Last active
September 18, 2025 18:01
-
-
Save Integralist/f7e17034800b65b51eb7e9807720025a to your computer and use it in GitHub Desktop.
Revisions
-
Integralist revised this gist
Dec 26, 2017 . 1 changed file with 64 additions and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,3 +1,5 @@ ## Concept https://alexcabal.com/creating-the-perfect-gpg-keypair/ 1. Create a regular GPG keypair. By default GPG creates one signing subkey (your identity) and one encryption subkey (how you receive messages intended for you). @@ -10,4 +12,65 @@ https://alexcabal.com/creating-the-perfect-gpg-keypair/ Your laptop keypair is what you’ll use for day-to-day GPG usage. What’s the benefit to this setup? Since your master keypair isn’t stored on your traveling laptop, that means you can revoke the subkeys on your laptop should your laptop be stolen. Since you’re not revoking the original subkey you created in the master keypair—remember, we removed it from our laptop’s keypair—that means you don’t have to create a new keypair and go through the hassle of getting people to sign it again. You’d still have to revoke the stolen subkey, and the thief could still use the encryption subkey to decrypt any messages you’ve already received, but at least the damage done won’t be as catastrophic. ## Step by Step ### Generate Key - `gpg ‐‐gen-key` - Set expiry to zero (never expires) > Note: you could even add a photo to your GPG public key using `gpg ‐‐edit-key <email or id>` and at the interactive prompt use the command `gpg> addphoto` then specify full path `/home/integralist/profile.jpg`. ### Extra secure hashes (optional) - `gpg ‐‐edit-key <email or id>` - `gpg> setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed` ### Create 'signing' subkey - `gpg ‐‐edit-key <email or id>` - `gpg> addkey` - Select "RSA (sign only)" and 4096 for the keysize - Key does not expire - `gpg> save` ### Create 'revocation' certificate - `gpg --gen-revoke [email protected]` (store somewhere) - `gpg --import revocation.cert` (only do when you want to revoke) ### Export for Backups - `gpg --export-secret-keys --armor [email protected] > secret.gpg-key` - `gpg --export --armor [email protected] > public.gpg-key` ### Now remove master key pair We have to remove the original signing subkey from the master keypair in our keyring. 1. Export all of the subkeys from our new keypair to a file. We first create a RAM-based ramfs temporary folder to prevent our keys from being written to permanent storage. We use ramfs instead of tmpfs/ or /dev/shm/ because ramfs doesn’t write to swap. ``` mkdir /tmp/gpg sudo mount -t ramfs -o size=1M ramfs /tmp/gpg sudo chown $(logname):$(logname) /tmp/gpg gpg --export-secret-subkeys [email protected] > /tmp/gpg/subkeys ``` 2. Delete the original signing subkey from the keypair in our keyring: ``` gpg --delete-secret-key [email protected] ``` 3. Re-import the keys we exported and clean up our temporary file: ``` gpg --import /tmp/gpg/subkeys sudo umount /tmp/gpg rmdir /tmp/gpg ``` 4. `gpg --list-secret-keys`: see how the third line begins with `sec#`, not `sec`? The pound sign means the signing subkey is not in the keypair located in the keyring. -
Dec 26, 2017 . 1 changed file with 2 additions and 0 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,3 +1,5 @@ https://alexcabal.com/creating-the-perfect-gpg-keypair/ 1. Create a regular GPG keypair. By default GPG creates one signing subkey (your identity) and one encryption subkey (how you receive messages intended for you). 2. Use GPG to add an additional signing subkey to your keypair. This new subkey is linked to the first signing key. Now we have three subkeys. -
Dec 26, 2017 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1,11 @@ 1. Create a regular GPG keypair. By default GPG creates one signing subkey (your identity) and one encryption subkey (how you receive messages intended for you). 2. Use GPG to add an additional signing subkey to your keypair. This new subkey is linked to the first signing key. Now we have three subkeys. 3. This keypair is your master keypair. Store it in a protected place like your house or a safe-deposit box. Your master keypair is the one whose loss would be truly catastrophic. 4. Copy your master keypair to your laptop. Then use GPG to remove the original signing subkey, leaving only the new signing subkey and the encryption subkey. This transforms your master keypair into your laptop keypair. Your laptop keypair is what you’ll use for day-to-day GPG usage. What’s the benefit to this setup? Since your master keypair isn’t stored on your traveling laptop, that means you can revoke the subkeys on your laptop should your laptop be stolen. Since you’re not revoking the original subkey you created in the master keypair—remember, we removed it from our laptop’s keypair—that means you don’t have to create a new keypair and go through the hassle of getting people to sign it again. You’d still have to revoke the stolen subkey, and the thief could still use the encryption subkey to decrypt any messages you’ve already received, but at least the damage done won’t be as catastrophic.