[GPG Security Best Practice] #gpg #security #encryption

GPG Security Best Practice.md

Concept

https://alexcabal.com/creating-the-perfect-gpg-keypair/

1. Create a regular GPG keypair. By default GPG creates one signing subkey (your identity) and one encryption subkey (how you receive messages intended for you).

2. Use GPG to add an additional signing subkey to your keypair. This new subkey is linked to the first signing key. Now we have three subkeys.

3. This keypair is your master keypair. Store it in a protected place like your house or a safe-deposit box. Your master keypair is the one whose loss would be truly catastrophic.

4. Copy your master keypair to your laptop. Then use GPG to remove the original signing subkey, leaving only the new signing subkey and the encryption subkey. This transforms your master keypair into your laptop keypair.

Your laptop keypair is what you’ll use for day-to-day GPG usage.

What’s the benefit to this setup? Since your master keypair isn’t stored on your traveling laptop, that means you can revoke the subkeys on your laptop should your laptop be stolen. Since you’re not revoking the original subkey you created in the master keypair—remember, we removed it from our laptop’s keypair—that means you don’t have to create a new keypair and go through the hassle of getting people to sign it again. You’d still have to revoke the stolen subkey, and the thief could still use the encryption subkey to decrypt any messages you’ve already received, but at least the damage done won’t be as catastrophic.

Step by Step

Generate Key

• gpg ‐‐gen-key
• Set expiry to zero (never expires)

Note: you could even add a photo to your GPG public key using gpg ‐‐edit-key <email or id> and at the interactive prompt use the command gpg> addphoto then specify full path /home/integralist/profile.jpg.

Extra secure hashes (optional)

• gpg ‐‐edit-key <email or id>
• gpg> setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

Create 'signing' subkey

• gpg ‐‐edit-key <email or id>
• gpg> addkey
• Select "RSA (sign only)" and 4096 for the keysize
• Key does not expire
• gpg> save

Create 'revocation' certificate

• gpg --gen-revoke my.email@domain.com (store somewhere)
• gpg --import revocation.cert (only do when you want to revoke)

Export for Backups

• gpg --export-secret-keys --armor email@domain.com > secret.gpg-key
• gpg --export --armor email@domain.com > public.gpg-key

Now remove master key pair

We have to remove the original signing subkey from the master keypair in our keyring.

1. Export all of the subkeys from our new keypair to a file. We first create a RAM-based ramfs temporary folder to prevent our keys from being written to permanent storage. We use ramfs instead of tmpfs/ or /dev/shm/ because ramfs doesn’t write to swap.

mkdir /tmp/gpg
sudo mount -t ramfs -o size=1M ramfs /tmp/gpg
sudo chown $(logname):$(logname) /tmp/gpg
gpg --export-secret-subkeys email@domain.com > /tmp/gpg/subkeys

2. Delete the original signing subkey from the keypair in our keyring:

gpg --delete-secret-key email@domain.com

3. Re-import the keys we exported and clean up our temporary file:

gpg --import /tmp/gpg/subkeys
sudo umount /tmp/gpg
rmdir /tmp/gpg

4. gpg --list-secret-keys: see how the third line begins with sec#, not sec? The pound sign means the signing subkey is not in the keypair located in the keyring.

Instead of the whole ramdisk circus, nowadays this should apply in the common case:

If you are using GnuPG 2.1 or later, all you have to do is to delete the file $HOME/.gnupg/private-keys-v1.d/KEYGRIP.key, where KEYGRIP is the "keygrip" of the primary key which can be found by running gpg2 --with-keygrip --list-key YOURPRIMARYKEYID.