@gwarf

gwarf/GPG_Kungfu.md

Last active Jan 21, 2020
# GPG Kung-fu

Goal: replacing a 13-year-old DSA1024 GPG key with a new, longer RSA4096 key.

The master key is used to create (and certify) subkeys; the subkeys do the real work (signing, encryption, ...).

- Using GPG subkeys
- How
- Why

## Creating a new key with a long key size

```console
# RSA, 4096 bits, no expiration
# This will create a master key with a subkey for encryption
gpg --full-gen-key
```

## Creating, trusting and changing usage of a new subkey

```console
gpg --edit-key $NEW_KEY
gpg> addkey
# (4) RSA (sign only)
4
# key size in bits
4096
# 0 = key does not expire
0
# select the new (second) subkey
gpg> key 2
# ownertrust is a property of the whole key, not of the selected subkey
gpg> trust
# 5 = ultimate
5
gpg> change-usage
# toggle the Encrypt flag
E
# toggle the Authenticate flag
A
# Finished: leave the toggle menu, otherwise the next command is swallowed by it
Q
gpg> save
```

## Signing the new key with the old one

```console
# -u selects the key that makes the signature (the edit-key "sign" command takes no key argument)
gpg -u $OLD_KEY --edit-key $NEW_KEY
gpg> sign
gpg> save
```

## Signing old key with new key to make a link between keys

```console
# -u selects the key that makes the signature
gpg -u $NEW_KEY --edit-key $OLD_KEY
gpg> sign
gpg> save
```

## Setting digest preferences for keys and subkeys so that SHA1 is only a last resort

GnuPG implicitly appends SHA1 (and 3DES) to every preference list, so listing the SHA-2 digests explicitly pushes SHA1 to the end.

```console
gpg --edit-key $NEW_KEY
gpg> showpref
# setpref rewrites the self-signature on the user IDs (all of them when none is selected)
gpg> setpref AES256 AES192 AES 3DES SHA512 SHA384 SHA256 SHA224 ZLIB BZIP2 ZIP Uncompressed
gpg> key 2
gpg> setpref AES256 AES192 AES 3DES SHA512 SHA384 SHA256 SHA224 ZLIB BZIP2 ZIP Uncompressed
gpg> save
```

```console
gpg --edit-key $OLD_KEY
gpg> showpref
gpg> setpref AES256 AES192 AES 3DES SHA512 SHA384 SHA256 SHA224 ZLIB BZIP2 ZIP Uncompressed
gpg> key 2
gpg> setpref AES256 AES192 AES 3DES SHA512 SHA384 SHA256 SHA224 ZLIB BZIP2 ZIP Uncompressed
gpg> save
```

## Configuring the default key

In ~/.gnupg/gpg.conf:

```
default-key $NEW_SUBKEY
```

## Adding required identities to the new key

```console
gpg --edit-key $NEW_KEY
gpg> uid
# adduid prompts for real name, e-mail address and comment
gpg> adduid
# select the newly added user ID
gpg> uid 2
gpg> trust
# 5 = ultimate
5
gpg> save
```

## Backing up the new key

```console
# Export public key
gpg --export --armor --output new-pubkey.gpg $NEW_KEY
# Export secret key (master key and subkeys)
gpg --export-secret-keys --armor --output new-secretkey.gpg $NEW_KEY
# Export secret subkeys only (this is what the laptops get)
gpg --export-secret-subkeys --armor --output new-secret-subkeys.gpg $NEW_KEY
```

Save it to a secure place.

## Generating a revocation certificate for the new key

```console
gpg --output new-revoke.asc --armor --gen-revoke $NEW_KEY
```

Save it to a secure place.

## Publishing all keys

```console
gpg --send-keys $NEW_KEY $OLD_KEY
```

## Additional steps

Removing the master key from laptops and keeping it only in a trusted place.

```console
# deletes the whole secret key (master key and subkeys) from this machine
gpg --delete-secret-keys $NEW_KEY
# subkeys.gpg is the file produced with --export-secret-subkeys above
gpg --import subkeys.gpg
# The secret master key should now show as sec# (with a #)
gpg -K $NEW_KEY
```
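To check that this worked on a laptop, the following shell snippet is an added example (not part of the gist) that parses the machine-readable output of `gpg --with-colons -K`: field 15 of a `sec`/`ssb` record is `#` when the secret key is unavailable and `+` when it is present, and field 12 lists the key's capabilities. The sample records are constructed, with placeholder key IDs.

```shell
#!/bin/sh
# Added check (not from the gist): read `gpg --with-colons -K` records on stdin
# and confirm the master key is only a stub on this machine ("sec#") while
# usable signing and encryption subkeys are present.
# Field 15 of sec/ssb records: '#' = secret key unavailable, '+' = present.
# Field 12: key capabilities (s = sign, e = encrypt, a = auth, c = certify).

check_offline_master() {
  awk -F: '
    $1 == "sec" { master = $15 }
    $1 == "ssb" && $15 == "+" {
      if (index($12, "s")) sign++
      if (index($12, "e")) enc++
    }
    END {
      if (master != "#") { print "master secret key still present"; exit 1 }
      if (!sign || !enc) { print "missing usable signing or encryption subkey"; exit 2 }
      print "OK: master key offline, subkeys usable"
    }'
}

# Constructed sample records; the key IDs are placeholders, not real keys.
SAMPLE_OFFLINE='sec:u:4096:1:0000000000000001:1579000000:::u:::scESCA:::#:::23::0:
ssb:u:4096:1:0000000000000002:1579000000::::::e:::+:::23:
ssb:u:4096:1:0000000000000003:1579000000::::::s:::+:::23:'

SAMPLE_ONLINE='sec:u:4096:1:0000000000000001:1579000000:::u:::scESCA:::+:::23::0:
ssb:u:4096:1:0000000000000002:1579000000::::::e:::+:::23:'

# Real use on a laptop:  gpg --with-colons -K "$NEW_KEY" | check_offline_master
printf '%s\n' "$SAMPLE_OFFLINE" | check_offline_master
```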

## Importing keys

```console
gpg --import $PUB_KEY
gpg --allow-secret-key --import $SECRET_KEY
```

## Signing a key

```console
gpg --receive-keys $KEY_ID
gpg --edit-key $KEY_ID
gpg> trust
gpg> sign
# save, otherwise the signature is discarded on quit
gpg> save
gpg --send-key $KEY_ID
```
