My setup contains subkeys. I will use the term "master key" for the main secret key in the following sections, since the subkeys are also private keys. Otherwise it might be confusing.
Everything that involves the master key, is done in a secure environment, which means that this system will never be connected to the Internet.
I use the following stuff to manage and use my PGP key:
- Three USB flash drives
- One for the secure environment
- One for transferring my public key, subkeys and ownertrust
- One for the master key and backup
- Nitrokey Start
The system I describe here comes with some limitations:
- Tasks that involve the master key cannot be done on the way
- You'll always need the secure environment to sign other keys
- Usage of ECC might not be supported everywhere
- Use RSA with a key length of 4096 bits if you need the compatibility
I use my key mostly for signing Git Commits, but I did also use a similar setup for email encryption as well in the past.
Please do not copy and repeat everything that is mentioned here. Be careful when it comes to the algorithm you want to use or which type of elliptic curve in case you decide to use ECC. Research everything that you do not know and make your own decisions. I've spent at least three evenings figuring out what I wanted to use. Below you can find some links to other articles, that might be helpful.