Never put secret keys on a machine that reaches the internet. Store daily-use keys in a black box that does crypto for you, and store master key in disconnected offline storage.
In broad strokes, you will want to
- print out instructions
- initialize your smart card (often a Yubikey 4)
- on secure, disconnected machine,
- initialize gpg
- create master key
- create three subkeys
- save public and full seret keyring to disconnectable storage, and label it with warnings
- save subkeys to smart card
- save public keys and stub secret keyring to other storage
- shut down
- on normal machine
- initialize gpg
- import public keys and stub secret keyring
- practice signing, encrypting, and adjust smart-card preferencesto to suit
- on new secure, disconnected machine, without smart-card connected
- practice revoking keys
- practice generating new subkeys
- make notes on instructions
- shut down
- put instructions and master-key storage in a box and put it somewhere you trust to be safe
You'll want to know what and why in 5 years. It's worth nanomurdering a tree to have a physical note.
...
Download Tails and verify the image is signed by someone in your trust circle. (This takes an assertion of trustworthiness in the machine sitting in front of you. Bootstrapping trust is hard. Use a machine you have some confidence in, to download and verify.)
...
Boot Tails. Make a GPG config file that defines a better cert-digest-algo. ...