Generate GPG Master and Subkeys
I previously talked about moving to using subkeys and why you should do so. Here is a guide on how to generate a new master key and the relevant subkeys.
Create Master Key
gpg2 --full-gen-key
- Choose (4) RSA (sign only)
- Use 4096 bit
- Don't have it expire.
Create Subkey for Signing
gpg --edit-key $MASTER_KEY
At the prompt, enter:
addkey
- Choose RSA sign only key type
- Choose 4096
- Choose expiry date
- Enter the save command
Create Subkey For Encryption
gpg --edit-key $MASTER_KEY
At the prompt, enter:
addkey
- Choose: (6) RSA (encrypt only)
- Choose 4096
- Choose expiry date
- Enter the save command
Backup To Pen Drive
Copy the .gnupg folder to your USB pen drive for safe keeping.
cp -rf $HOME/.gnupg /path/to/pendrive/gnupg
Now lock the pen drive away some place safe and not connected to any computers.
Remove Master Key
Now it's time to remove the master key from our computer to keep it safe.
Because Ubuntu 18.04 ships with GPG 2.2.4 which is > 2.1, we can use the following easy method to remove the master key.
Use the following command to get the Keygrip of your master key:
gpg2 --with-keygrip --list-key $MASTER_KEY_IDENTIFIER
$MASTER_KEY_IDENTIFIER as that is usually simplest.
From the output, you should see the keygrip. Use that to delete the master key file from your .gnupg area.
sudo rm $HOME/.gnupg/private-keys-v1.d/$KEYGRIP.key
Now you can check that you no longer have access to the master key by running:
gpg --list-secret-keys
You should see something like:
sec# rsa4096 2018-05-13 [SC]
2D6C12C2E2D69B63EB4368BD3DDB5179A207DE34
uid [ultimate] Programster (Programster's Master Key) <my.email@domain.com>
ssb rsa4096 2018-05-13 [S] [expires: 2019-05-13]
ssb rsa4096 2018-05-13 [E] [expires: 2019-05-13]
The fact that it says sec# instead of sec tells us that the key is not really there.
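The keygrip lookup and the sec# check above are both done by eye in the post. The following added example (my own code, not from the post) automates them: it parses the human-readable listing printed by gpg2 --with-keygrip --list-secret-keys, returns the primary key's keygrip and the private-keys-v1.d path that the rm command targets, and confirms after deletion that only the primary shows as sec# while every subkey is still present. The listings embedded below are constructed from the post's sample output; the keygrips in them are made-up placeholders, not real values.

```python
import re
import subprocess
from pathlib import Path

# Constructed keygrips (40 hex characters, as gpg prints them); placeholders only.
GRIP_MASTER = "0" * 39 + "1"
GRIP_SIGN = "0" * 39 + "2"
GRIP_ENCR = "0" * 39 + "3"

# Constructed sample of `gpg2 --with-keygrip --list-secret-keys`, modelled on
# the listing in the post, taken BEFORE the master key file is deleted.
SAMPLE_LISTING = f"""\
sec   rsa4096 2018-05-13 [SC]
      2D6C12C2E2D69B63EB4368BD3DDB5179A207DE34
      Keygrip = {GRIP_MASTER}
uid           [ultimate] Programster (Programster's Master Key) <my.email@domain.com>
ssb   rsa4096 2018-05-13 [S] [expires: 2019-05-13]
      Keygrip = {GRIP_SIGN}
ssb   rsa4096 2018-05-13 [E] [expires: 2019-05-13]
      Keygrip = {GRIP_ENCR}
"""

# The same key AFTER $KEYGRIP.key has been removed: gpg prints 'sec#' because
# only a stub of the primary secret key remains, while the subkeys stay 'ssb'.
SAMPLE_AFTER_REMOVAL = SAMPLE_LISTING.replace("sec   rsa4096", "sec#  rsa4096", 1)

# 'sec' / 'ssb' record lines; a trailing '#' marks a secret key that is absent.
KEY_LINE = re.compile(r"^(sec#?|ssb#?)\s+(\S+)\s+(\d{4}-\d{2}-\d{2})\s+\[([A-Z]+)\]")
KEYGRIP_LINE = re.compile(r"^\s+Keygrip = ([0-9A-F]{40})\s*$")


def parse_secret_listing(text):
    """Return one dict per sec/ssb record: kind, whether the secret material is
    present, algorithm, usage flags ([SC], [S], [E]) and the keygrip that follows."""
    records = []
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            tag = m.group(1)
            records.append({
                "kind": "primary" if tag.startswith("sec") else "subkey",
                "present": not tag.endswith("#"),
                "algo": m.group(2),
                "usage": m.group(4),
                "keygrip": None,
            })
            continue
        g = KEYGRIP_LINE.match(line)
        if g and records:
            # A Keygrip line belongs to the sec/ssb record printed just above it.
            records[-1]["keygrip"] = g.group(1)
    return records


def master_keygrip(text):
    """Keygrip of the single primary key in the listing (the value for $KEYGRIP)."""
    primaries = [r for r in parse_secret_listing(text) if r["kind"] == "primary"]
    if len(primaries) != 1:
        raise ValueError("expected exactly one primary key in the listing, got %d" % len(primaries))
    if primaries[0]["keygrip"] is None:
        raise ValueError("no Keygrip line found; run gpg with --with-keygrip")
    return primaries[0]["keygrip"]


def master_key_file(text, gnupghome):
    """Path of the private key file that `rm $HOME/.gnupg/private-keys-v1.d/$KEYGRIP.key` deletes."""
    return Path(gnupghome) / "private-keys-v1.d" / (master_keygrip(text) + ".key")


def master_key_removed(text):
    """True only when the primary shows as sec# AND every subkey is still present,
    i.e. the right file was deleted and nothing else was lost."""
    recs = parse_secret_listing(text)
    primary = [r for r in recs if r["kind"] == "primary"]
    subkeys = [r for r in recs if r["kind"] == "subkey"]
    return bool(primary) and not primary[0]["present"] and all(s["present"] for s in subkeys)


if __name__ == "__main__":
    # Live run against the local keyring (needs gpg installed); falls back to the
    # constructed samples so the script still demonstrates itself offline.
    try:
        live = subprocess.run(["gpg", "--with-keygrip", "--list-secret-keys"],
                              capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        live = SAMPLE_AFTER_REMOVAL
    for rec in parse_secret_listing(live):
        print(rec)
    print("master key removed, subkeys intact:", master_key_removed(live))
```

Usage: pipe the real output of gpg2 --with-keygrip --list-secret-keys $MASTER_KEY_IDENTIFIER into master_key_file() to get the exact path to delete, then re-run the listing afterwards and check master_key_removed(); a False result means either the stub is not a stub (sec rather than sec#) or one of the subkeys has also gone missing.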
Conclusion
You now have only subkeys on your local computer for performing encryption and signing. In the event of these keys becoming compromised or expiring, dig out the USB key before using the master key to revoke them and generate new ones.
You can do this either by overwriting your .gnupg area, or using export GNUPGHOME=/path/to/pendrive/gnupg before running the relevant gpg commands.
First published: 16th August 2018