Setting up a gpg key properly requires a lot of reading. This article fully documents how I set up my gpg keys while never exposing the master secret key on an online computer.
Requirements and references
- A computer that is not connected to the network.
- A live linux distribution (I used Debian live) on a USB stick.
- USB keys for backup, and other backups if desired.
- I use GnuPG throughout.
I mostly follow the Debian wiki's page on subkeys. I comment a bit more on the offline aspect and try to be as complete as possible in all the steps that are needed. This page is intended in part as a reference for myself.
After following the steps below, you will have
- A keyring on your computer with: a public only master key and full signing and encryption sub-keys.
- Several backups of your full master keys.
- A revocation certificate for your master key, both digital and on paper.
As the live linux does not use the hard drive of the host machine, there is no risk of leaving your files on it.
Boot the live linux distribution on a computer that is not connected to the network.
Generate the key
1 (RSA and RSA), 0 (key never expires), y (to confirm your choice). Enter your real name (that is your user ID for gpg) and the email address that is associated with the ID. Select
Enter and repeat your password. Beware, if you forget this password, your key will be unusable and you cannot remove it from the key servers!
Your master key is created, note its ID. It may take some time as gpg needs some entropy from your computer activity. Doing some task on the computer should help.
Generate the subkeys
gpg --edit-key ID
addkey and your password. Select 4 (RSA, sign only), 0 (never expires) and y (to confirm your choice). Repeat y to have the key created.
In my case, gpg had generated a 4096 encryption key already. If this did not happen for you, repeat the process for an encryption key. Exit gpg and enter
y to save the changes.
Generate a revocation certificate
gpg --gen-revoke ID > revocation.ID.txt
y (to approve the generation), 0 (no reason specified), optionally enter a comment and finally confirm with y. Enter your password. The file revocation.ID.txt contains a certificate that can be used to permanently invalidate your key. It should also be kept offline! It is extremely useful to have a backup of this certificate as you cannot generate it without the password.
Make a copy of the key and of the certificate
tar cf full.gnupg.tar .gnupg
revocation.ID.txt to at least two USB sticks that you will keep safe. You may want to add a CD-R and a printout (yes, a printout: you can OCR it later in case your USB sticks fail) of the ASCII dump of the key.
Delete the secret key and import the secret subkeys only
gpg --export-secret-subkeys ID > secret_subkeys
gpg --delete-secret-key ID
gpg --import secret_subkeys
gpg will ask for confirmation before deleting your key, type
gpg -K should show your master key with a # in front, denoting the absence of the secret master key.
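The same check can be scripted on the offline machine before the keyring is copied anywhere. This is an added example, not part of the original article: it reads the machine-readable listing from gpg and fails unless the master secret key is only a stub and usable signing and encryption subkeys remain. The function name and the sample records are constructed for illustration.

```sh
#!/bin/sh
# Real use, on the offline machine after the delete/import step:
#   gpg --list-secret-keys --with-colons ID | check_offline_master
#
# Colon format: field 1 = record type, field 2 = validity,
# field 12 = capabilities, field 15 = "#" when the secret part is a stub.
# Newer gpg prints "+" in field 15 when the secret is present, older
# versions leave it empty, so only "#" is tested for.
check_offline_master() {
    awk -F: '
        $1 == "sec" { nsec++; if ($15 == "#") stub++ }
        # Count only subkeys whose secret part is present and that are
        # not revoked (r), expired (e) or invalid (i).
        $1 == "ssb" && $15 != "#" && $2 !~ /^[rei]$/ {
            if ($12 ~ /s/) sign++
            if ($12 ~ /e/) enc++
        }
        END {
            if (nsec == 0)     { print "no secret key records found"; exit 2 }
            if (stub != nsec)  { print "FAIL: master secret key is present"; exit 1 }
            if (!sign || !enc) { print "FAIL: no usable signing or encryption subkey"; exit 1 }
            print "OK: master key is a stub, signing and encryption subkeys present"
        }'
}

# Constructed sample listings (not real keys).
SAMPLE_STUB='sec:u:4096:1:AAAAAAAAAAAAAAAA:1400000000:::u:::scESC:::#:
uid:u::::1400000000::0000::Constructed User <user@example.org>:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1400000000::::::e:::+:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1400000000::::::s:::+:'

# Same keyring before --delete-secret-key: the master secret is still there.
SAMPLE_FULL='sec:u:4096:1:AAAAAAAAAAAAAAAA:1400000000:::u:::scESC:::+:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1400000000::::::e:::+:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1400000000::::::s:::+:'

printf '%s\n' "$SAMPLE_STUB" | check_offline_master
printf '%s\n' "$SAMPLE_FULL" | check_offline_master || echo "(full keyring rejected)"
```

A non-zero exit status means the keyring should not be packed into nosec.gnupg.tar yet.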
Copy the files to your computer
On the offline computer:
tar cf nosec.gnupg.tar .gnupg
cp nosec.gnupg.tar /path/to/removable/drive
On the online computer:
tar xf /path/to/removable/drive/nosec.gnupg.tar
Your online computer is now able to send signed and encrypted email (with the subkeys). You will need your master secret key to generate other subkeys or to sign other people's key.
To make your key public, send it to a key server:
gpg --keyserver hkp://pool.sks-keyservers.net --send-key ID