https://alexcabal.com/creating-the-perfect-gpg-keypair/
- Create a regular GPG keypair. By default GPG creates one signing subkey (your identity) and one encryption subkey (how you receive messages intended for you).
- Use GPG to add an additional signing subkey to your keypair. This new subkey is linked to the first signing key. Now we have three subkeys.
- This keypair is your master keypair. Store it in a protected place like your house or a safe-deposit box. Your master keypair is the one whose loss would be truly catastrophic.
- Copy your master keypair to your laptop. Then use GPG to remove the original signing subkey, leaving only the new signing subkey and the encryption subkey. This transforms your master keypair into your laptop keypair.
Your laptop keypair is what you’ll use for day-to-day GPG usage.
What’s the benefit to this setup? Since your master keypair isn’t stored on your traveling laptop, that means you can revoke the subkeys on your laptop should your laptop be stolen. Since you’re not revoking the original subkey you created in the master keypair—remember, we removed it from our laptop’s keypair—that means you don’t have to create a new keypair and go through the hassle of getting people to sign it again. You’d still have to revoke the stolen subkey, and the thief could still use the encryption subkey to decrypt any messages you’ve already received, but at least the damage done won’t be as catastrophic.
gpg --gen-key
- Set expiry to zero (never expires)
Note: you could even add a photo to your GPG public key using
gpg --edit-key <email or id>
and at the interactive prompt use the command
gpg> addphoto
then specify the full path /home/integralist/profile.jpg.
gpg --edit-key <email or id>
gpg> setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
gpg --edit-key <email or id>
gpg> addkey
- Select "RSA (sign only)" and 4096 for the keysize
- Key does not expire
gpg> save
gpg --gen-revoke my.email@domain.com
(store somewhere)
gpg --import revocation.cert
(only do when you want to revoke)
gpg --export-secret-keys --armor email@domain.com > secret.gpg-key
gpg --export --armor email@domain.com > public.gpg-key
We have to remove the original signing subkey from the master keypair in our keyring.
- Export all of the subkeys from our new keypair to a file. We first create a RAM-based ramfs temporary folder to prevent our keys from being written to permanent storage. We use ramfs instead of tmpfs or /dev/shm/ because ramfs doesn’t write to swap.
mkdir /tmp/gpg
sudo mount -t ramfs -o size=1M ramfs /tmp/gpg
sudo chown $(logname):$(logname) /tmp/gpg
gpg --export-secret-subkeys email@domain.com > /tmp/gpg/subkeys
- Delete the original signing subkey from the keypair in our keyring:
gpg --delete-secret-key email@domain.com
- Re-import the keys we exported and clean up our temporary file:
gpg --import /tmp/gpg/subkeys
sudo umount /tmp/gpg
rmdir /tmp/gpg
gpg --list-secret-keys
See how the third line begins with sec#, not sec? The pound sign means the signing subkey is not in the keypair located in the keyring.
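A scripted version of this check, added here as an example (it is not from the original article): it reads the machine-readable listing from gpg --list-secret-keys --with-colons, where GnuPG 2.x puts # in field 15 of a sec record when only a stub of the primary secret key is stored. The function name and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a keyring listing for an offline primary secret key.
# Input: records from `gpg --list-secret-keys --with-colons` on stdin.
# Output: one line per secret key record; exit status 1 if any primary
# secret key material is present (i.e. this is not a laptop keypair).
check_primary_offline() {
  awk -F: '
    $1 == "sec" || $1 == "ssb" {
      # Field 5: key ID. Field 12: capabilities. Field 15: "#" = stub only.
      kind  = ($1 == "sec") ? "primary" : "subkey"
      state = ($15 == "#") ? "offline" : "present"
      if ($1 == "sec" && state == "present") bad = 1
      printf "%s %s %s %s\n", kind, $5, $12, state
    }
    END { exit bad + 0 }
  '
}

# Constructed sample records (not real keys).
# Laptop keyring: primary is a stub, encryption and new signing subkeys exist.
LAPTOP_SAMPLE='sec:u:4096:1:AAAAAAAAAAAAAAAA:1400000000:::u:::scESC:::#:::23::0:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1400000000::::::e:::+:::23:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1400000100::::::s:::+:::23:'
# Master keyring: primary secret key material is still present.
MASTER_SAMPLE='sec:u:4096:1:AAAAAAAAAAAAAAAA:1400000000:::u:::scESC:::+:::23::0:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1400000000::::::e:::+:::23:'

# Run with --live to audit the real keyring on this machine.
if [ "${1:-}" = "--live" ]; then
  gpg --list-secret-keys --with-colons | check_primary_offline
fi
```

A non-zero exit status on the laptop means the primary secret key is still in the keyring and the removal step has to be repeated.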
Instead of the whole ramdisk circus, nowadays this should apply in the common case: