GPG

As many tutorials point out it is better to keep the master key stored in an offline computer and to export subkeys when needed.

In this tutorial we use

• a@b.com as the email that identifies the key (key id)

• EF987654 as the fingerprint of the public key

• 0123ABCD as the fingerprint of the public signing subkey

Generate a key pair

We will generate a gpg keypair on an air gapped computer for added security. We will also use one or more USB sticks as backups. The computer hard drive and USB sticks must be encrypted for added security. You can then use a third USB stick to transfer public key files. This last one does not need to be encrypted.

Vedi anche

• GnuPG - ArchWiki 4

1. get an old laptop you do not use anymore

2. install Debian stable on it using LUKS encryption

3. after the installation is finished disconnect the computer from the network

4. generate a key pair

   gpg --full-gen-key
   

   You may use 4096 as key size and a functional email as identity

Export

Exporting a keypair means that you can backup you private keys and publish your public keys. If you want your public key to be known easily you can publish it on a keyserver. Use an unencrypted USB stick to transfer public key files on other computers

Vedi anche

• disaster recovery - How to backup GPG? - Server Fault 5

1. export everyting on the home directory

   cd ~
   gpg --export --armor a@b.com > a@b.com.pub.asc
   gpg --export-secret-keys --armor a@b.com > a@b.com.priv.asc
   gpg --export-secret-subkeys --armor a@b.com > a@b.com.sub_priv.asc
   gpg --export-ownertrust > ownertrust.txt
   

2. if you need to export a secret subkey only, for example for GIT signing, you can use this command

   gpg --export-secret-subkeys --armor 0x0123ABCD! > 0x0123ABCD.secret_subkey.asc
   

   Importante

   Preserve the ! at the end of the command.

   To export the public subkey use this command

   gpg --export --armor --output 0123ABCD.subkey.txt 0123ABCD!
   

   Importante

   Preserve the ! at the end of the command.

3. copy all the files to the backup USB sticks

4. export the needed public key to the unencrypted USB stick

Import

1. on your other devices you can simply import any type of key like this

   gpg --import ${some_key}
   

Renew expiration date

Vedi anche

• Extending expiration date - GnuPG - ArchWiki 1

• gnupg - Is it possible to export a GPG subkey’s public component? - Information Security Stack Exchange 2

1. get the keys. You can use the email as identifier (we are interested in the uid which in this case is a@b.com)

   gpg --list-keys a@b.com
   

2. edit the keys. You can, for example, extend the master subkey for another 2 years while the signing (S), certification (C) and encryption (E) subkeys can be extended by 1 year. You will get an interactive interface after running the first command

   gpg --edit-key a@b.com
   
   key⏎
   expire⏎
   730⏎
   y⏎
   
   key 1⏎
   expire⏎
   365⏎
   y⏎
   key 1⏎
   
   key 2⏎
   expire⏎
   365⏎
   y⏎
   key 2⏎
   
   key 3⏎
   expire⏎
   365⏎
   y⏎
   key 3⏎
   
   save⏎
   
   exit⏎
   

3. re-export and share you public key(s)

Nota

There is no need to update the backups or re-export the secret key.

Add new email id

1. edit the key: create a new email and set ultimate trust

   gpg --edit-key a@b.com
   
   adduid⏎
   
             # follow the instructions
   
   2⏎        # the id of the new email (usually 2 if you had only one email before)
   
   primary⏎  # set the new email as primary
   
   trust⏎
   5⏎        # set ultimate trust for the new email
   
   save⏎
   exit⏎
   

2. re-export and share you public key(s)

Nota

There is no need to update the backups or re-export the secret key.

Keyoxide setup

Keyoxide is a website independent way of claiming ownership of web profiles such as DNS records, Gitea, Gitlab, Gitlab and other profiles.

If you have a look at the Keyoxide homepage you will find a list of supported services. In this example we will verify a DNS domain with Keyoxide

Vedi anche

• Keyoxide? — Keyoxide Docs 6

• OpenPGP with GnuPG — Keyoxide Docs 7

• Using GnuPG — Keyoxide Docs 8

• DNS — Keyoxide Docs 9

• gitea_proof - Codeberg.org 10

1. generate a key pair

2. edit you keypair. In this example we will add a DNS claim

   gpg --edit-key a@b.com
   
   uid 1⏎
   notation⏎
   proof@ariadne.id=dns:yourdomain.org?type=TXT⏎
   save⏎
   

3. export the public key

4. you can check the notations like this

   gpg --edit-key a@b.com
   
   showpref⏎
   exit⏎
   

5. get the public key fingerprint, without spaces

   gpg --with-colons --keyid-format long --list-keys a@b.com
   

   The key fingerprint corresponds to one of the fpr lines

6. Add the proof as a TXT record

   openpgp4fpr:${fingerprint}
   

Troubleshooting

Problem with the agent

If you get gpg: problem with the agent: Permission denied while signing append pinentry-mode loopback to ~/.gnupg/gpg.conf

Vedi anche

• 18.04 - gpg: problem with the agent: Permission denied - Ask Ubuntu 3

Footnotes

1

https://wiki.archlinux.org/title/GnuPG#Extending_expiration_date GNU Free Documentation License 1.3 or later, Copyright (c) ArchWiki contributors

2

https://security.stackexchange.com/a/226986 CC BY-SA 4.0, Copyright (c) 2020 qrtLs (at security.stackexchange.com)

3

https://askubuntu.com/a/1158297 CC BY-SA 4.0, Copyright (c) 2021 Deathgrip (at askubuntu.com)

4

https://wiki.archlinux.org/title/GnuPG

5

https://serverfault.com/a/1040984 CC BY-SA 4.0, Copyright (c) 2020-2021, serverfault.com contributors

6

https://docs.keyoxide.org/understanding-keyoxide/keyoxide/ CC BY-NC-SA 4.0, Copyright (c) Keyoxide contributors

7

https://docs.keyoxide.org/using-cryptography/openpgp-gnupg/ CC BY-NC-SA 4.0, Copyright (c) Keyoxide contributors

8

https://docs.keyoxide.org/openpgp-profiles/using-gnupg/ CC BY-NC-SA 4.0, Copyright (c) Keyoxide contributors

9

https://docs.keyoxide.org/service-providers/dns/ CC BY-NC-SA 4.0, Copyright (c) Keyoxide contributors

10

https://codeberg.org/forgejo/gitea_proof unknown license