GPG#
As many tutorials point out it is better to keep the master key stored in an offline computer and to export subkeys when needed.
In this tutorial we use
a@b.com
as the email that identifies the key (key id)EF987654
as the fingerprint of the public key0123ABCD
as the fingerprint of the public signing subkey
Generate a key pair#
We will generate a gpg keypair on an air gapped computer for added security. We will also use one or more USB sticks as backups. The computer hard drive and USB sticks must be encrypted for added security. You can then use a third USB stick to transfer public key files. This last one does not need to be encrypted.
Vedi anche
GnuPG - ArchWiki [4]
get an old laptop you do not use anymore
install Debian stable on it using LUKS encryption
after the installation is finished disconnect the computer from the network
generate a key pair
gpg --full-gen-key
You may use 4096 as key size and a functional email as identity
Export#
Exporting a keypair means that you can backup you private keys and publish your public keys. If you want your public key to be known easily you can publish it on a keyserver. Use an unencrypted USB stick to transfer public key files on other computers
Vedi anche
disaster recovery - How to backup GPG? - Server Fault [5]
export everyting on the home directory
cd ~ gpg --export --armor a@b.com > a@b.com.pub.asc gpg --export-secret-keys --armor a@b.com > a@b.com.priv.asc gpg --export-secret-subkeys --armor a@b.com > a@b.com.sub_priv.asc gpg --export-ownertrust > ownertrust.txt
if you need to export a secret subkey only, for example for GIT signing, you can use this command
gpg --export-secret-subkeys --armor 0x0123ABCD! > 0x0123ABCD.secret_subkey.asc
Importante
Preserve the
!
at the end of the command.To export the public subkey use this command
gpg --export --armor --output 0123ABCD.subkey.txt 0123ABCD!
Importante
Preserve the
!
at the end of the command.copy all the files to the backup USB sticks
export the needed public key to the unencrypted USB stick
Import#
on your other devices you can simply import any type of key like this
gpg --import ${some_key}
Renew expiration date#
Vedi anche
get the keys. You can use the email as identifier (we are interested in the
uid
which in this case isa@b.com
)gpg --list-keys a@b.com
edit the keys. You can, for example, extend the master subkey for another 2 years while the signing (
S
), certification (C
) and encryption (E
) subkeys can be extended by 1 year. You will get an interactive interface after running the first commandgpg --edit-key a@b.com key⏎ expire⏎ 730⏎ y⏎ key 1⏎ expire⏎ 365⏎ y⏎ key 1⏎ key 2⏎ expire⏎ 365⏎ y⏎ key 2⏎ key 3⏎ expire⏎ 365⏎ y⏎ key 3⏎ save⏎ exit⏎
re-export and share you public key(s)
Nota
There is no need to update the backups or re-export the secret key.
Add new email id#
edit the key: create a new email and set ultimate trust
gpg --edit-key a@b.com adduid⏎ # follow the instructions 2⏎ # the id of the new email (usually 2 if you had only one email before) primary⏎ # set the new email as primary trust⏎ 5⏎ # set ultimate trust for the new email save⏎ exit⏎
re-export and share you public key(s)
Nota
There is no need to update the backups or re-export the secret key.
Keyoxide setup#
Keyoxide is a website independent way of claiming ownership of web profiles such as DNS records, Gitea, Gitlab, Gitlab and other profiles.
If you have a look at the Keyoxide homepage you will find a list of supported services. In this example we will verify a DNS domain with Keyoxide
Vedi anche
edit you keypair. In this example we will add a DNS claim
gpg --edit-key a@b.com uid 1⏎ notation⏎ proof@ariadne.id=dns:yourdomain.org?type=TXT⏎ save⏎
export the public key: export the whole key, not subkeys
you can check the notations like this
gpg --edit-key a@b.com showpref⏎ exit⏎
get the public key fingerprint, without spaces
gpg --with-colons --keyid-format long --list-keys a@b.com
The key fingerprint corresponds to one of the
fpr
linesAdd the proof as a TXT record
openpgp4fpr:${fingerprint}
upload the public key to keys.openpgp.org
Importante
If you need to add a claim after , just add it, export the whole public key and upload it to keys.openpgp.org. There is no need to do any backups in this case.
Troubleshooting#
Problem with the agent#
If you get gpg: problem with the agent: Permission denied
while signing
append pinentry-mode loopback
to ~/.gnupg/gpg.conf
Vedi anche
18.04 - gpg: problem with the agent: Permission denied - Ask Ubuntu [3]
Footnotes