Creating a Secured Key
When you build a PGP key you going to start using that key to verify your identity, so like all other forms of identification you have to protect it. Unfortunately to make PGP usable you cant permanently store you private keys locked in a safe, you actually need a copy of it one your computer, phone, table, laptop, basically any place where you want to send verified emails or decrypt messages you receive.
So what do you do if you phone or laptop are stolen? Even if you have secured your private-key with a strong password it is still at risk from someone with direct access to it.
Protection Using Subkeys
There isn’t allot of information on web about how to secure your key in this situation. I was able to find a few reference sites most notably the Debian Wiki about Subkeys.
When you create a OpenPGP key you are creating one key for signing and another for encryption. Its the signing key that is your master key and the one you need to protect. So after creating a new OpenPGP key you can create a new subkey just for signing.
This way the only things stored on your mobile device are your encryption key and your signing-subkey. If you lose control of your laptop, but still retain control of you master key, you can revoke the sub signing and encryption keys and create replacements.
If an attacker were able to break your password they would get access to anything encrypted before you revoked the key but nothing after that point. They could also only sign emails and files using the subkey you just revoked and any receiving PGP application would see that the key used to sign the message had been revoked and not validate the signature.
So how do we do it? (Step-By-Step)
Creating the Keypair
Use the `gpg --gen-key` command to create the new keypair
You will be prompted to enter a password, its a good idea to make this a secure one; hard to guess and one you want forget. Keep it safe. If you lose your password you could lose control over your key and will have to start again.
PGP uses hashes through the signing and encrypting process, I’ve better explained this on the “How is works” page. To strengthen your key you can set your preferred hashes. This is useful because as time moves on and computers become more powerful weaknesses are being discovered in previously thought secure hashes such as SHA-1.
Use the `gpg --edit-key` command and when prompted enter the command `setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed`, then `save`.
Subkey for Signing
OpenPGP subkeys work the same as normal (master) keys, expect they are mathematical related to the master key and they can be used for signing or encrypting. What makes them special here is they can be revoked and store independently of the master key.
Again use the `gpg --edit-key` command and type `addkey`. Select a sign only key, ether 3 or 4 depending on if you want to use DSA or RSA. After the new key is ready type `save`.
Since we are creating subkeys we do not have to worry about theft of a laptop or phone. In that case you could still use your master key to revoke only that subkey. What I describe bellow is when you lose your master key and must revoke everything.
If you ever lose your private key you will have no way of generating the revocation certificates needed to revoke your new key. So best practice is to generate those certificates now and store them in a safe place encase you need them later.
You can do this from the command line with the command:
`nxad@desktop:~$ gpg --output 1FA1E814.rev.asc --armor --gen-revoke 1FA1E814`
Export The Final Product
Now export your keypair. You can export both the private-key and public-key using these commands:
nxad@desktop:~$ gpg --export-secret-keys --armor 1FA1E814 > 1FA1E814.pri.ascnxad@desktop:~$ gpg --export --armor 1FA1E814 > 1FA1E814.pub.asc
You should protect these two files. Do not keep them on your laptop of mobile. The private file we exported contains your master key. Losing this could compromise your entire keypair.
Creating your Laptop Key
Now that your master key is ready you can create your laptop key. GPG does not make this easy, but with a little trickery you can make it work. These instructions assume you have created your master key on your laptop, if you have created your key on your desktop machine you can just skip the step two and not delete your secret key.
1. Start by exporting your subkeys `gpg --export-secret-subkeys 1FA1E814 > 1FA1E814.sub.gpg`
2. Next delete the master key from your key ring
gpg --delete-secret-key 1FA1E814
3. Now reimport the subkeys back into your keyring, or if you are not working from your laptop just import the subkeys there
gpg --import 1FA1E814.sub.gpg
Using your new key
You can now use your laptop keypair to sign, decrypt or encrypt emails and files. If you want to sign someone else’s key or revoke a subkey attached to your mast key you need to use the original master key.
Now that your key is ready for public consumption your can start sharing it. You can distribute your key anyway you like, but the simplest solution is to send it to a key server:
nxad@desktop:~$ gpg --send-keys 1FA1E814
There are hundreds of key servers online, but you don’t need to send your key to all of them. In most cases any key server you use will distribute your public key across all the others. This process is fully automatic but it can take a few days for your key to appear on them all.