GnuPG Notes

temporarily change keystore location

Useful for testing and for offline keys. Use a live CD for offline keys! Tails brings all you need in a live CD.

export GNUPGHOME=/save/location

some default preferences

cat >>~/.gnupg/gpg.conf <<EOF
personal-digest-preferences SHA512
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
EOF
  • hashing algorithms
  • disable version display
  • set default policy url for signing

key generation

My recommendation:

gpg --expert --gen-key # for master key
gpg --expert --edit-key $KEYID
gpg> addkey # repeat for all subkeys
gpg> quit
gpg --output $KEYID-revocation-cert.gpg --gen-revoke $KEYID
gpg --quiet --batch --yes --output $KEYID-secret-subkeys.gpg --export-secret-subkeys $KEYID
gpg --quiet --batch --yes --output $KEYID-secret-master-key.gpg --export-secret-keys $KEYID
gpg --quiet --batch --yes --output $KEYID-public.gpg --export $KEYID
  • master key: capability certify (= for signing keys)
  • separate subkeys for each other capability
  • set an expiration date on the master key and the subkeys. Remind yourself to rotate subkeys and move the master key expiration date before it expires. I find 6 months to 1 year a reasonable span.

regular keyring: import only subkeys

gpg --import $KEYID-public.gpg $KEYID-secret-subkeys.gpg

when signing, specify signing policy

gpg --ask-cert-level --cert-policy-url "$POLICY_URL" --sign-key ABCDABCD # POLICY_URL is a placeholder for the URL of your signing policy

key transition statement


RSA 8192 bit keys

You don't really ever need a larger key than 4096. If there are serious advances in breaking 2048+ bit RSA keys, they will go against all keysizes.

GnuPG no longer allows you to create larger keys. In previous versions, the batch mode allowed keys up to 8192 bit:

gpg --batch --gen-key <<EOF
Key-Type: RSA
Key-Length: 8192
Key-Usage: cert
Name-Real: ME
Name-Email: EMAIL
Passphrase: PASSWORD
EOF

Offline Key Storage

This section is for paranoid people only :)

You can split your secret master key into several parts to store them in different locations. This example uses Shamir's Secret Sharing. We are creating 3 parts of which you only need 2 in order to recover your key. You can change the parameters for your own needs. (ssss-split and gfsplit are already installed in Tails)

Splitting the Passphrase

$ ssss-split -t 2 -n 3 -w name_me

Type your password and hit enter. The output should look like the following:


Recovering the Passphrase

$ ssss-combine -t 2

Enter 2 shares separated by newlines:

Share [1/2]: name_me-1-ef3e98de26ce8400
Share [2/2]: name_me-2-808d8e0fc8779375

The output should look like the following:

Resulting secret: P@ssw0rd

Splitting the Key

$ gfsplit -n 2 -m 3 secretKeyFile 
$ ls

The output should look like the following:

secretKeyFile secretKeyFile.050 secretKeyFile.179 secretKeyFile.193

Recovering the Key

$ gfcombine secretKeyFile.050 secretKeyFile.179 	

Done. Your key file should be recovered.
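What the 2-of-3 split above does, as an added Python example (not code from these notes, and not the ssss or gfsplit implementation): Shamir's scheme applied byte by byte over GF(2^8). The function names and the share layout are assumptions of this example, and its shares are not interchangeable with ssss or gfsplit output.

```python
# Added illustration (not ssss/gfsplit code or share format): Shamir k-of-n over GF(2^8).
import secrets

def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the polynomial x^8+x^4+x^3+x+1 (0x11B)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def gf_inv(a: int) -> int:
    """Inverse via a^254 (the multiplicative group has order 255)."""
    r = 1
    for _ in range(254):
        r = gf_mul(r, a)
    return r

def split(secret: bytes, threshold: int, shares: int) -> dict:
    """Return {x: share_bytes}; any `threshold` of them recover the secret."""
    if not 2 <= threshold <= shares <= 255:
        raise ValueError("need 2 <= threshold <= shares <= 255")
    out = {x: bytearray() for x in range(1, shares + 1)}
    for byte in secret:
        # Random polynomial of degree threshold-1 whose constant term is the secret byte.
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(threshold - 1)]
        for x in out:
            y = 0
            for c in reversed(coeffs):  # Horner evaluation at x
                y = gf_mul(y, x) ^ c
            out[x].append(y)
    return {x: bytes(s) for x, s in out.items()}

def combine(parts: dict) -> bytes:
    """Lagrange-interpolate every byte position at x = 0."""
    secret = bytearray(len(next(iter(parts.values()))))
    for xi, share in parts.items():
        # Weight l_i(0) = prod_{j != i} x_j / (x_j - x_i); subtraction is XOR here.
        w = 1
        for xj in parts:
            if xj != xi:
                w = gf_mul(w, gf_mul(xj, gf_inv(xj ^ xi)))
        for pos in range(len(secret)):
            secret[pos] ^= gf_mul(share[pos], w)
    return bytes(secret)
```

With `shares = split(b"P@ssw0rd", 2, 3)`, passing any two entries of `shares` to `combine` returns the passphrase, which is why each share can live in a different location.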



sudo apt-get install pcscd gpgsm


gpg --card-status
gpg --change-pin
gpg --card-edit

Generate Subkeys on Smartcard

You don't actually want to do that because you will not have a backup, except maybe for authentication subkeys.

gpg --edit-key $KEYID
gpg> addcardkey

Move Subkeys to Smartcard

Make a local copy first, as the subkey will be transferred to the card and the local copy rendered unusable.

gpg -a --export-secret-keys $KEYID > $KEYID.key.asc

gpg --edit-key $KEYID
gpg> toggle
gpg> key 1 # select encryption subkey
gpg> keytocard
gpg> key 2 # select signature subkey
gpg> keytocard
gpg> save

Authenticate to a SSH server with GPG Smartcard

Make an Authentication Subkey on the Smartcard

gpg --edit-key $KEYID
gpg> addcardkey

Then choose option 3. Enter passphrase and key when queried.

Put the following in a text file, make sure it is run every time your Desktop environment or window manager starts up:

gpg-agent --daemon --enable-ssh-support > ~/.gnupg/gpg-agent.env
source ~/.gnupg/gpg-agent.env

Log out of and into your Desktop environment.

Check if it is working

ssh-add -l

Copy the public key over to the server

gpgkey2ssh $AUTHSUBKEY > authorized_keys
scp authorized_keys user@server:~/.ssh/authorized_keys # overwrites any existing authorized_keys on the server

Or, alternatively, use ssh-copy-id

ssh-copy-id user@server

Now when you ssh into this box ssh should ask for your PIN instead of your passphrase.