SoDa7 .MOD - RUSH

A TechHeart quickee . . .

  • General info: use good passwords, or be vulnerable to brute-force attacks.

  • After COMPLETE, be sure to remove the MASTER_KEY_PAIR to some safe environment.

Generate GPG key

amnesia@amnesia:~/Persistent/gpg/temp$ gpg --full-generate-key

Set stronger prefs

gpg --edit-key johndoe@anon.com

Add a new signing sub-key

gpg --edit-key johndoe@anon.com

Create a revocation certificate, in case the master key is compromised

gpg --output \<johndoe@anon.com\>.gpg-revocation-certificate --gen-revoke johndoe@anon.com

Export private/public keys

  • Private
gpg --export-secret-keys --armor johndoe@anon.com > \<johndoe.anon.com\>.private.gpg-key
  • Public
gpg --export --armor johndoe@anon.com > \<johndoe.anon.com\>.public.gpg-key
  • Move these 3 files into a /MASTER_KEY_PAIR sub-directory; they are your PERMANENT Master Key Pair

  • Change the MASTER_KEY_PAIR into a daily use/laptop key pair

    • We will remove the original signing (master) secret key, leaving only the new signing sub-key and the encryption sub-key in the laptop keyring. Therefore, if our daily-use key pair becomes compromised, we can fetch the master key pair that we stored away safely and revoke the sub-key that was part of our daily use/laptop key pair.

Export sub-keys

gpg --export-secret-subkeys johndoe@anon.com > subkeys

Delete the secret key!

gpg --delete-secret-key johndoe@anon.com

Re-import the keys we exported

gpg --import subkeys

Remove the file we created…

shred --remove subkeys

Verify everything w0rked correctly

  • Verify the ‘sec#’ line… the # after sec means that the secret part of that key is NOT present in this keyring. (What we want for this daily use/laptop one.)
gpg -K
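The same ‘sec#’ check done from gpg's machine-readable listing, as an added example that is not part of the original post: it reads `gpg -K --with-colons` records (field 1 is the record type, field 15 holds `#` when only a stub of that secret key is present), accepts a keyring whose master key is a stub while every sub-key's secret part is real, and rejects one where the master secret key is still there. The listings in the block are constructed samples with made-up key ids, not real key material.

```shell
#!/bin/sh
# Added example, not from the TechHeart post. Verifies the laptop keyring
# state from "gpg -K --with-colons" output instead of eyeballing "sec#".
# Colon-record layout: field 1 = record type (sec = master secret key,
# ssb = secret sub-key), field 5 = key id, field 12 = capabilities,
# field 15 = "#" when only a stub of that secret key is in the keyring.

# check_laptop_keyring LISTING
# Returns 0 when the master secret key is a stub and every sub-key's
# secret part is really present; returns 1 otherwise.
check_laptop_keyring() {
  printf '%s\n' "$1" | awk -F: '
    $1 == "sec" { seen_sec = 1; if ($15 != "#") bad_master = 1 }
    $1 == "ssb" { seen_ssb = 1; if ($15 == "#") bad_sub = 1 }
    END {
      if (seen_sec && seen_ssb && !bad_master && !bad_sub) exit 0
      exit 1
    }'
}

# explain_keyring LISTING
# Prints one line per sec/ssb record (key id, capabilities, secret part
# present or stub) so the reader can see why the check passed or failed.
explain_keyring() {
  printf '%s\n' "$1" | awk -F: '
    $1 == "sec" || $1 == "ssb" {
      state = ($15 == "#") ? "STUB (secret part absent)" : "secret part present"
      printf "%s %s caps=%s %s\n", $1, $5, $12, state
    }'
}

# Constructed sample (made-up key ids, no real key material): the post's final
# laptop state, master key stubbed, encryption and signing sub-keys present.
SAMPLE_LAPTOP_LISTING='sec:u:4096:1:A1B2C3D4E5F60718:1700000000:::u:::scESC:::#:::23::0:
fpr:::::::::000000000000000000000000A1B2C3D4E5F60718:
uid:u::::1700000000::CONSTRUCTEDUIDHASH::John Doe <johndoe@anon.com>::::::::::0:
ssb:u:4096:1:0F1E2D3C4B5A6978:1700000000::::::e::::::23:
ssb:u:4096:1:8796A5B4C3D2E1F0:1700000000::::::s::::::23:'

# Constructed sample of the same key BEFORE the master secret key was deleted;
# field 15 of the sec record is empty, so the check must fail.
SAMPLE_MASTER_LISTING='sec:u:4096:1:A1B2C3D4E5F60718:1700000000:::u:::scESC::::::23::0:
ssb:u:4096:1:0F1E2D3C4B5A6978:1700000000::::::e::::::23:'

# Against a real keyring (assumes gpg is installed and GNUPGHOME points at the
# laptop keyring): check_laptop_keyring "$(gpg -K --with-colons johndoe@anon.com)"
explain_keyring "$SAMPLE_LAPTOP_LISTING"
if check_laptop_keyring "$SAMPLE_LAPTOP_LISTING"; then echo "laptop keyring OK"; fi
```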

Change the password on the daily use key pair

  • Even if both the daily use/laptop key pair AND its password become compromised, the MASTER_KEY_PAIR and its password are still protected; you could issue the revocation cert, retain use of your MASTER_KEY_PAIR, and create a new daily/laptop key pair afterwards…
gpg --edit-key johndoe@anon.com passwd

Export the public key, and upload it to a key server if wanted…

  • After exporting, you can upload mykey.asc/johndoe.asc to one of the many public GPG key servers manually, using Kleopatra or even the OpenPGP applet… 2E9A71C6DED99A7E69B06125E369307607158CDC.asc = johndoe.asc
gpg --armor --export johndoe@anon.com > johndoe.asc
cat johndoe.asc

-----BEGIN PGP PUBLIC KEY BLOCK-----

 [snip]

-----END PGP PUBLIC KEY BLOCK-----

TechHeart.life