It is recommanded to have one master key to create subkeys that will eventually be used to sign or encrypt. Of course the master key need to be safely stored offline to avoid loss or theft/impersonation.
GnuPG is used in this tip.
The master key will only be able to create other keys.
gpg --expert --full-generate-key
Then answer some questions:
gpg (GnuPG) 2.2.23; Copyright (C) 2020 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(7) DSA (set your own capabilities)
-> (8) RSA (set your own capabilities)
(9) ECC and ECC
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(13) Existing key
(14) Existing key from card
Your selection? 8
Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Sign Certify Encrypt
-> (S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? S
Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Certify Encrypt
(S) Toggle the sign capability
-> (E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? E
Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Certify
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
-> (Q) Finished
Your selection? Q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
-> Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
-> Key is valid for? (0) 5y
Key expires at Wed Nov 12 10:26:22 2025 CET
-> Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
-> Real name: Your Name
-> Email address: your@mail.local
Comment:
You selected this USER-ID:
"Your Name <your@mail.local>"
-> Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 9581D2989F065B44 marked as ultimately trusted
gpg: revocation certificate stored as '/home/xxxx/.gnupg/openpgp-revocs.d/E938C880E3CA54814E1C93629581D2989F065B44.rev'
public and secret key created and signed.
pub rsa4096 2020-11-13 [C] [expires: 2025-11-12]
E938C880E3CA54814E1C93629581D2989F065B44
uid Your Name <your@mail.local>
The subkey will only be able to sign/encrypt.
gpg --expert --edit-key your@mail.local
Then add a key:
addkey
And answer some questions: the same as above except that:
Export the master key:
gpg --armor --export-secret-key $MASTERKEYID > masterkey_$MASTERKEYID.sec
And its public key:
gpg --armor --export $MASTERKEYID > masterkey_$MASTERKEYID.asc
And the revocation key:
gpg --gen-revoke $MASTERKEYID > masterkey_$MASTERKEYID.rev
or simply
/home/xxxx/.gnupg/openpgp-revocs.d/$MASTERKEYID.rev masterkey_$MASTERKEYID.rev
Export the subkey:
gpg --armor --export-secret-subkeys $SUBKEYID > subkey_$SUBKEYID.sec
The master key needs to be backuped on an offline storage. So put masterkey_$MASTERKEYID.sec somewhere secure.
The revocation key of the master key needs to be stored somewhere else. It’s probably better to store it offline too.
Now that we have backuped the master key, it can be deleted from your GnuPG store. It’s indeed a security risk to keep it online.
gpg --delete-secret-keys $MASTERKEYID
gpg --delete-keys $MASTERKEYID
Your GnuPG store should be empty:
gpg --list-keys
The previous commands removed everything, we need to reimport the subkey:
gpg --import < $SUBKEYID.sec
You’ll need to trust it:
gpg --expert --edit-key your@mail.local
Then enter:
> trust
> ultimate
To check it’s ok:
gpg -K
You should see a “#” next to the master key:
11:00:10 titou@trooper ~/gpg$ gpg -K
sec# rsa4096 2020-11-13 [C] [expire : 2025-11-12]
E938C880E3CA54814E1C93629581D2989F065B44
uid [ ultime ] Your Name <your@mail.local>
ssb rsa4096 2020-11-13 [SE] [expire : 2025-11-12]
This means that there is a known chain but the content are not available.
The password can be updated and be different from the one stored with the master key:
gpg --expert --edit-key your@mail.local
Then enter:
> password
Now you can public your master public key to a PKI server like https://keys.openpgp.org/.
And you can sign / encrypt documents.
Remove files you won’t need:
rm -f \
masterkey_$MASTERKEYID.sec \
/home/xxxx/.gnupg/openpgp-revocs.d/$MASTERKEYID.rev masterkey_$MASTERKEYID.rev \