Pierre de Buyl's homepage

Set up gpg keys offline

Setting up properly a gpg key requires a lot of reading. This article documents fully how I set up my gpg keys while never exposing the master secret key on a online computer.

Requirements and references

  • A computer that is not connected to the network.
  • A live linux distribution (I used Debian live) on a USB stick.
  • USB keys for backup, and other backups if desired.
  • I use GnuPG throughout.

I mostly follow the Debian wiki's page on subkeys. I comment a bit more on the offline aspect and try to be as complete as possible in all the steps that are needed. This page is intended in part as a reference for myself.


After following the steps below, you will have

  1. A keyring on your computer with: a public only master key and full signing and encryption sub-keys.
  2. Several backups of your full master keys.
  3. A revocation certificate for your master key, both digital and on paper.

As the live linux does not use the hard drive of the host machine, there is no risk of leaving your files on it.


  1. Boot the live linux distribution on a computer that is not connected to the network.

  2. Generate the key

    gpg --gen-key

    Select 1 (RSA and RSA), 4096 (keysize), 0 (key never expires), y (to confirm your choice). Enter your real name (that is your user ID for gpg) and the email address that is associated with the ID. Select O for Okay.

    Enter and repeat your password. Beware, if you forget this password, your key will be unusable and you cannot remove it from the key servers!

    Your master key is created, note its ID. It may take some time as gpg needs some entropy from your computer activity. Doing some task on the computer should help.

  3. Generate the subkeys

    gpg --edit-key ID

    Enter addkey and your password. Select 4 (RSA, sign only), 2048 (keysize), 0 (never expires) and y (to confirm your choice). Repeat y to have the key created.

    In my case, gpg had generated a 4096 encryption key already. If this did not happen for you, repeat the process for an encryption key. Exit gpg and enter y to save the changes.

  4. Generate a revocation certificate

    gpg --gen-revoke ID > revocation.ID.txt

    Enter y (to approve the generation), 0 (no reason specified), optionally enter a comment and finally confirm with y. Enter your password. The file revocation.ID.txt contains a key that can be used to invalidate permanently your key. It should also be kept offline! It is extremely useful to have a backup of this certificate as you cannot generate it without the password.

  5. Make a copy of the key and of the certificate

    tar cf full.gnupg.tar .gnupg

    Copy full.gnupg.tar and revocation.ID.txt to at least two USB sticks that you will keep safe. You may want to add a CD-R and a print (yes print, you can OCR it later in case your USB sticks suffered) of the ASCII dump of the key.

  6. Delete the secret key and import the secret subkeys only

    gpg --export-secret-subkeys ID > secret_subkeys
    gpg --delete-secret-key ID
    gpg --import secret_subkeys

gpg will ask for confirmation before deleting your key, type y. Issuing gpg -K should show your master key with a # in front, denoting the absence of the secret master key.

  1. Copy the files to your computer

    On the offline computer:

    tar cf nosec.gnupg.tar .gnupg
    cp nosec.gnupg.tar /path/to/removable/drive

    On the online computer:

    tar xf /path/to/removable/drive/nosec.gnupg.tar

    Your online computer is now able to send signed and encrypted email (with the subkeys). You will need your master secret key to generate other subkeys or to sign other people's key.

    To make your key public, send them to a key server

    gpg --keyserver hkp://pool.sks-keyservers.net --send-key ID

Comments !

Generated with Pelican. Theme based on MIT-licensed Skeleton.