Gpg isn't the easiest thing to set up "the right way". I'm not sure this is it. Follow at your own peril, but this is how I did it.
This text is based on [Creating the Perfect GPG Keypair](https://alexcabal.com/creating-the-perfect-gpg-keypair/) by @acabal. Note my examples use full-form parameters for readability.
At the end of this setup we want:
- A GPG keyset
- An exported master private key
- A revocation certificate for the master key
- A signing key for each device you want to encrypt on
- The master key deleted from the local keyring
Start off by running `gpg --gen-key`. Always choose the best encryption you can and double check those assumptions are up-to-date. I recommend:
- Algo? RSA/RSA: From [superior](http://security.stackexchange.com/questions/72581/new-pgp-key-rsa-rsa-or-dsa-elgamal), RSA is preferred to DSA/Elgamal by Linux distros. I trust them to be smarter than me.
- Size? Largest available! Go big or go home.
- Time valid? A year or so. The expiry can be extended later, and in the event you Jimmy Hoffa your revocation cert at least time is on your side.
I disagree with @acabal here and do not recommend a photo since it offers no real extra security and isn't supported in any tools I use.
PGP-compatible clients are supposed to use the first supported preference for Cypher/Digest settings on your key. For some reason GPG doesn't necessarily list these from best to worst. In the following steps we re-arrange the order so they are by strength. This removes the IDEA cypher from any preferences.

```
gpg --edit-key youremail@tempuri.org
# at the gpg> prompt:
setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
save
```
## Creating a Revocation Certificate
If you forget your passphrase or lose your key then this is your last resort to remove it from the public keyservers. Sacrifice whatever in hopes that day never comes lest all 72 people using GPG trust you no more.
`gpg --output youremail@tempuri.org.gpg-revocation-certificate --gen-revoke youremail@tempuri.org`
## Exporting and Backups
Now it's time to export and back up your stuff. Start by exporting your secret keys and then putting them in a safe deposit box.
`gpg --export-secret-keys --armor --output youremail@tempuri.org.private.gpg youremail@tempuri.org`
Next, export your public key for good measure.
`gpg --export --armor --output youremail@tempuri.org youremail@tempuri.org`
Export your subkeys now. **TODO: Export each key individually**
`gpg --export-secret-subkeys --output youremail@tempuri.org.subkeys.gpg youremail@tempuri.org`
## Cleanup
Did you back everything up? Now's the time to really ask yourself that question...
Start by deleting your master key on the local machine from the gpg keyring.
`gpg --delete-secret-key youremail@tempuri.org`
Re-import and then delete your subkeys file (plain `shred` only overwrites the file; `--remove` also unlinks it).

```
gpg --import youremail@tempuri.org.subkeys.gpg
shred --remove youremail@tempuri.org.subkeys.gpg
```
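Two things in this setup are easy to get wrong and hard to see in the normal `gpg -K` output: whether the master secret key really is gone from this machine after the cleanup, and whether every key carries the roughly one-year expiry recommended during key generation. The script below is an added example, not part of the original gist. It parses the machine-readable listing from `gpg --list-secret-keys --with-colons`, where GnuPG marks a stubbed secret key with `#` in field 15 of a `sec`/`ssb` record. The embedded sample listing, its key ids, fingerprints and dates are constructed placeholders.

```python
"""Audit a GnuPG secret keyring after the cleanup step.

Feed it the machine-readable listing from
    gpg --list-secret-keys --with-colons
e.g.  gpg --list-secret-keys --with-colons | python3 audit_keyring.py
Per GnuPG's colon-format documentation, a '#' in field 15 of a sec/ssb
record means only a stub of that secret key is present, which is exactly
what we expect for the master key once it has been deleted and the subkeys
re-imported. The script also flags keys with no expiry or with a validity
period longer than the year recommended above.

SAMPLE_LISTING is constructed for this example; key ids, fingerprints and
dates are placeholders, not real keys.
"""
import sys
from datetime import datetime, timezone

ONE_YEAR_SECONDS = 366 * 24 * 3600  # a day of slack so "exactly one year" passes

SAMPLE_LISTING = """\
sec:u:4096:1:0123456789ABCDEF:1700000000:1731536000::u:::cSC:::#:::23::0:
fpr:::::::::00000000000000000000000000123456789ABCDEF:
uid:u::::1700000000::0000000000000000000000000000000000000000::Bilbo Baggins <youremail@tempuri.org>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1700000000:1731536000:::::s:::+:::23:
ssb:u:4096:1:1111222233334444:1700000000:0:::::e:::+:::23:
"""


def _epoch(value):
    """Colon-format dates are seconds since the epoch; '' or '0' means none."""
    return None if value in ("", "0") else int(value)


def parse_secret_listing(text):
    """Return one dict per sec/ssb record, in listing order."""
    keys = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 15 or fields[0] not in ("sec", "ssb"):
            continue  # fpr/uid/grp/tru records carry nothing we need here
        keys.append({
            "type": fields[0],             # sec = master key, ssb = subkey
            "bits": int(fields[2]),
            "keyid": fields[4],
            "created": _epoch(fields[5]),
            "expires": _epoch(fields[6]),  # None when the key never expires
            "caps": fields[11],            # e/s/c/a usage flags
            "stub": fields[14] == "#",     # secret material not on this machine
        })
    return keys


def audit(keys, now_epoch=None):
    """Return a list of findings; an empty list means the keyring looks right."""
    if now_epoch is None:
        now_epoch = int(datetime.now(timezone.utc).timestamp())
    if not any(k["type"] == "sec" for k in keys):
        return ["no secret master key record found"]
    findings = []
    for k in keys:
        label = f"{k['type']} {k['keyid']} [{k['caps']}]"
        if k["type"] == "sec" and not k["stub"]:
            findings.append(f"{label}: master secret key is still on this machine (expected a stub)")
        if k["type"] == "ssb" and k["stub"]:
            findings.append(f"{label}: subkey secret is missing; re-import the subkeys file")
        if k["expires"] is None:
            findings.append(f"{label}: never expires; set an expiry of about a year")
        else:
            if k["expires"] - k["created"] > ONE_YEAR_SECONDS:
                findings.append(f"{label}: validity period is longer than a year")
            if k["expires"] <= now_epoch:
                expired = datetime.fromtimestamp(k["expires"], tz=timezone.utc)
                findings.append(f"{label}: already expired on {expired:%Y-%m-%d}")
    return findings


if __name__ == "__main__":
    # Read a real listing from a pipe; fall back to the constructed sample.
    listing = SAMPLE_LISTING if sys.stdin.isatty() else sys.stdin.read()
    problems = audit(parse_secret_listing(listing))
    for problem in problems:
        print("WARN", problem)
    if not problems:
        print("OK: master secret key is a stub and all subkeys are usable")
    sys.exit(1 if problems else 0)
```

Run it right after the re-import step; the sample listing deliberately gives the encryption subkey no expiry, so the script reports exactly that and nothing else. A non-zero exit code makes it usable in a shell `&&` chain before you `shred` the subkeys file.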
I made several changes to your gist, but it looks like gists don't support pull requests. You can clone my copy and cherry-pick the changes if you want: https://gist.github.com/smkent/af715a1d53f72ddb054e46b6d2646c19