I wrote about PGP a while ago and showed how to generate a key. Since then I’ve managed to do what you should never, ever do: forget your key’s passphrase. And I didn’t generate a revocation cert to boot. So I was screwed and had to generate a new one. Forunately not many, and by “not many” I mean zero, people were using that public key which I had uploaded to public keyservers.
I generated a new one and spent a lot of time reading about PGP best practices. Here’s what I learned.
How to Generate Strong Keys and Secure Them
- Use GnuPG version >= 1.4 to make it easier to generate and manage keys
- You can
brew install gpg2on a Mac
- You can
- Append the following to
~/.gnupg/gpg.conf(or whatever the latest strongest encryption algorithms are):
1 2 3
- Choose 1 at this prompt
1 2 3 4 5
- Set an expiration date of at most two years (you can always extend it)
- Set a strong passphrase that you’ll remember!
- Use the maximum number of bits for your key
- Generate revocation cert(s)
gpg --gen-revoke <key id>key id can be the portion of the fingerprint you see in
gpg --list-keysor the uid if it’s unique
- Use subkeys for encryption (this is automatically done if you choose 1 above) and another for
signing. The following was copied from the Debian wiki.
- Here’s the best paragraph from that wiki page:
You should keep your private master key very, very safe. However, keeping all your keys extremely safe is inconvenient: every time you need to sign a new package upload, you need to copy the packages onto suitable portable media, go into your sub-basement, prove to the armed guards that you’re you by using several methods of biometric and other identification, go through a deadly maze, feed the guard dogs the right kind of meat, and then finally open the safe, get out the signing laptop, and sign the packages. Then do the reverse to get back up to your Internet connection for uploading the packages.
gpg --edit-key <your master key id>
- At the prompt, enter
- Enter passphrase
- Choose the “RSA (sign only)” key type and pick the maximum bits
- Choose an expiry date
- Backup the
~/.gnupgdirectory and store it somewhere secure and offline. Do this before deleting the private master key in the next step.
gpg --export-secret-key <your master key id> | gpg --list-packetsdoes not show
gnu-dummy 52K, algo: 0, .... This means your private master key is there.
gpg --export-secret-subkeys <your master key id> > secret-subkeys
gpg --delete-secret-key <your master key id>
gpg --import secret-subkeys
- Verify that
gpg -Kshows a “sec#” instead of just “sec” for your private key. That means the secret key is not really there. You can see the presence of a dummy OpenPGP packet if you run
gpg --export-secret-key <your master key id> | gpg --list-packets.
gpg --keyserver some.keyserver.com --send-keys <your master key id>to publish it to the world
How to Revoke
If you ever need to revoke your keys,
How to Sign Other People’s keys
Sign their key with a certain level of trust.
Export the signed key and email it back to the signee.
The signee needs to import the signed key
and send your certification to the keyserver.
Recipients decrypt with
gpg -u email@example.com --output msg --decrypt msg.asc.
Recipients verify with
gpg --verify msg.sig msg. They should see “Good signature from…”