Last active
April 2, 2020 13:23
-
-
Save mdaley/b7e07a5b55841ce0076941250a67495b to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # CREATING GPG KEYS | |
| gpg —full-generate-key | |
| - 1 (RSA and RSA) | |
| - 4096 (key size) | |
| - 0 (valid forever) | |
| - Personal details | |
| - Password (avoid awkward characters like ! or %) | |
| See what you have: | |
| gpg --list-secret-keys --keyid_format LONG | |
| /Users/mdaley/.gnupg/pubring.kbx | |
| -------------------------------- | |
| sec rsa4096/EE4A4134DE970647 2020-04-02 [SC] | |
| 97A8079D22430F9A6BFB6E0CEE4A4134DE970647 | |
| uid [ultimate] Matthew Daley <m6daley@gmail.com> | |
| ssb rsa4096/41F80307976B5A37 2020-04-02 [E] | |
| S = signing, C = certify, E = encryption | |
| ## EXPORT PUBLIC KEY | |
| e.g. for github | |
| gpg --armor --export EE4A4134DE970647 | |
| Creates a base64 encoded public key file: | |
| -----BEGIN PGP PUBLIC KEY BLOCK----- | |
| ... | |
| -----END PGP PUBLIC KEY BLOCK----- | |
| ## SUB KEY FOR SIGNING | |
| Separating out secret key so signing sub key created separate from the dangerous certification key. | |
| gpg —edit-key EE4A4134DE970647 | |
| - Add key | |
| - 4 (RSA sign only) | |
| - 4096 (key size) | |
| - 1y (or duration of your choice) | |
| - Password of private key | |
| - Save (important!) | |
| gpg --list-secret-keys --keyid-format LONG | |
| /Users/mdaley/.gnupg/pubring.kbx | |
| -------------------------------- | |
| sec rsa4096/EE4A4134DE970647 2020-04-02 [SC] | |
| 97A8079D22430F9A6BFB6E0CEE4A4134DE970647 | |
| uid [ultimate] Matthew Daley <m6daley@gmail.com> | |
| ssb rsa4096/41F80307976B5A37 2020-04-02 [E] | |
| ssb rsa4096/3A4A29CE6866AA43 2020-04-02 [S] [expires: 2021-04-02] | |
| Now there is an additional sub key with type S = sign | |
| ## BACKUP KEYS | |
| Full backup: | |
| gpg --export-secret-keys --armor EE4A4134DE970647 > m6daley-gpg.full | |
| Save this one somewhere secure. Don’t want to carry around the certification key!! Identity theft risk. | |
| gpg --export-secret-subkeys --armor EE4A4134DE970647 > m6daley-gpg.subkeys | |
| This is adequate for carrying around, using on devices. | |
| ## REPLACE GPG WITH SUBKEYS ONLY | |
| rm -rf ~/.gnupg | |
| mkdir ~/.gnupg | |
| chmod 700 ~/.gnupg | |
| gpg --import m6daley-gpg.subkeys | |
| gpg --list-secret-keys --keyid-format LONG | |
| gpg: WARNING: unsafe permissions on homedir '/Users/mdaley/.gnupg' | |
| /Users/mdaley/.gnupg/pubring.kbx | |
| -------------------------------- | |
| sec# rsa4096/EE4A4134DE970647 2020-04-02 [SC] | |
| 97A8079D22430F9A6BFB6E0CEE4A4134DE970647 | |
| uid [ unknown] Matthew Daley <m6daley@gmail.com> | |
| ssb rsa4096/41F80307976B5A37 2020-04-02 [E] | |
| ssb rsa4096/3A4A29CE6866AA43 2020-04-02 [S] [expires: 2021-04-02] | |
| Note sec# which means the main secret key is missing. | |
| The subways for encryption and signing are present though. | |
| ## PUBLISH PUBLIC KEY | |
| OSX: may need to add the file ~/.gnupg/dirmngr.conf containing: | |
| ipv6-disable | |
| To disable IPv6 which stops the sending of keys from working. Restart dirnmgr (whatever that is) by doing: | |
| Gpgconf —kill dirmngr | |
| Send the public key: | |
| gpg --keyserver hkp://keyserver.pgp.com --send-keys EE4A4134DE970647 | |
| Once distributed you can do this: | |
| http://pool.sks-keyservers.net:11371/pks/lookup?op=get&search=m6daley@gmail.com | |
| to see your public key |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment