GPG

As many tutorials point out, it is better to keep the master key on an offline computer and to export subkeys when they are needed.

In this tutorial we use

  • a@b.com as the email that identifies the key (key id)

  • EF987654 as the fingerprint of the public key

  • 0123ABCD as the fingerprint of the public signing subkey

Generate a key pair

We will generate a GPG keypair on an air-gapped computer for added security, and use one or more USB sticks as backups. The computer's hard drive and the backup USB sticks must be encrypted. A third USB stick, which does not need to be encrypted, can then be used to transfer public key files.

See also

  • GnuPG - ArchWiki [4]

  1. get an old laptop you do not use anymore

  2. install Debian stable on it using LUKS encryption

  3. after the installation is finished disconnect the computer from the network

  4. generate a key pair

    gpg --full-gen-key
    

    You may use 4096 bits as the key size and a working email address as the identity

Export

Exporting a keypair lets you back up your private keys and publish your public keys. If you want your public key to be easy to find you can publish it on a keyserver. Use the unencrypted USB stick to transfer public key files to other computers.

See also

  • disaster recovery - How to backup GPG? - Server Fault [5]

  1. export everything to the home directory

    cd ~
    gpg --export --armor a@b.com > a@b.com.pub.asc
    gpg --export-secret-keys --armor a@b.com > a@b.com.priv.asc
    gpg --export-secret-subkeys --armor a@b.com > a@b.com.sub_priv.asc
    gpg --export-ownertrust > ownertrust.txt
    
  2. if you need to export a secret subkey only, for example for Git commit signing, you can use this command

    gpg --export-secret-subkeys --armor 0x0123ABCD! > 0x0123ABCD.secret_subkey.asc
    

    Important

    Preserve the ! after the key id: it tells gpg to export exactly that subkey.

    To export the public subkey use this command

    gpg --export --armor --output 0123ABCD.subkey.txt 0123ABCD!
    

    Important

    Preserve the ! at the end of the command: it tells gpg to export exactly that subkey.

  3. copy all the files to the backup USB sticks

  4. export the needed public key to the unencrypted USB stick
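The export steps above, written as an added shell example (it is not the notes' own script nor part of GnuPG): a full backup of the key into a directory created with restrictive permissions, the single-subkey export with the trailing `!`, and a check that no secret file is readable by other users before it is copied to the USB sticks. The key id a@b.com and the subkey id 0123ABCD are the tutorial's placeholders; the `GPG` variable, the function names and the output file layout are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the original notes' script: the export steps as functions.
# Key ids and file names follow the tutorial's placeholders (a@b.com, subkey 0123ABCD).
GPG="${GPG:-gpg}"   # gpg binary; can be overridden, e.g. with a stand-in for a dry run

# Full backup of the key identified by $1 into directory $2 (the exports of step 1,
# written to a directory that is then copied to the encrypted backup USB sticks).
export_backup() {
  keyid="$1"; outdir="$2"
  umask 077                      # new files are created mode 600, directories 700
  mkdir -p "$outdir" || return 1
  "$GPG" --export --armor "$keyid"                > "$outdir/$keyid.pub.asc"      || return 1
  "$GPG" --export-secret-keys --armor "$keyid"    > "$outdir/$keyid.priv.asc"     || return 1
  "$GPG" --export-secret-subkeys --armor "$keyid" > "$outdir/$keyid.sub_priv.asc" || return 1
  "$GPG" --export-ownertrust                      > "$outdir/ownertrust.txt"      || return 1
  # guard against an empty export (wrong id, or the secret key is not on this machine)
  [ -s "$outdir/$keyid.priv.asc" ] || { echo "no secret key exported for $keyid" >&2; return 1; }
}

# Export a single secret subkey (step 2). The trailing '!' restricts gpg to exactly
# that subkey instead of the whole key it belongs to.
export_subkey_only() {
  subkey="$1"; outdir="$2"
  umask 077
  mkdir -p "$outdir" || return 1
  "$GPG" --export-secret-subkeys --armor "0x${subkey}!" > "$outdir/0x$subkey.secret_subkey.asc" || return 1
  [ -s "$outdir/0x$subkey.secret_subkey.asc" ]
}

# Leak check before copying to a USB stick: no file holding secret material may be
# readable by group or others (find's -perm -040 / -004 test the group/other read bits).
check_backup_perms() {
  dir="$1"; bad=0
  for f in "$dir"/*.priv.asc "$dir"/*.sub_priv.asc "$dir"/*.secret_subkey.asc; do
    [ -e "$f" ] || continue
    if [ -n "$(find "$f" \( -perm -040 -o -perm -004 \) -print)" ]; then
      echo "secret file readable by others: $f" >&2
      bad=1
    fi
  done
  return $bad
}

# Usage when run directly:  sh export_backup.sh a@b.com ~/gpg-backup
if [ "$#" -eq 2 ]; then
  export_backup "$1" "$2" && check_backup_perms "$2"
fi
```

The `umask 077` is set inside the functions so that the exported files are private from the moment they are created, rather than being chmod'ed afterwards; `check_backup_perms` then catches files that were created elsewhere and copied in with looser permissions.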

Import

  1. on your other devices you can import any type of key file like this

    gpg --import ${some_key}
    

Renew expiration date

See also

  • Extending expiration date - GnuPG - ArchWiki [1]

  • gnupg - Is it possible to export a GPG subkey’s public component? - Information Security Stack Exchange [2]

  1. list the keys. You can use the email address as the identifier (we are interested in the uid, which in this case is a@b.com)

    gpg --list-keys a@b.com
    
  2. edit the keys. You can, for example, extend the primary (master) key for another 2 years (730 days) while the signing (S), certification (C) and encryption (E) subkeys are extended by 1 year (365 days). Running the first command opens an interactive prompt; a key N line toggles the selection of subkey N, so typing it again after expire deselects that subkey

    gpg --edit-key a@b.com
    
    key⏎
    expire⏎
    730⏎
    y⏎
    
    key 1⏎
    expire⏎
    365⏎
    y⏎
    key 1⏎
    
    key 2⏎
    expire⏎
    365⏎
    y⏎
    key 2⏎
    
    key 3⏎
    expire⏎
    365⏎
    y⏎
    key 3⏎
    
    save⏎
    
    exit⏎
    
  3. re-export and share your public key(s)

Note

There is no need to update the backups or re-export the secret key.

Add new email id

  1. edit the key: add a uid for the new email and set ultimate trust

    gpg --edit-key a@b.com
    
    adduid⏎        # follow the prompts for the new name, email and comment

    uid 2⏎         # select the uid of the new email (usually 2 if you had only one email before)

    primary⏎       # set the new email as primary

    trust⏎
    5⏎             # set ultimate trust for the new email

    save⏎
    exit⏎
    
  2. re-export and share your public key(s)

Note

There is no need to update the backups or re-export the secret key.

Keyoxide setup

Keyoxide is a website-independent way of claiming ownership of web profiles such as DNS records, Gitea, Gitlab and other accounts.

If you have a look at the Keyoxide homepage you will find a list of supported services. In this example we will verify a DNS domain with Keyoxide.

See also

  • Keyoxide? — Keyoxide Docs [6]

  • OpenPGP with GnuPG — Keyoxide Docs [7]

  • Using GnuPG — Keyoxide Docs [8]

  • DNS — Keyoxide Docs [9]

  • gitea_proof - Codeberg.org [10]

  1. generate a key pair

  2. edit your keypair. In this example we will add a DNS claim

    gpg --edit-key a@b.com
    
    uid 1⏎
    notation⏎
    proof@ariadne.id=dns:yourdomain.org?type=TXT⏎
    save⏎
    
  3. export the public key: export the whole key, not subkeys

  4. you can check the notations like this

    gpg --edit-key a@b.com
    
    showpref⏎
    exit⏎
    
  5. get the public key fingerprint, without spaces

    gpg --with-colons --keyid-format long --list-keys a@b.com
    

    The key fingerprint is the fpr line that directly follows the pub line (the fpr lines that follow sub lines are the subkey fingerprints)

  6. Add the proof as a TXT record

    openpgp4fpr:${fingerprint}
    
  7. upload the public key to keys.openpgp.org

Important

If you need to add a claim later, just add it, export the whole public key again and upload it to keys.openpgp.org. There is no need to update any backups in this case.
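Two of the steps above, getting the fingerprint for the Keyoxide TXT record (steps 5 and 6) and knowing when a key is due for the renewal procedure in "Renew expiration date", come down to reading the colon-separated listing that `gpg --with-colons` prints. The following added example (not part of the original notes, and not GnuPG's own tooling) parses such a listing with awk; the listing embedded in it is constructed sample output for the tutorial's placeholder key (uid a@b.com, primary key fingerprint ending in EF987654, subkey fingerprint ending in 0123ABCD), and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original notes: parse the output of
#   gpg --with-colons --keyid-format long --list-keys a@b.com
# without needing gpg installed. SAMPLE_LISTING is CONSTRUCTED sample output for the
# tutorial's placeholder key (fingerprints padded so that they have 40 hex digits).

SAMPLE_LISTING='tru::1:1700000000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1700000000:1763000000::u:::scESC::::::23::0:
fpr:::::::::ABCDEF0123456789ABCDEF0123456789EF987654:
uid:u::::1700000000::0000000000000000000000000000000000000000::Example User <a@b.com>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1700000000:1765000000:::::s::::::23:
fpr:::::::::111122223333444455556666777788880123ABCD:'

# Fingerprint of the primary key: field 10 of the fpr record right after the pub record.
primary_fpr() {
  printf '%s\n' "$1" | awk -F: '
    $1 == "pub"          { want = 1; next }
    $1 == "fpr" && want  { print $10; exit }
                         { want = 0 }'
}

# Fingerprints of all subkeys: the fpr records that follow sub records.
subkey_fprs() {
  printf '%s\n' "$1" | awk -F: '
    $1 == "sub"          { want = 1; next }
    $1 == "fpr" && want  { print $10 }
                         { want = 0 }'
}

# A v4 fingerprint is exactly 40 upper-case hex digits; a short id such as EF987654 is not one.
is_fpr() {
  printf '%s' "$1" | grep -Eq '^[0-9A-F]{40}$'
}

# Value of the DNS TXT record for the Keyoxide DNS claim (step 6 above).
txt_record() {
  is_fpr "$1" || { echo "not a full fingerprint: $1" >&2; return 1; }
  printf 'openpgp4fpr:%s\n' "$1"
}

# Keys (pub and sub records) whose expiration (field 7, epoch seconds; empty = never)
# falls within $3 days of the time $2 (epoch seconds). A negative day count means the
# key has already expired. Use it to decide when to run the expire steps.
expiring_keys() {
  printf '%s\n' "$1" | awk -F: -v now="$2" -v limit="$3" '
    ($1 == "pub" || $1 == "sub") && $7 != "" {
      days = int(($7 - now) / 86400)
      if (days <= limit) print $1, $5, days
    }'
}

fpr=$(primary_fpr "$SAMPLE_LISTING")
echo "primary fingerprint: $fpr"
echo "TXT record value:    $(txt_record "$fpr")"
echo "subkey fingerprints:"; subkey_fprs "$SAMPLE_LISTING"
echo "keys expiring within 60 days of 1760000000:"; expiring_keys "$SAMPLE_LISTING" 1760000000 60
```

On a real machine replace `SAMPLE_LISTING` with `$(gpg --with-colons --keyid-format long --list-keys a@b.com)` and pass `$(date +%s)` as the current time; `txt_record` refuses anything that is not a full 40-digit fingerprint, which catches the common mistake of publishing the short key id instead.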

Troubleshooting

Problem with the agent

If you get the error "gpg: problem with the agent: Permission denied" while signing, append the line pinentry-mode loopback to ~/.gnupg/gpg.conf

See also

  • 18.04 - gpg: problem with the agent: Permission denied - Ask Ubuntu [3]

Footnotes