docs/gpg-setup.md
@@ -2,6 +2,8 @@
 
 Complete guide for setting up GPG encryption for secure email backups.
 
+> **💡 New Feature**: For Docker users, check out the [GPG Key Import Guide](gpg-key-import.md) for a simpler way to use GPG encryption without mounting keyrings. You can now import public keys from files, URLs, or environment variables using `--gpg-import-key`.
+
 ## Table of Contents
 
 - [Why Use GPG Encryption](#why-use-gpg-encryption)
@@ -208,7 +210,64 @@ gpg --list-secret-keys
 
 ## Using GPG with Docker
 
-### Share GPG Keyring with Container
+### Method 1: Flexible Key Import (Recommended)
+
+**No keyring mount needed** - Import public keys from files, URLs, or environment variables:
+
+```bash
+# From URL (great for automation)
+docker run --rm \
+  -v $(pwd)/backups:/data \
+  user2k20/imapbackup \
+  -s imap.example.com \
+  -u user@example.com \
+  -e \
+  --s3-upload \
+  --s3-endpoint=https://s3.hetzner.cloud \
+  --s3-bucket=encrypted-backups \
+  --s3-access-key=$S3_KEY \
+  --s3-secret-key=$S3_SECRET \
+  --gpg-encrypt \
+  --gpg-recipient=backup@example.com \
+  --gpg-import-key=https://example.com/keys/backup-public.asc
+
+# From environment variable
+export GPG_PUBLIC_KEY=$(cat ~/keys/backup-public.asc)
+docker run --rm \
+  -v $(pwd)/backups:/data \
+  -e GPG_PUBLIC_KEY \
+  user2k20/imapbackup \
+  -s imap.example.com \
+  -u user@example.com \
+  -e \
+  --gpg-encrypt \
+  --gpg-recipient=backup@example.com \
+  --gpg-import-key=env:GPG_PUBLIC_KEY
+
+# From file in Docker image
+docker run --rm \
+  -v $(pwd)/backups:/data \
+  -v $(pwd)/backup-public.asc:/etc/gpg-key.asc:ro \
+  user2k20/imapbackup \
+  -s imap.example.com \
+  -u user@example.com \
+  -e \
+  --gpg-encrypt \
+  --gpg-recipient=backup@example.com \
+  --gpg-import-key=/etc/gpg-key.asc
+```
+
+**Benefits**:
+- No GPG keyring management
+- Public keys are safe to distribute
+- Perfect for containers and automation
+- Works with Kubernetes ConfigMaps
+
+See the [GPG Key Import Guide](gpg-key-import.md) for complete examples and workflows.
+
+### Method 2: Share GPG Keyring with Container (Traditional)
+
+Mount your GPG directory (useful when you have existing keyrings):
 
 ```bash
 # Mount GPG directory (read-only recommended)
@@ -228,6 +287,8 @@ docker run --rm \
   --gpg-recipient=backup@example.com
 ```
 
+**Note**: This method requires managing GPG permissions and is needed for **restore/decryption** (which requires the private key).
+
 ### Fix GPG Permissions
 
 ```bash
