Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
GPG Kunk-fu

Goal: replacing a 13 years old (DSA1024) GPG key with a new longer key (RSA4096)

Using master key to create subkeys, and using subkeys to do real work (signing, encryption,...).

Using GPG subkeys

How

Why

Creating a new key with a long key size

# RSA, 4096, no expiration
# This will create a master key with a subkey for encryption
gpg --full-gen-key

Creating, trusting and changing usage of a new subkey

gpg --edit-key $NEW_KEY
gpg> addkey
4
4096
0
gpg> key 2
gpg> trust
5
gpg> change-usage
E
A
gpg> save

Signing new key with old

gpg --edit-key $NEW_KEY
gpg> sign $OLD_KEY
gpg> save
`

## Signing old key with new key to make a link between keys

```console
gpg --edit-key $OLD_KEY
gpg> sign $NEW_KEY
gpg> save

Setting digest preferences for keys and subkeys to have SHA1 as last resort

gpg --edit-key $NEW_KEY
gpg> showpref
setpref AES256 AES192 AES 3DES SHA512 SHA384 SHA256 SHA224 ZLIB BZIP2 ZIP Uncompressed
gpg> key 2
setpref AES256 AES192 AES 3DES SHA512 SHA384 SHA256 SHA224 ZLIB BZIP2 ZIP Uncompressed
gpg> save

gpg --edit-key $OLD_KEY
gpg> showpref
setpref AES256 AES192 AES 3DES SHA512 SHA384 SHA256 SHA224 ZLIB BZIP2 ZIP Uncompressed
gpg> key 2
setpref AES256 AES192 AES 3DES SHA512 SHA384 SHA256 SHA224 ZLIB BZIP2 ZIP Uncompressed
gpg> save

Configuring default key

In ~/.gnupg/gpg.conf

default-key $NEW_SUBKEY

Adding required identities to new key

gpg --edit-key $NEW_KEY
gpg> uid
gpg> adduid
gpg> uid 2
gpg> trust
5
gpg> save

Backing up new key

# Export public key
gpg --export --armor --output new-pubkey.gpg $NEW_KEY
# Export secret key
gpg --export-secret-keys --armor --output new-secretkey.gpg $NEW_KEY
# Export subkey
gpg --export-secret-subkeys --armor --output new-secret-subkeys.gpg $NEW_KEY
# Export subkey

Save it to secure place.

Generating revocation certificate for new key

gpg --output new-revoke.asc --armor --gen-revoke $NEW_KEY

Save it to secure place.

Publishing all keys

gpg --send-keys $NEW_KEY $OLD_KEY

Additional steps

Removing the masterkey from laptops and keeping the masterkey in a trusted place.

 gpg --delete-secret-keys $NEW_KEY
 gpg --import subkeys.gpg
 # Secret master key should show as sec# (with a #)
 gpg -K $NEW_KEY

In order to sign mails with mutt/neomutt using the subkey, only the subkey should be present in the local store.

gpg --edit-key $NEW_KEY
# List all keys
gpg> key
# Select key to be removed
gpg> key XXXXXXX
gpg> delkey
gpg> save

In mutt/neomutt conf, the $NEW_KEY ID should be documented.

Importing keys

gpg --import $PUB_KEY
gpg --allow-secret-key --import $SECRET_KEY

Signing a keys

gpg --receive-keys $KEY_ID
gpg --edit-key $KEY_ID
gpg> trust
gpg> sign
gpg --send-key $KEY_ID

Links

Organising a signing party

This notes are meant to help organising a GPG key signing party.

Overall procedure

  • Public keys are sent to the organiser by their owner
  • The organiser sends the full list of keys to all attendees
  • As different GPG software may use by default a different key server, a list of servers has been agreed to be used to retrieve and push keys (e.g. after signing them) ** https://keys.openpgp.org/ and https://pgp.surfnet.nl/
  • All participants print their key details (name, email address, fingerprints, etc) onto small papers (can have quite a few in a single A4 page) using https://keysheet.net/ (or similar)
  • During the key signing party, the only thing that people do is exchange these paper slips, verifying every one's passports or ID card as they do.
  • After the party, people sign the key (as they see fit, it's not mandatory for everyone to sign everyone) and upload the signed key on the pre-determined servers. See some notes on doing this after this procedure.

Using gpg from the CLI

Export local pub key to a file

gpg --export --armor --output pubkey.gpg <XXXXX>

Downloading and, trusting and signing a remote key and uploading it with the signature ====

  • Trust: Usually 4 "I trust fully", obviously depending on the level of trust and verification that was done.
  • Only the master key can be used to sign someone else's key, sub keys cannot be used for this.
  • While the key is downloaded from one of the servers, the signed key is sent to all the agreed key servers.
gpg --keyserver keys.openpgp.org --receive-keys <YYYYY>
gpg --edit-key <YYYYY>
gpg> trust
gpg> sign
gpg> save
gpg --keyserver keys.openpgp.org --send-keys <YYYYY>
gpg --keyserver pgp.surfnet.nl --send-keys <YYYYY>

Refreshing local keys from key servers

gpg --keyserver keys.openpgp.org --receive-keys <XXXXX>
gpg --keyserver pgp.surfnet.nl --receive-keys <XXXXX>

It's also possible to refresh all keys at once:

gpg --keyserver keys.openpgp.org --refresh-keys 
gpg --keyserver pgp.surfnet.nl --refresh-keys

Links

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment