Generate Keys

I usually create one master key and three subkeys, each subkey with a single capability (sign, authenticate, encrypt). After these steps you will have the following files:

  • Master Key
  • Subkeys File
  • Public Key
  • Revocation Certificate
  • Backup of trustdb (ownertrust)

GnuPG has an interactive mode for creating keys. I recommend using it if you are new to all of this. You can get it via the command gpg --expert --full-generate-key. I won't cover this mode here, but you can find some awesome articles, which I've referenced in the credits section of the introduction to this part.

Keep in mind that everything here should be done in the secure environment. Don't be confused by the amnesia component in some of the paths in the next sections: amnesia is the default user in Tails, so the home directory is /home/amnesia.

Generate Master Key

The master key will be protected with a passphrase. You should pick a strong one. Note that --passphrase puts it on the command line, where it ends up in the shell history and is visible to other processes on the same machine; that is acceptable in an amnesic Tails session, but do not do it on a persistent or multi-user system.

$ gpg --batch --passphrase "<PASSPHRASE>" --quick-generate-key "Your Name <your.name@example.com>" ed25519 cert 2y
gpg: key 0x0D24A12216EC4F47 marked as ultimately trusted
gpg: directory '/home/amnesia/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/amnesia/.gnupg/openpgp-revocs.d/CF30FE521A3D8B7BDBC8BDB60D24A12216EC4F47.rev'

The last three arguments might need some explanation:

  • ed25519 selects EdDSA on Curve25519 (Ed25519), so the key uses elliptic-curve cryptography instead of RSA
  • cert is the capability of the key and means "certification" only: the master key is used solely to certify its own subkeys and other people's keys
  • 2y means 2 years, which is the validity of the key; the expiration can be extended later with the master key

In the output you can see that the revocation certificate was generated as well. GnuPG 2.1 and later does this automatically; with older versions you have to generate it manually with gpg --gen-revoke.

You'll need the fingerprint of the newly generated master key to be able to add the subkeys. The following command will help you here. The first part of the output is the fingerprint, followed by the e-mail address of the user ID.

$ gpg --list-options show-only-fpr-mbox --list-secret-keys
CF30FE521A3D8B7BDBC8BDB60D24A12216EC4F47 your.name@example.com

In the example above the fingerprint is CF30FE521A3D8B7BDBC8BDB60D24A12216EC4F47.

Add Subkeys

The next three commands will add the subkeys for signing, authentication, and encryption. Note that the encryption subkey uses cv25519 (X25519 for ECDH) rather than ed25519, because Ed25519 is a signature-only algorithm.

$ gpg --batch --pinentry-mode loopback --passphrase "<PASSPHRASE>" --quick-add-key <FINGERPRINT> ed25519 sign 2y
$ gpg --batch --pinentry-mode loopback --passphrase "<PASSPHRASE>" --quick-add-key <FINGERPRINT> ed25519 auth 2y
$ gpg --batch --pinentry-mode loopback --passphrase "<PASSPHRASE>" --quick-add-key <FINGERPRINT> cv25519 encrypt 2y

Listing the secret keys should now look like this:

$ gpg --list-secret-keys
/home/amnesia/.gnupg/pubring.kbx
--------------------------------
sec   ed25519/0x0D24A12216EC4F47 2020-01-21 [C] [expires: 2022-01-20]
      Key fingerprint = CF30 FE52 1A3D 8B7B DBC8  BDB6 0D24 A122 16EC 4F47
uid                   [ultimate] Your Name <your.name@example.com>
ssb   ed25519/0x75F08B9921FBD174 2020-01-21 [S] [expires: 2022-01-20]
ssb   ed25519/0x2E09AC27FDCEA205 2020-01-21 [A] [expires: 2022-01-20]
ssb   cv25519/0x563B096829D1FB28 2020-01-21 [E] [expires: 2022-01-20]

Backup Keys

Now it is time to plug in the USB flash drive that should be used to store the master key and a backup of all the other keys. Mount it if the system hasn't done it automatically.

I usually create a directory on that flash drive named after the fingerprint.

$ mkdir /path/to/drive/<FINGERPRINT>

GnuPG should have created a revocation certificate automatically when the master key was generated. Usually this is written to ~/.gnupg/openpgp-revocs.d/<FINGERPRINT>.rev.

Copy it over to the flash drive:

$ cp ~/.gnupg/openpgp-revocs.d/<FINGERPRINT>.rev /path/to/drive/<FINGERPRINT>/revocation-certificate.rev

Now export the public key, the master key and the subkeys. Note that private.asc (from --export-secret-keys) contains the master key together with all subkeys, while subkeys.private.asc (from --export-secret-subkeys) contains only the subkeys plus a stub of the master key. You will have to enter the passphrase for both secret exports.

$ gpg --export --armor --output /path/to/drive/<FINGERPRINT>/public.asc <FINGERPRINT>
$ gpg --export-secret-keys --armor --output /path/to/drive/<FINGERPRINT>/private.asc <FINGERPRINT>
$ gpg --export-secret-subkeys --armor --output /path/to/drive/<FINGERPRINT>/subkeys.private.asc <FINGERPRINT>

Following the example from the previous sections with the fingerprint CF30FE521A3D8B7BDBC8BDB60D24A12216EC4F47 you should now have these files on your flash drive.

$ ls -1 /media/amnesia/USBDRIVE/CF30FE521A3D8B7BDBC8BDB60D24A12216EC4F47/
private.asc
public.asc
revocation-certificate.rev
subkeys.private.asc

You can now unmount the flash drive and keep it in a secure place. Since it contains the master key, you should only attach this flash drive in your secure environment.

Copy Public Key, Subkeys and Ownertrust

For now you have everything in your secure environment and on the USB flash drive that should not be attached to your regular system.

To be able to use the keys you've created so far, you have to copy the public key, the subkeys and a backup of the trustdb (ownertrust) to another flash drive.

If you like you can create a directory named after fingerprint on that flash drive too.

$ mkdir /path/to/drive/<FINGERPRINT>

Now export the public key, the subkeys and the backup of the trustdb. You will also be asked for the passphrase again.

$ gpg --export --armor --output /path/to/drive/<FINGERPRINT>/public.asc <FINGERPRINT>
$ gpg --export-secret-subkeys --armor --output /path/to/drive/<FINGERPRINT>/subkeys.private.asc <FINGERPRINT>
$ gpg --export-ownertrust > /path/to/drive/<FINGERPRINT>/otrust.txt

Technically the backup of the trustdb (ownertrust) is not scoped to one key, so it does not really belong in a directory named after the fingerprint. Since I erase this flash drive as soon as I've imported the keys on my regular system, I didn't care about the structure.

The flash drive should now contain these three files:

  • otrust.txt
  • public.asc
  • subkeys.private.asc
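Before unplugging either drive it is worth checking what each exported file actually contains. The following script is an added example and not part of the original article: it repeats the generation and export steps from the previous sections in a throwaway GNUPGHOME, then imports private.asc and subkeys.private.asc into clean keyrings (the situation on the regular system) to confirm that only the former carries the master key's secret material. It assumes GnuPG 2.1 or later on the PATH; the user ID and passphrase are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original article. Rebuilds the layout from
# this page (cert-only master key plus sign/auth/encrypt subkeys) in a
# throwaway GNUPGHOME, exports the files the article copies to the flash
# drives, and checks what each export contains. Assumes GnuPG 2.1 or later
# on PATH; the user ID and passphrase are placeholders.
set -eu

UID_STR="Your Name <your.name@example.com>"   # placeholder user id
PASS="correct horse battery staple"           # placeholder passphrase

# gpg with the non-interactive options used throughout the article.
g() { gpg --batch --pinentry-mode loopback --passphrase "$PASS" "$@"; }

# Create a fresh directory with safe permissions; print its path.
new_home() { d=$(mktemp -d); chmod 700 "$d"; printf '%s\n' "$d"; }

# Stop the agent serving a keyring directory and delete the directory.
drop_home() { GNUPGHOME=$1 gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$1"; }

# Generate the master key and the three subkeys in $GNUPGHOME; print the
# master key fingerprint (field 10 of the first "fpr" record).
gen_keys() {
    g --quick-generate-key "$UID_STR" ed25519 cert 2y 2>/dev/null
    fpr=$(gpg --batch --with-colons --list-secret-keys 2>/dev/null |
          awk -F: '$1=="fpr"{print $10; exit}')
    g --quick-add-key "$fpr" ed25519 sign 2y 2>/dev/null
    g --quick-add-key "$fpr" ed25519 auth 2y 2>/dev/null
    g --quick-add-key "$fpr" cv25519 encrypt 2y 2>/dev/null
    printf '%s\n' "$fpr"
}

# Print the capability of each secret key record in listing order. Field 12
# of --with-colons holds the record's own capability in lower case (upper
# case letters are the combined capabilities of the whole key); the expected
# result for this layout is "c s a e".
key_caps() {
    gpg --batch --with-colons --list-secret-keys "$1" 2>/dev/null |
        awk -F: '$1=="sec"||$1=="ssb"{c=$12; gsub(/[^a-z]/,"",c); printf "%s%s",(n++?" ":""),c}'
}

# Export public key, full secret key, secret subkeys and ownertrust for
# fingerprint $2 into directory $1, using the file names from the article.
export_files() {
    mkdir -p "$1"
    gpg --batch --export --armor --output "$1/public.asc" "$2"
    g --export-secret-keys --armor --output "$1/private.asc" "$2"
    g --export-secret-subkeys --armor --output "$1/subkeys.private.asc" "$2"
    gpg --batch --export-ownertrust > "$1/otrust.txt"
}

# Import an exported file into a clean keyring (what happens on the regular
# system) and report whether the master key arrived with usable secret
# material ("full") or only as a stub ("stub"; a normal listing shows it as
# "sec#", --with-colons puts "#" in field 15). Runs in a subshell so the
# temporary GNUPGHOME does not leak into the caller.
master_state() (
    h=$(new_home); export GNUPGHOME="$h"
    g --import "$1" 2>/dev/null
    gpg --batch --with-colons --list-secret-keys 2>/dev/null |
        awk -F: '$1=="sec"{s=($15=="#")?"stub":"full"; print s; exit}'
    drop_home "$h"
)

# End-to-end run; prints one key=value line per check.
demo() {
    h=$(new_home); out=$(new_home); export GNUPGHOME="$h"
    fpr=$(gen_keys); dir="$out/$fpr"
    export_files "$dir" "$fpr"
    printf 'fpr_len=%s\n' "${#fpr}"
    printf 'caps=%s\n' "$(key_caps "$fpr")"
    printf 'public_hdr=%s\n' "$(head -n 1 "$dir/public.asc")"
    printf 'private=%s\n' "$(master_state "$dir/private.asc")"
    printf 'subkeys=%s\n' "$(master_state "$dir/subkeys.private.asc")"
    printf 'trust=%s\n' "$(grep -c "^$fpr:6:" "$dir/otrust.txt" || true)"
    unset GNUPGHOME; drop_home "$h"; rm -rf "$out"
}

demo
```

The interesting lines are private=full and subkeys=stub: they confirm that the file you keep on the offline drive holds the master key's secret material and the file you carry to the regular system does not. trust=1 shows that otrust.txt contains the ultimate-trust entry (trust value 6) for your own fingerprint, which is what makes the key show up as [ultimate] after import.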

Now you can shut down the secure environment and boot your regular system again.