Programster's Blog

Tutorials focusing on Linux, programming, and open-source

Generate GPG Master and Subkeys


I previously talked about moving to using subkeys and why you should do so. Here is a guide on how to generate a new master key and the relevant subkeys.

Create Master Key

gpg2 --full-gen-key
  • Choose (4) RSA (sign only)
  • Use 4096 bit
  • Dont have it expire.

Create Subkey for Signing

gpg --edit-key $MASTER_KEY

At the prompt, enter:

  • Choose RSA sign only key type
  • Choose 4096
  • Choose expirey date
  • Enter the save command

Create Subkey For Encryption

gpg --edit-key $MASTER_KEY

At the prompt, enter:

  • Choose: (6) RSA (encrypt only)
  • Choose 4096
  • Choose expirey date
  • Enter the save command

Backup To Pen Drive

Copy the .gnupg folder to your USB pen drive for safe keeping.

cp -rf $HOME/.gnupg /path/to/pendrive/gnupg

Now lock the pen drive away some place safe and not connected to any computers.

Remove Master Key

Now it's time to remove the master key from our computer to keep it safe.

Because Ubuntu 18.04 ships with GPG 2.2.4 which is > 2.1, we can use the following easy method to remove the master key.

Use the following command to get the Keygrip of your master key:

gpg2 --with-keygrip --list-key $MASTER_KEY_IDENTIFIER

I usually use the email address as the $MASTER_KEY_IDENTIFIER as that is usually simplest.

From the output, you should see the keygrip. Use that to delete the master key file from your .gnupg area.

sudo rm $HOME/.gnupg/private-keys-v1.d/$KEYGRIP.key

Now you can check that you no longer have access to the master key by running:

gpg --list-secret-keys

You should see something like:

sec#  rsa4096 2018-05-13 [SC]
uid           [ultimate] Programster (Programster's Master Key) <>
ssb   rsa4096 2018-05-13 [S] [expires: 2019-05-13]
ssb   rsa4096 2018-05-13 [E] [expires: 2019-05-13]

The fact that it says sec# instead of sec tells us that the key is not really there.


You now have only subkeys on your local computer for performing encryption and signing. In the even of these keys becoming compromised or expiring, dig out the USB key before using the master key to revoke them and generate new ones. You can do this either by overwriting your .gnupg area, or using export GNUPGHOME=/path/to/pendrive/gnupg before running the relevant gpg commands.