OpenPGP: How do I create a OpenPGP Key?

Creating a Secured Key

When you build a PGP key you going to start using that key to verify your identity, so like all other forms of identification you have to protect it. Unfortunately to make PGP usable you cant permanently store you private keys locked in a safe, you actually need a copy of it one your computer, phone, table, laptop, basically any place where you want to send verified emails or decrypt messages you receive.

So what do you do if you phone or laptop are stolen? Even if you have secured your private-key with a strong password it is still at risk from someone with direct access to it.

Protection Using Subkeys

There isn’t allot of information on web about how to secure your key in this situation. I was able to find a few reference sites most notably the Debian Wiki about Subkeys.

When you create a OpenPGP key you are creating one key for signing and another for encryption. Its the signing key that is your master key and the one you need to protect. So after creating a new OpenPGP key you can create a new subkey just for signing.

This way the only things stored on your mobile device are your encryption key and your signing-subkey. If you lose control of your laptop, but still retain control of you master key, you can revoke the sub signing and encryption keys and create replacements.

If an attacker were able to break your password they would get access to anything encrypted before you revoked the key but nothing after that point. They could also only sign emails and files using the subkey you just revoked and any receiving PGP application would see that the key used to sign the message had been revoked and not validate the signature.

So how do we do it?


Creating the Keypair

Use the gpg --gen-key command to create the new keypair

You will be prompted to enter a password, its a good idea to make this a secure one; hard to guess and one you want forget. Keep it safe. If you lose your password you could lose control over your key and will have to start again.

Preferred Hash

PGP uses hashes through the signing and encrypting process, I’ve better explained this on the “How is works” page. To strengthen your key you can set your preferred hashes. This is useful because as time moves on and computers become more powerful weaknesses are being discovered in previously thought secure hashes such as SHA-1.

Use the gpg --edit-key command and when prompted enter the commandsetpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed, then save.

Subkey for Signing

OpenPGP subkeys work the same as normal (master) keys, expect they are mathematical related to the master key and they can be used for signing or encrypting. What makes them special here is they can be revoked and store independently of the master key.

Again use the gpg --edit-key command and type addkey. Select a sign only key, ether 3 or 4 depending on if you want to use DSA or RSA. After the new key is ready type save.

Revocation Certificate

Since we are creating subkeys we do not have to worry about theft of a laptop or phone. In that case you could still use your master key to revoke only that subkey. What I describe bellow is when you lose your master key and must revoke everything.

If you ever lose your private key you will have no way of generating the revocation certificates needed to revoke your new key. So best practice is to generate those certificates now and store them in a safe place encase you need them later.

You can do this from the command line with the command:

However I has also worked on a bash script that can automate the process of creating these certificates. More information on this is available from the project page.

Export The Final Product

Now export your keypair. You can export both the private-key and public-key using these commands:

You should protect these two files. Do not keep them on your laptop of mobile. The private file we exported contains your master key. Losing this could compromise your entire keypair.

Creating your Laptop Key

Now that your master key is ready you can create your laptop key. GPG does not make this easy, but with a little trickery you can make it work. These instructions assume you have created your master key on your laptop, if you have created your key on your desktop machine you can just skip the step two and not delete your secret key.

  1. Start by exporting your subkeys gpg --export-secret-subkeys 1FA1E814 > 1FA1E814.sub.gpg
  2. Next delete the master key from your key ring gpg --delete-secret-key 1FA1E814
  3. Now reimport the subkeys back into your keyring, or if you are not working from your laptop just import the subkeys theregpg --import 1FA1E814.sub.gpg.

Using your new key

You can now use your laptop keypair to sign, decrypt or encrypt emails and files. If you want to sign someone else’s key or revoke a subkey attached to your mast key you need to use the original master key.

Now that your key is ready for public consumption your can start sharing it. You can distribute your key anyway you like, but the simplest solution is to send it to a key server:

There are hundreds of key servers online, but you don’t need to send your key to all of them. In most cases any key server you use will distribute your public key across all the others. This process is fully automatic but it can take a few days for your key to appear on them all.

Stuart McCulloch Anderson

For over a decade and a half Stuart has been in love with all things science fiction or technology and for almost fourteen of those years his operating system of choice has been one breed of Linux or another and despite some brief trips back into the world of Windows Stuart has never found him self wanting anything else.

You may also like...

2 Responses

  1. Richard Gomes says:

    Hello Stuart,

    First of all: Thanks a lot for the great article.

    I have a question which arose due to the negative voice narrative you employed whilst explaining the commands involved on subkeys. You said “not in a laptop” in a context involving desktop and laptop, which confused me.

    So, on item 3 of your instructions on subkeys, I’ve interpreted like this:

    3.a. If you are on a desktop: there’s nothing to be done.
    3.b. If you are on a laptop: copy the generated subkey into your laptop and then import the copied subkey into your keyring, like this:

    laptop:$ rcp me@desktop:.gnupg/1FA1E814.sub.gpg $HOME/.gnupg
    laptop:$ gpg –import $HOME/.gnupg/1FA1E814.sub.gpg

    Would that be correct?

    • Good evening Richard, thanks for your comment.

      The end goal of creating a subkey for your laptop is to make sure your master is not stored on the laptop – so if for whatever reason, loss of theft, you use access to your laptop the master key is not compromised at the same time. Instead only the subkey is lost and can be revoked independently of the master key.

      What we’re trying to achieve in the ‘Creating your Laptop Key’ section
      1. Export only the subkeys from 1FA1E814 into a separate file
      2. Delete the master key from 1FA1E814, since GPG only allows you to delete the full key we have to do that instead. This is only required if you create the key on the laptop you want to have the subkey as I am making the assumption you ‘trust’ your desktop and want to keep your master key on it
      3. Reimport the exported subkey (from step 1) into your keystore.

      Please note key ID 1FA1E814 is only an example, your key ID will be different

      Which is a long explanation and boils down to, yes. Your interpretation, and the commands you posted, is correct.

      Sorry for the confusion, I hope I’ve made it a little more clear?

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: