Import Keys

So far we've created the keys, created a backup and moved the subkeys, the public key and the ownertrust to another flash drive. Now it is time to import them on the system you use for your daily work.

Luckily this is very easy.

Import Ownertrust

This step will make sure that your trustdb has the entries for your own key. Otherwise you would see [unknown] next to your key when listing them.

The command gpg --import-ownertrust reads the ownertrust file from stdin, and the output should look something like the following (the trust value 6 stands for ultimate, which is what your own key gets).

> gpg --import-ownertrust < /Volumes/USBDRIVE/<FINGERPRINT>/otrust.txt
gpg: inserting ownertrust of 6

Import Subkeys and Public Key

Importing keys does not use stdin; you just pass the path to the file. Importing the subkeys also prompts for the passphrase again.

Subkeys

> gpg --import /Volumes/USBDRIVE/<FINGERPRINT>/subkeys.private.asc
gpg: key 0x0D24A12216EC4F47: "My Name <my.name@example.com>" not changed
gpg: To migrate 'secring.gpg', with each smartcard, run: gpg --card-status
gpg: key 0x0D24A12216EC4F47: secret key imported
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1

Public Key

> gpg --import /Volumes/USBDRIVE/<FINGERPRINT>/public.asc
gpg: key 0x0D24A12216EC4F47: public key "My Name <my.name@example.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   3  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: next trustdb check due at 2021-09-03

Check Your Secret Keys

By listing all the secret keys, you can check what happened. The output should look similar to this.

> gpg --list-secret-keys
/Users/danieltrautmann/.gnupg/pubring.kbx
-----------------------------------------
sec#  ed25519/0x0D24A12216EC4F47 2020-01-21 [C] [expires: 2022-01-20]
      Key fingerprint = CF30 FE52 1A3D 8B7B DBC8  BDB6 0D24 A122 16EC 4F47
uid                   [ultimate] My Name <my.name@example.com>
ssb   ed25519/0x75F08B9921FBD174 2020-01-21 [S] [expires: 2022-01-20]
ssb   ed25519/0x2E09AC27FDCEA205 2020-01-21 [A] [expires: 2022-01-20]
ssb   cv25519/0x563B096829D1FB28 2020-01-21 [E] [expires: 2022-01-20]

Let's go through this line by line. Line one starts with sec#, which tells us two things: sec means it is a secret key, and the # indicates that the secret key material is not present on this machine. That is exactly what we wanted, because this is the master key, which we deliberately did not import.

Following that you will find the algorithm ed25519 and the key ID 0x0D24A12216EC4F47 separated by a /. Then you will see the date of creation, the capability of this key, which in this case is [C], and the expiration date.

On the second line you will see the fingerprint of this key again in a more readable form, followed by your uid on the third line.

The last three lines are your subkeys, indicated by ssb. These lines look similar to the first line, but each has a different capability.

Here is a list of the capability flags and what they stand for:

  • [C] - Certification
  • [S] - Signing
  • [A] - Authentication
  • [E] - Encryption
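
The whole import from the flash drive, plus sanity checks on the result, as one added shell example that is not part of the original walkthrough; it covers the ownertrust import, the subkey and public key import, and the secret key listing above. The drive path /Volumes/USBDRIVE, the <FINGERPRINT> directory layout and the helper function names are assumptions taken from this tutorial, and the sample listing and ownertrust file are constructed from the outputs shown in the text.

```shell
#!/bin/sh
# Added example (not part of the original tutorial). It wraps the three import
# commands from above in one function and adds sanity checks on the results.
# Assumptions: the drive path, the directory layout <drive>/<FINGERPRINT>/ and
# the helper names are placeholders taken from this walkthrough; the sample
# outputs below are constructed from the listings shown in the text.

# Return 0 when a `gpg --list-secret-keys` listing (read from stdin) shows the
# primary secret key stubbed out (sec#) and one subkey each for signing [S],
# authentication [A] and encryption [E]. Diagnostics go to stderr.
check_secret_listing() {
    listing="$(cat)"
    # A bare "sec" (no #) would mean the master key's secret material is on
    # this machine, which is not what this setup wants.
    if ! printf '%s\n' "$listing" | grep -q '^sec#'; then
        echo "check: primary secret key is present or missing entirely" >&2
        return 1
    fi
    # "ssb " is a subkey held locally, "ssb>" one that lives on a smartcard.
    for cap in S A E; do
        if ! printf '%s\n' "$listing" | grep -q "^ssb[ >].*\[$cap\]"; then
            echo "check: no subkey with capability [$cap]" >&2
            return 1
        fi
    done
    return 0
}

# Return 0 when an ownertrust export (read from stdin) assigns ultimate trust
# (value 6) to the given 40-hex-digit fingerprint; comment lines are skipped.
check_ownertrust_file() {
    fpr="$1"
    grep -v '^#' | grep -q "^${fpr}:6:"
}

# The actual import, as run on the daily-use machine. Needs gpg and the drive;
# it is defined here but not called at the bottom, so the checks run offline.
import_from_drive() {
    drive="$1"   # e.g. /Volumes/USBDRIVE
    fpr="$2"     # the primary key's fingerprint, without spaces
    dir="$drive/$fpr"
    check_ownertrust_file "$fpr" < "$dir/otrust.txt" || return 1
    gpg --import-ownertrust < "$dir/otrust.txt" || return 1
    gpg --import "$dir/subkeys.private.asc" || return 1   # prompts for passphrase
    gpg --import "$dir/public.asc" || return 1
    gpg --list-secret-keys | check_secret_listing
}

# Constructed sample data, matching the listing shown in the walkthrough.
FPR=CF30FE521A3D8B7BDBC8BDB60D24A12216EC4F47

SAMPLE_LISTING=$(cat <<'EOF'
/Users/me/.gnupg/pubring.kbx
----------------------------
sec#  ed25519/0x0D24A12216EC4F47 2020-01-21 [C] [expires: 2022-01-20]
      Key fingerprint = CF30 FE52 1A3D 8B7B DBC8  BDB6 0D24 A122 16EC 4F47
uid                   [ultimate] My Name <my.name@example.com>
ssb   ed25519/0x75F08B9921FBD174 2020-01-21 [S] [expires: 2022-01-20]
ssb   ed25519/0x2E09AC27FDCEA205 2020-01-21 [A] [expires: 2022-01-20]
ssb   cv25519/0x563B096829D1FB28 2020-01-21 [E] [expires: 2022-01-20]
EOF
)

# Same listing, but the master key's secret part was imported too (no #).
BAD_LISTING=$(printf '%s\n' "$SAMPLE_LISTING" | sed 's/^sec# /sec  /')

# Constructed ownertrust export in the format gpg --export-ownertrust writes.
SAMPLE_OTRUST=$(cat <<'EOF'
# List of assigned trustvalues, created Tue Jan 21 2020
# (Use "gpg --import-ownertrust" to restore them)
CF30FE521A3D8B7BDBC8BDB60D24A12216EC4F47:6:
EOF
)

# Offline demonstration of the checks against the constructed samples.
printf '%s\n' "$SAMPLE_LISTING" | check_secret_listing && echo "good listing accepted"
printf '%s\n' "$BAD_LISTING" | check_secret_listing || echo "bad listing rejected"
printf '%s\n' "$SAMPLE_OTRUST" | check_ownertrust_file "$FPR" && echo "ownertrust entry found"
```

Run it as-is to exercise the checks against the embedded samples; on the real machine, call import_from_drive /Volumes/USBDRIVE followed by the fingerprint without spaces. The listing check insists on sec# because a bare sec would mean the master key's secret part landed on the daily machine, which defeats the point of keeping it offline, and the ownertrust check confirms the file on the drive really carries the ultimate entry before anything is imported.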

The next chapter is optional and requires hardware such as the Nitrokey or a YubiKey. If you don't own such a device or don't want to use one, you can just start signing commits or encrypting emails.