Notes / Generating OpenPGP Keys

(This was originally on my old website, I have resurrected it here.)

We look at what makes up OpenPGP keys, and how to properly generate them with GnuPG.

Key structure

A key pair consists of a public key and a private key.

An OpenPGP key consists of a primary key pair and zero or more subkey pairs, as well as associated metadata.

OpenPGP key {
    primary key pair {
        public
        private
    }
    subkey {
        public
        private
    }
    subkey {
        public
        private
    }
    ...
    metadata
}

A key can have the following roles (non-exclusive); GnuPG prints them as capability flags:

  C  certify: sign other people's keys and bind subkeys and user IDs to this key
  S  sign data
  E  encrypt (receive encrypted data)
  A  authenticate (e.g. SSH login)

A primary key must be able to certify.

Subkeys are bound to the primary key pair by a certification (binding signature) made with the primary private key, so anyone who trusts the primary key can trust the subkeys it has certified.

Generating keys

We should do this in a secure environment, e.g. an air-gapped machine booted from Tails.

An overview of what we will do:

  1. Generate an RSA primary key pair that can only certify.
  2. Add subkeys for encryption, authentication, and signing.
  3. Backup keys and generate a revocation certificate.
  4. Remove the primary private key.

The rationale: the primary private key is the one that carries the trust other people have placed in us (their signatures are on it), so it stays offline. Day-to-day work uses only the subkeys. If a subkey is compromised, we revoke just that subkey with the primary key and issue a new one, without losing the trust the primary key has built up. Note the revocation certificate generated in step 3 revokes the primary key, and with it everything under it; to revoke an individual subkey use revkey under --edit-key instead.

Generate

The state of the keyring is

~ $ gpg --list-key
/home/x/.gnupg/pubring.gpg
--------------------------
pub   2048R/EB73C2D1 2016-06-25
uid                  First Last 

~ $ gpg --list-secret-key
/home/x/.gnupg/secring.gpg
--------------------------
sec   2048R/EB73C2D1 2016-06-25
uid                  First Last 

Add subkeys

The state of the keyring is

~ $ gpg --list-key
/home/x/.gnupg/pubring.gpg
--------------------------
pub   2048R/EB73C2D1 2016-06-25
uid                  First Last 
sub   2048R/FEDFA9E8 2016-06-25
sub   2048R/386F33A1 2016-06-25
sub   2048R/DD7B67AE 2016-06-25

~ $ gpg --list-secret-key
/home/x/.gnupg/secring.gpg
--------------------------
sec   2048R/EB73C2D1 2016-06-25
uid                  First Last 
ssb   2048R/FEDFA9E8 2016-06-25
ssb   2048R/386F33A1 2016-06-25
ssb   2048R/DD7B67AE 2016-06-25

Backup and revocation certificate

Remove primary private key

The state of the keyring is

~ $ gpg --list-keys
/home/x/.gnupg/pubring.gpg
--------------------------
pub   2048R/EB73C2D1 2016-06-25
uid                  First Last 
sub   2048R/FEDFA9E8 2016-06-25
sub   2048R/386F33A1 2016-06-25
sub   2048R/DD7B67AE 2016-06-25

~ $ gpg --list-secret-keys
/home/x/.gnupg/secring.gpg
--------------------------
sec#  2048R/EB73C2D1 2016-06-25
uid                  First Last 
ssb   2048R/FEDFA9E8 2016-06-25
ssb   2048R/386F33A1 2016-06-25
ssb   2048R/DD7B67AE 2016-06-25
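The # after sec marks the primary secret key as a stub: the public part and the subkeys' secret parts are still in the keyring, but the primary private key itself is gone and lives only in the backup. The four steps above, run end to end non-interactively, as an added example that is not part of the original notes. It assumes GnuPG 2.1 or later (the --quick-* commands, the per-keygrip secret key store and the automatically written revocation certificate do not exist in the 1.4/2.0 keyring shown above), a throwaway GNUPGHOME, an illustrative user id and an empty passphrase; for a real key use a passphrase and an air-gapped machine.

```shell
#!/bin/sh
# Added example, not from the original notes: certify-only primary key,
# three subkeys, backups + revocation certificate, then remove the primary
# secret key. Requires GnuPG >= 2.1. All names and values below are assumed.
set -eu

export GNUPGHOME="${GNUPGHOME_EXAMPLE:-$(mktemp -d)}"   # assumed scratch keyring
chmod 700 "$GNUPGHOME"
USERID="First Last <first.last@example.invalid>"        # assumed user id
BACKUP="$GNUPGHOME/backup"                              # assumed backup dir

# Every gpg call is batch; the empty passphrase keeps the agent from prompting
# (illustrative only; a real key must be passphrase-protected).
g() { gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }

# Field 15 of the sec record is "#" when the primary secret key is a stub
# (what --list-secret-keys shows as "sec#"); otherwise the key is present.
primary_secret_flag() {
    gpg --batch --with-colons --list-secret-keys "$1" \
        | awk -F: '$1=="sec"{print $15; exit}'
}

# Number of subkeys whose secret part is still usable after the removal.
usable_subkeys() {
    gpg --batch --with-colons --list-secret-keys "$1" \
        | awk -F: '$1=="ssb" && $15!="#"{n++} END{print n+0}'
}

main() {
    # 1. Primary key that can only certify ("cert" usage, no expiry).
    g --quick-gen-key "$USERID" rsa2048 cert never
    FPR=$(gpg --batch --with-colons --list-keys "$USERID" \
          | awk -F: '$1=="fpr"{print $10; exit}')

    # 2. One subkey each for signing, encryption and authentication,
    #    each expiring after a year (renewable with the offline primary key).
    for usage in sign encr auth; do
        g --quick-add-key "$FPR" rsa2048 "$usage" 1y
    done

    # 3. Backups: public key, full secret key (primary + subkeys), subkeys
    #    only, and the revocation certificate gpg >= 2.1 writes automatically
    #    at key generation. Move $BACKUP to offline media afterwards.
    mkdir -p "$BACKUP"
    g --armor --export "$FPR"                > "$BACKUP/public.asc"
    g --armor --export-secret-keys "$FPR"    > "$BACKUP/secret-full.asc"
    g --armor --export-secret-subkeys "$FPR" > "$BACKUP/secret-subkeys.asc"
    cp "$GNUPGHOME/openpgp-revocs.d/$FPR.rev" "$BACKUP/revoke.asc"

    # 4. Remove only the primary secret key. gpg >= 2.1 keeps each secret key
    #    in private-keys-v1.d/<keygrip>.key; the first grp record in the
    #    listing belongs to the primary key, so deleting that file leaves the
    #    three subkeys usable and turns "sec" into "sec#".
    GRIP=$(gpg --batch --with-colons --with-keygrip --list-secret-keys "$FPR" \
           | awk -F: '$1=="grp"{print $10; exit}')
    rm "$GNUPGHOME/private-keys-v1.d/$GRIP.key"

    gpg --batch --list-secret-keys "$FPR"   # shows sec# followed by three ssb
}

# Run the procedure when gpg is installed; the functions above stay
# available for checking the resulting keyring state.
if command -v gpg >/dev/null 2>&1; then
    main
fi
```

When you are done with the scratch keyring, stop its agent with gpgconf --kill gpg-agent and wipe the directory; the copy that matters is the one in the backup directory, which belongs on offline storage.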