Generate Keys
I usually create one master key with three subkeys, each with its own capability, so after these steps you will have the following files:
- Master Key
- Subkeys File
- Public Key
- Revocation Certificate
- Backup of trustdb (ownertrust)
GnuPG has an interactive mode for creating keys. I recommend using it if you are
new to all of this. You can get it via the command gpg --expert --full-generate-key.
I won't cover this mode here, but you can find some awesome articles, which I've
referenced in the credits section of the introduction to this part.
Keep in mind that everything here should be done in the secure environment.
Do not wonder about the amnesia part in some paths in the next sections:
amnesia is the default user in Tails.
Generate Master Key
The master key will be protected with a passphrase. You should pick a strong one.
$ gpg --batch --passphrase "<PASSPHRASE>" --quick-generate-key "Your Name <your.name@example.com>" ed25519 cert 2y
gpg: key 0x0D24A12216EC4F47 marked as ultimately trusted
gpg: directory '/home/amnesia/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/amnesia/.gnupg/openpgp-revocs.d/CF30FE521A3D8B7BDBC8BDB60D24A12216EC4F47.rev'
The last three arguments might need some explanation:
- ed25519 refers to Curve25519, so I'm using ECC instead of RSA
- cert is the capability of the key and means "certification"
- 2y means 2 years, which is the validity of the key
In the output you can see that the revocation certificate was generated as well. This is not the case for older versions of GnuPG, where you have to generate it manually.
You'll need the fingerprint of the newly generated master key to be able to add the subkeys. The following command prints it: the first part of the output is the fingerprint, followed by the user id.
$ gpg --list-options show-only-fpr-mbox --list-secret-keys
CF30FE521A3D8B7BDBC8BDB60D24A12216EC4F47 your.name@example.com
In the example above the fingerprint is CF30FE521A3D8B7BDBC8BDB60D24A12216EC4F47.
Add Subkeys
The next three commands will add the subkeys for signing, authentication, and
encryption. Note that the algorithm cv25519 is used for encryption: Ed25519 is a
signature scheme, while cv25519 (X25519) is the key-agreement variant of the same
curve, which is what encryption needs.
$ gpg --batch --pinentry-mode loopback --passphrase "<PASSPHRASE>" --quick-add-key <FINGERPRINT> ed25519 sign 2y
$ gpg --batch --pinentry-mode loopback --passphrase "<PASSPHRASE>" --quick-add-key <FINGERPRINT> ed25519 auth 2y
$ gpg --batch --pinentry-mode loopback --passphrase "<PASSPHRASE>" --quick-add-key <FINGERPRINT> cv25519 encrypt 2y
Listing the secret keys should now look like this:
$ gpg --list-secret-keys
/home/amnesia/.gnupg/pubring.kbx
--------------------------------
sec ed25519/0x0D24A12216EC4F47 2020-01-21 [C] [expires: 2022-01-20]
Key fingerprint = CF30 FE52 1A3D 8B7B DBC8 BDB6 0D24 A122 16EC 4F47
uid [ultimate] Your Name <your.name@example.com>
ssb ed25519/0x75F08B9921FBD174 2020-01-21 [S] [expires: 2022-01-20]
ssb ed25519/0x2E09AC27FDCEA205 2020-01-21 [A] [expires: 2022-01-20]
ssb cv25519/0x563B096829D1FB28 2020-01-21 [E] [expires: 2022-01-20]
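Before backing anything up it is worth checking that the listing really has the shape built above: a certify-only primary key and exactly one signing, one authentication and one encryption subkey, all with an expiry. The following POSIX shell function is an added example and not part of the original article. It parses the human-readable layout shown above, where the capability flags are the fourth column of the sec/ssb lines; that layout (and the 0xlong key ID format) is an assumption about your GnuPG version and locale. The sample_listing function reproduces the listing above as constructed test input.

```shell
# Added example, not from the original article: verify the key layout of a
# `gpg --list-secret-keys` listing before backing anything up.

# sample_listing prints the listing from the article (constructed test input;
# the key IDs and dates are the ones shown there).
sample_listing() {
    cat <<'EOF'
/home/amnesia/.gnupg/pubring.kbx
--------------------------------
sec   ed25519/0x0D24A12216EC4F47 2020-01-21 [C] [expires: 2022-01-20]
      Key fingerprint = CF30 FE52 1A3D 8B7B DBC8 BDB6 0D24 A122 16EC 4F47
uid                   [ultimate] Your Name <your.name@example.com>
ssb   ed25519/0x75F08B9921FBD174 2020-01-21 [S] [expires: 2022-01-20]
ssb   ed25519/0x2E09AC27FDCEA205 2020-01-21 [A] [expires: 2022-01-20]
ssb   cv25519/0x563B096829D1FB28 2020-01-21 [E] [expires: 2022-01-20]
EOF
}

# check_key_layout reads a listing on stdin and returns 0 only when it has the
# shape built in this article: exactly one primary key that is certify-only
# ([C]), exactly one [S], one [A] and one [E] subkey, the [E] subkey on
# cv25519, and an expiry on every key. Assumes the human-readable layout shown
# above, where the capability flags are the fourth whitespace-separated column.
check_key_layout() {
    awk '
        $1 == "sec" {
            nsec++
            if ($4 != "[C]") { print "primary key is not certify-only: " $4; fail = 1 }
            if ($0 !~ /\[expires:/) { print "primary key has no expiry"; fail = 1 }
        }
        $1 == "ssb" {
            caps[$4]++
            if ($0 !~ /\[expires:/) { print "subkey " $2 " has no expiry"; fail = 1 }
            if ($4 == "[E]" && $2 !~ /^cv25519\//) { print "encryption subkey is not cv25519: " $2; fail = 1 }
        }
        END {
            if (nsec != 1) { print "expected exactly one primary key, found " nsec + 0; fail = 1 }
            split("[S] [A] [E]", want, " ")
            for (i in want)
                if (caps[want[i]] != 1) { print "expected exactly one " want[i] " subkey, found " caps[want[i]] + 0; fail = 1 }
            for (c in caps)
                if (c != "[S]" && c != "[A]" && c != "[E]") { print "unexpected subkey capability " c; fail = 1 }
            exit fail + 0
        }'
}

# Against the real keyring run:  gpg --list-secret-keys | check_key_layout
# With --self-test the constructed sample listing is checked instead.
if [ "${1:-}" = "--self-test" ]; then
    sample_listing | check_key_layout && echo "sample listing OK"
fi
```

Source the file and pipe the real listing into check_key_layout; it prints one line per problem and exits non-zero, so it can gate the rest of a backup script.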
Backup Keys
Now it is time to plug in the USB flash drive that should be used to store the master key and a backup of all the other keys. Mount it if the system hasn't done it automatically.
I usually create a directory on that flash drive named after the fingerprint.
$ mkdir /path/to/drive/<FINGERPRINT>
GnuPG should have created a revocation certificate automatically when the master
key was generated. Usually this is written to ~/.gnupg/openpgp-revocs.d/<FINGERPRINT>.rev.
Copy it over to the flash drive:
$ cp ~/.gnupg/openpgp-revocs.d/<FINGERPRINT>.rev /path/to/drive/<FINGERPRINT>/revocation-certificate.rev
Now export the public key, master key and the subkeys. You will have to enter the passphrase when exporting the master key and the subkeys.
$ gpg --export --armor --output /path/to/drive/<FINGERPRINT>/public.asc <FINGERPRINT>
$ gpg --export-secret-keys --armor --output /path/to/drive/<FINGERPRINT>/private.asc <FINGERPRINT>
$ gpg --export-secret-subkeys --armor --output /path/to/drive/<FINGERPRINT>/subkeys.private.asc <FINGERPRINT>
Following the example from the previous sections with the fingerprint
CF30FE521A3D8B7BDBC8BDB60D24A12216EC4F47, you should now have these files on
your flash drive.
$ ls -1 /media/amnesia/USBDRIVE/CF30FE521A3D8B7BDBC8BDB60D24A12216EC4F47/
private.asc
public.asc
revocation-certificate.rev
subkeys.private.asc
You can now unmount the flash drive and keep it in a secure place. Since it contains the master key, you should only attach this flash drive in your secure environment.
Copy Public Key, Subkeys and Ownertrust
For now you have everything in your secure environment and on the USB flash drive that should not be attached to your regular system.
To be able to use the keys you've created so far, you have to copy the public key, the subkeys and a backup of the trustdb (ownertrust) to another flash drive.
If you like you can create a directory named after the fingerprint on that flash drive too.
$ mkdir /path/to/drive/<FINGERPRINT>
Now export the public key, the subkeys and the backup of the trustdb. You will also be asked for the passphrase again.
$ gpg --export --armor --output /path/to/drive/<FINGERPRINT>/public.asc <FINGERPRINT>
$ gpg --export-secret-subkeys --armor --output /path/to/drive/<FINGERPRINT>/subkeys.private.asc <FINGERPRINT>
$ gpg --export-ownertrust > /path/to/drive/<FINGERPRINT>/otrust.txt
Technically the backup of the trustdb (ownertrust) is not scoped to the fingerprint. Since I erase this flash drive as soon as I've imported the keys on my regular system, I didn't care about the structure.
The flash drive should now contain these three files:
- otrust.txt
- public.asc
- subkeys.private.asc
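The two drives are easy to mix up, and the one that leaves the secure environment must never carry the master key. The following POSIX shell functions are an added example and not part of the original article: verify_master_backup checks the four-file layout from the Backup Keys section and verify_transfer_drive checks the three-file layout above and refuses a drive that also holds private.asc. They only inspect file names and armor headers (the strings gpg --armor writes, and the <FINGERPRINT>:<level>: lines gpg --export-ownertrust writes), not the key material itself. make_sample_drives builds constructed fixtures with placeholder bodies so the checks can be exercised without real keys.

```shell
# Added example, not from the original article: sanity checks for the two
# flash drives before you leave the secure environment. File names and
# directory layout follow the article; the armor header strings are the
# ones gpg --armor writes.

PRIV_HDR='BEGIN PGP PRIVATE KEY BLOCK'
PUB_HDR='BEGIN PGP PUBLIC KEY BLOCK'

# is_fingerprint STRING -> 0 if STRING is a 40-digit hex fingerprint
is_fingerprint() {
    printf '%s\n' "$1" | grep -Eq '^[0-9A-F]{40}$'
}

# armored_as FILE HEADER -> 0 if FILE is non-empty and contains HEADER.
# Matched as a substring because GnuPG puts a ':' in front of the first
# dashes of a .rev file so that it cannot be imported by accident.
armored_as() {
    [ -s "$1" ] && grep -q "$2" "$1"
}

# verify_master_backup DIR -> 0 if DIR (named after the fingerprint) holds
# exactly the four files from the Backup Keys section, each of the right kind.
verify_master_backup() {
    dir=$1
    is_fingerprint "$(basename "$dir")" || { echo "directory is not named after a fingerprint: $dir"; return 1; }
    set -- "$dir"/*
    [ $# -eq 4 ] || { echo "expected exactly 4 files in $dir, found $#"; return 1; }
    armored_as "$dir/private.asc" "$PRIV_HDR" || { echo "private.asc (master key) missing or not armored"; return 1; }
    armored_as "$dir/subkeys.private.asc" "$PRIV_HDR" || { echo "subkeys.private.asc missing or not armored"; return 1; }
    armored_as "$dir/public.asc" "$PUB_HDR" || { echo "public.asc missing or not armored"; return 1; }
    armored_as "$dir/revocation-certificate.rev" "$PUB_HDR" || { echo "revocation-certificate.rev missing or not armored"; return 1; }
    return 0
}

# verify_transfer_drive DIR -> 0 if DIR holds what the regular system needs
# (public key, subkeys, ownertrust) and, above all, no master key export.
verify_transfer_drive() {
    dir=$1
    [ ! -e "$dir/private.asc" ] || { echo "private.asc (master key) must not be on this drive"; return 1; }
    armored_as "$dir/subkeys.private.asc" "$PRIV_HDR" || { echo "subkeys.private.asc missing or not armored"; return 1; }
    armored_as "$dir/public.asc" "$PUB_HDR" || { echo "public.asc missing or not armored"; return 1; }
    # gpg --export-ownertrust writes '#' comment lines plus <FINGERPRINT>:<level>: entries
    [ -s "$dir/otrust.txt" ] && grep -Eq '^[0-9A-F]{40}:[0-9]+:$' "$dir/otrust.txt" \
        || { echo "otrust.txt missing or has no trust entry"; return 1; }
    return 0
}

# make_sample_drives ROOT creates constructed fixtures for both drives under
# ROOT, using the fingerprint from the article. The armor bodies are
# placeholders, not key material; they exist only to exercise the checks.
make_sample_drives() {
    fpr=CF30FE521A3D8B7BDBC8BDB60D24A12216EC4F47
    m="$1/master/$fpr"
    t="$1/transfer/$fpr"
    mkdir -p "$m" "$t"
    for f in "$m/private.asc" "$m/subkeys.private.asc" "$t/subkeys.private.asc"; do
        printf '%s\n' "-----$PRIV_HDR-----" "PLACEHOLDER" "-----END PGP PRIVATE KEY BLOCK-----" > "$f"
    done
    for f in "$m/public.asc" "$t/public.asc"; do
        printf '%s\n' "-----$PUB_HDR-----" "PLACEHOLDER" "-----END PGP PUBLIC KEY BLOCK-----" > "$f"
    done
    printf '%s\n' ":-----$PUB_HDR-----" "Comment: This is a revocation certificate" "PLACEHOLDER" > "$m/revocation-certificate.rev"
    printf '%s\n' "# List of assigned trustvalues" "$fpr:6:" > "$t/otrust.txt"
}

# Usage on real drives (mount paths are placeholders):
#   sh check-drives.sh /media/amnesia/USBDRIVE/<FINGERPRINT> /media/amnesia/OTHERDRIVE/<FINGERPRINT>
if [ $# -eq 2 ]; then
    verify_master_backup "$1" && verify_transfer_drive "$2"
fi
```

Run it once with both fingerprint directories as arguments before unmounting; a non-zero exit and the printed reason tell you which drive is wrong. The checks are deliberately shallow: they catch a missing file or a master key on the wrong drive, not a corrupted export, so keep gpg --show-keys on the exported files as the final confirmation.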
Now you can shut down the secure environment and boot your regular system again.