Use the master key only to create and certify subkeys, and use the subkeys for the real work (signing, encryption, ...).
- https://alexcabal.com/creating-the-perfect-gpg-keypair
- https://riseup.net/pt/security/message-security/openpgp/gpg-best-practices
- https://github.com/drduh/YubiKey-Guide
- https://ekaia.org/blog/2009/05/10/creating-new-gpgkey/
- https://gist.github.com/ageis/14adc308087859e199912b4c79c4aaa4
- https://wiki.debian.org/Subkeys
- https://incenp.org/notes/2015/using-an-offline-gnupg-master-key.html
```console
# RSA, 4096, no expiration
# This creates the master key together with an encryption subkey
gpg --full-gen-key

# Add a signing subkey under the new master key
gpg --edit-key $NEW_KEY
gpg> addkey
# 4 = RSA (sign only)
4
# key size
4096
# 0 = key does not expire
0
gpg> key 2
gpg> trust
# 5 = ultimate trust (it is our own key)
5
# change-usage toggles the usage flags of the selected key: E = encrypt, A = authenticate
gpg> change-usage
E
A
gpg> save

# Sign (certify) the old key with the new master key
gpg --edit-key $NEW_KEY
gpg> sign $OLD_KEY
gpg> save
```
## Cross-signing the old and new keys to link them
```console
gpg --edit-key $OLD_KEY
gpg> sign $NEW_KEY
gpg> save
```
Set the same cipher, digest and compression preferences on both keys (`showpref` prints the current list):
```console
gpg --edit-key $NEW_KEY
gpg> showpref
gpg> setpref AES256 AES192 AES 3DES SHA512 SHA384 SHA256 SHA224 ZLIB BZIP2 ZIP Uncompressed
gpg> key 2
gpg> setpref AES256 AES192 AES 3DES SHA512 SHA384 SHA256 SHA224 ZLIB BZIP2 ZIP Uncompressed
gpg> save
gpg --edit-key $OLD_KEY
gpg> showpref
gpg> setpref AES256 AES192 AES 3DES SHA512 SHA384 SHA256 SHA224 ZLIB BZIP2 ZIP Uncompressed
gpg> key 2
gpg> setpref AES256 AES192 AES 3DES SHA512 SHA384 SHA256 SHA224 ZLIB BZIP2 ZIP Uncompressed
gpg> save
```
Preferences live in the user-ID self-signatures, not on subkeys, so `setpref` after `key 2` rewrites the same user-ID preferences rather than anything subkey-specific.
In ~/.gnupg/gpg.conf:
```
default-key $NEW_SUBKEY
```
Append `!` to the subkey ID (`$NEW_SUBKEY!`) to force gpg to use that exact subkey instead of picking one itself.
Add a second user ID and trust it:
```console
gpg --edit-key $NEW_KEY
gpg> uid
gpg> adduid
gpg> uid 2
gpg> trust
5
gpg> save
```
```console
# Export public key
gpg --export --armor --output new-pubkey.gpg $NEW_KEY
# Export secret key (master key plus subkeys)
gpg --export-secret-keys --armor --output new-secretkey.gpg $NEW_KEY
# Export secret subkeys only (the master key is exported as a stub)
gpg --export-secret-subkeys --armor --output new-secret-subkeys.gpg $NEW_KEY
```
Save the secret exports in a secure place.
```console
# Generate a revocation certificate
gpg --output new-revoke.asc --armor --gen-revoke $NEW_KEY
```
Save it in a secure place.
```console
gpg --send-keys $NEW_KEY $OLD_KEY
```
Remove the master key from laptops and keep it in a trusted place:
```console
# Delete the whole secret key, then re-import only the secret subkeys exported above
gpg --delete-secret-keys $NEW_KEY
gpg --import new-secret-subkeys.gpg
# The secret master key should now show as sec# (with a #)
gpg -K $NEW_KEY
```
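The whole workflow above (certify-only master key, separate subkeys, the three exports, a laptop store that holds only the subkeys, and the `sec#` check) as an added, non-interactive example; it is not part of the original notes. It uses GnuPG's `--quick-*` commands (GnuPG 2.1 or later) in place of the `gpg>` prompts, a second temporary GNUPGHOME in place of running `--delete-secret-keys` on the laptop, and defaults to ed25519 so it runs quickly; set `ALGO=rsa4096` to match the notes. The `Demo Key` user ID, file names and the empty passphrase are constructed for the demo only.

```shell
#!/bin/sh
# Added example (not from the original notes): batch version of the master-key /
# subkey workflow. Assumes GnuPG >= 2.1 with the --quick-* commands; user ID,
# file names and the empty passphrase are constructed for this demo only.

# Run gpg against a given GNUPGHOME, fully non-interactive (demo only: real
# master keys must have a passphrase).
gpgb() {
    _home=$1; shift
    GNUPGHOME=$_home gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"
}

# "stub" if the primary secret key in GNUPGHOME $1 is only a stub (what gpg -K
# shows as sec#), "present" if the real secret key is there.
primary_secret_status() {
    gpgb "$1" --with-colons --list-secret-keys |
        awk -F: '$1 == "sec" { s = ($15 == "#") ? "stub" : "present"; print s; exit }'
}

# Number of secret subkeys in GNUPGHOME $1 whose secret part is actually present.
usable_subkeys() {
    gpgb "$1" --with-colons --list-secret-keys |
        awk -F: '$1 == "ssb" && $15 != "#" { n++ } END { print n + 0 }'
}

gpg_subkey_demo() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; echo skipped; return 0; }
    algo=${ALGO:-ed25519}      # the notes use rsa4096; ed25519 keeps the demo fast
    case $algo in
        ed25519) sign=ed25519; encr=cv25519; auth=ed25519 ;;
        *)       sign=$algo;   encr=$algo;   auth=$algo ;;
    esac
    offline=$(mktemp -d) || return 1   # where the master key lives
    laptop=$(mktemp -d)  || return 1   # day-to-day store: subkeys only

    # 1. Certify-only master key, no expiration (the "0" in the notes)
    gpgb "$offline" --quick-generate-key "Demo Key <demo@example.invalid>" "$sign" cert never || return 1
    fpr=$(gpgb "$offline" --with-colons --list-keys | awk -F: '$1 == "fpr" { print $10; exit }')
    [ -n "$fpr" ] || return 1

    # 2. One subkey per job: sign, encrypt, authenticate
    gpgb "$offline" --quick-add-key "$fpr" "$sign" sign never || return 1
    gpgb "$offline" --quick-add-key "$fpr" "$encr" encr never || return 1
    gpgb "$offline" --quick-add-key "$fpr" "$auth" auth never || return 1

    # 3. The three exports from the notes; GnuPG >= 2.1 also writes a revocation
    #    certificate into openpgp-revocs.d at generation time (--gen-revoke is the manual route)
    gpgb "$offline" --export --armor --output "$offline/new-pubkey.gpg" "$fpr" || return 1
    gpgb "$offline" --export-secret-keys --armor --output "$offline/new-secretkey.gpg" "$fpr" || return 1
    gpgb "$offline" --export-secret-subkeys --armor --output "$offline/new-secret-subkeys.gpg" "$fpr" || return 1
    [ -f "$offline/openpgp-revocs.d/$fpr.rev" ] || return 1

    # 4. The laptop store receives the public key and the secret subkeys only;
    #    "$fpr:6:" is the batch equivalent of gpg> trust / 5 (ultimate)
    gpgb "$laptop" --import "$offline/new-pubkey.gpg" || return 1
    gpgb "$laptop" --import "$offline/new-secret-subkeys.gpg" || return 1
    echo "$fpr:6:" | gpgb "$laptop" --import-ownertrust || return 1

    # 5. The check from the notes: master shows as sec#, all three subkeys usable
    [ "$(primary_secret_status "$laptop")" = stub ] || return 1
    [ "$(usable_subkeys "$laptop")" = 3 ] || return 1

    # 6. Real work with the subkeys alone: sign/verify and encrypt/decrypt round trips
    printf 'hello\n' | gpgb "$laptop" --local-user "$fpr" --clearsign > "$laptop/msg.asc" || return 1
    gpgb "$laptop" --verify "$laptop/msg.asc" || return 1
    printf 'secret\n' | gpgb "$laptop" --recipient "$fpr" --encrypt > "$laptop/msg.gpg" || return 1
    [ "$(gpgb "$laptop" --decrypt "$laptop/msg.gpg")" = secret ] || return 1

    # Stop the per-home agents and remove the temporary homes
    for h in "$offline" "$laptop"; do
        GNUPGHOME=$h gpgconf --kill gpg-agent 2>/dev/null || true
        rm -rf "$h"
    done
    echo ok
}

gpg_subkey_demo
```

The script prints `ok` when every step succeeds. The `sec#` test reads field 15 of the `--with-colons` listing, which is `#` for a stub, so it does not depend on the human-readable `gpg -K` layout; the sign and encrypt round trips at the end are what confirm that the stub master key is not needed for day-to-day work.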
To sign mail with mutt/neomutt using the subkey, only the subkey should be present in the local store:
```console
gpg --edit-key $NEW_KEY
# List keys and subkeys with their index numbers
gpg> list
# Select the subkey to be removed
gpg> key XXXXXXX
gpg> delkey
gpg> save
```
In the mutt/neomutt configuration, reference the $NEW_KEY ID as the signing key.
Importing and signing someone else's key:
```console
gpg --import $PUB_KEY
# --allow-secret-key-import is a legacy no-op in GnuPG 2; plain --import handles secret keys
gpg --allow-secret-key-import --import $SECRET_KEY
gpg --receive-keys $KEY_ID
gpg --edit-key $KEY_ID
gpg> trust
gpg> sign
gpg> save
gpg --send-key $KEY_ID
```
- https://www.apache.org/dev/openpgp.html
- https://www.apache.org/dev/key-transition.html
- https://www.void.gr/kargig/blog/2013/12/02/creating-a-new-gpg-key-with-subkeys/
- https://oguya.ch/posts/2016-04-01-gpg-subkeys/
- http://www.connexer.com/articles/openpgp-subkeys
- https://github.com/pstadler/keybase-gpg-github
- https://wiki.debian.org/Keysigning
- https://wiki.ubuntu.com/KeySigningParty