GPG Key Lifecycle
Introduction
Create a key with a limited lifetime.
Update that key when the time comes.
How to fix a keyring for offline master key use.
GPG Lifecycle - Initial keypair
Create a new master keypair
$ gpg --expert --full-generate-key
This command generates a new keypair while prompting for the needed input. It also creates a UID and an encryption subkey.
Select the kind of key you want: RSA and RSA
What keysize do you want? 4096
Key is valid for? 0 (key does not expire)
Real name: 5 chars or more; cannot start with a digit
Email address: needs 1 or more characters followed by @, followed by 1 or more characters
Comment: (optional) describes key use
Passphrase: complex passphrase
Create a new (expiring) signing subkey
Now we will add a new subkey that has an expiration date. This is not foolproof, but the subkey will need to be cycled every year (while the master secret key stays offline), which helps limit the damage should the secret key on the keyring be compromised.
$ gpg --edit-key user@key.com
gpg> addkey
select what kind of key you want: (4) RSA (sign only)
what keysize do you want? 4096
key is valid for? 2023-01-01
gpg> quit
save changes? y
Generate a revocation certificate for the master keypair
This can be used in case the master secret key is compromised. Store this offline.
$ gpg --generate-revocation --output user@key.com-revocation-cert.gpg user@key.com
Export master public/private keypair
This is the master public AND PRIVATE keypair. Store this offline.
$ gpg --export --armor --output user@key.com-public.gpg user@key.com
$ gpg --export-secret-keys --armor --output user@key.com-private.gpg user@key.com
Delete the master secret key
This step removes the master secret key from the keyring (located in ~/.gnupg/) so that damage can be minimized in case the keyring is compromised. The subkey will be used for the next year to do the commit/tag signing.
The master secret key was exported in the step above, so we can always reimport it (entering its complex passphrase), and indeed we will need to do so once per year to generate a new valid signing subkey.
GPG doesn’t make this particularly easy, but the following is the new ‘quick way’ of accomplishing this task. Make sure to use the keygrip of the sec key (‘Secret Key’; listed on top), which is the master keypair’s secret key used for certification purposes.
$ gpg --list-secret-keys --with-keygrip
$ gpg-connect-agent "DELETE_KEY <keygrip>" /bye
Note: Alternatively, you can remove the file directly via:
$ rm ~/.gnupg/private-keys-v1.d/<keygrip>.key
Ensure that the secret key is gone by listing the secret keys again. It will be denoted as sec# now.
$ gpg --list-secret-keys
GPG Lifecycle - Yearly updates
Every year you need to import the master keypair secret key, generate a new subkey, and then remove the master secret key again.
$ gpg --import user@key.com-private.gpg
Generate a new subkey.
$ gpg --edit-key user@key.com
gpg> addkey
select what kind of key you want: (4) RSA (sign only)
what keysize do you want? 4096
key is valid for? 2024-01-01
gpg> quit
save changes? y
Now export the keys once again to update the offline backup. The new files should overwrite the old ones; the files generated last year are no longer needed. Store these offline.
$ gpg --export --armor --output user@key.com-public.gpg user@key.com
$ gpg --export-secret-keys --armor --output user@key.com-private.gpg user@key.com
And finally remove our master secret key from the keyring (see more detailed description above).
$ gpg --list-secret-keys --with-keygrip
$ gpg-connect-agent "DELETE_KEY <keygrip>" /bye
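As an added check covering both the deletion step above and the yearly rotation (example script, not from the original page): it parses gpg's machine-readable listing (gpg --list-secret-keys --with-colons), in which a sec record carrying '#' in field 15 is the stub left behind once the master secret key is deleted, and field 7 of an ssb record is its expiry timestamp. The listing embedded in the script is constructed; the key IDs, fingerprint, keygrip and dates are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original page: verify the two conditions this
# page sets up, (1) the master secret key is only a stub (offline) and (2) the
# signing subkey has not expired, from gpg --list-secret-keys --with-colons output.
# In that format, field 15 of a sec/ssb record is '#' for a stub, field 7 is the
# expiry as a Unix timestamp (empty if the key never expires) and field 12 holds
# the capabilities (s = sign, e = encrypt, c = certify).

# Constructed sample listing (placeholder IDs/dates): master key is a stub,
# signing subkey 1122334455667788 expires 2023-01-01 (1672531200).
SAMPLE_OFFLINE='sec:u:4096:1:0123456789ABCDEF:1640995200:::u:::cSC:::#:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
grp:::::::::0000000000000000000000000000000000000000:
uid:u::::1640995200::0000000000000000000000000000000000000000::User <user@key.com>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1640995200::::::e:::+:::23:
ssb:u:4096:1:1122334455667788:1640995200:1672531200:::::s:::+:::23:'

# The same keyring before the master secret key was deleted (field 15 is '+').
SAMPLE_ONLINE=$(printf '%s\n' "$SAMPLE_OFFLINE" | sed '1s/:#:/:+:/')

# Exit 0 if every sec (master) record is a stub, i.e. the master secret key is offline.
master_key_offline() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "sec" { seen = 1; if ($15 != "#") online = 1 }
        END { exit (seen && !online) ? 0 : 1 }'
}

# Print the key ID of each signing-capable subkey whose expiry is at or before $2 (epoch seconds).
expired_signing_subkeys() {
    printf '%s\n' "$1" | awk -F: -v now="$2" '
        $1 == "ssb" && $12 ~ /s/ && $7 != "" && $7 + 0 <= now + 0 { print $5 }'
}

# Wrapper for a live keyring (needs gpg installed; not run in this demonstration).
check_live_keyring() {
    listing=$(gpg --list-secret-keys --with-colons) || return 2
    master_key_offline "$listing" || { echo "master secret key is still on the keyring"; return 1; }
    expired=$(expired_signing_subkeys "$listing" "$(date +%s)")
    [ -z "$expired" ] || { echo "expired signing subkey(s): $expired"; return 1; }
    echo "ok: master key offline, signing subkey valid"
}

# Demonstrate on the constructed sample as of 2023-06-01 (1685577600): the
# master key is reported offline and the yearly rotation is overdue.
master_key_offline "$SAMPLE_OFFLINE" && echo "sample: master key offline"
echo "sample: expired signing subkeys: $(expired_signing_subkeys "$SAMPLE_OFFLINE" 1685577600)"
```

Run check_live_keyring after the deletion step and again before each yearly rotation; a non-zero exit tells you which of the two conditions failed.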
GPG Lifecycle - Import a public key
Obtain the public key from a trusted source. Then import it to your keyring.
$ gpg --import user@key.com-public.gpg
Now that the public key is in your GPG keyring you can verify signatures.