Jun 29, 2015, 01:51 PM
### Guide for creating GPG keys for encryption, signing and authenticating without storing your primary key secret on the PC
### Follow step by step:


(1) generate key:
 On a fresh offline computer (e.g. Tails without an internet connection, or an air-gapped computer):

 gpg --expert --gen-key
 select "(8) RSA (set your own capabilities)"
 Toggle capabilities to "Current allowed actions: Certify"
 Key length = 4096
 Expiration = 5y
 add uid: real name "John Doe" and primary email address "john.doe@example.com"
 enter passphrase: "secret"

 gpg -k
 List all keys from the public keyrings, or just the ones given on the command line.
 gpg -K
 List all keys from the secret keyrings, or just the ones given on the command line.

 gpg --expert --edit-key john.doe@example.com
 addkey
 Enter passphrase "secret"
 select "(8) RSA (set your own capabilities)"
 Toggle capabilities to "Current allowed actions: Sign"
 Key length = 4096
 Expiration = 3y

 addkey
 Enter passphrase "secret"
 select "(8) RSA (set your own capabilities)"
 Toggle capabilities to "Current allowed actions: Encrypt"
 Key length = 4096
 Expiration = 3y

 addkey
 Enter passphrase "secret"
 select "(8) RSA (set your own capabilities)"
 Toggle capabilities to "Current allowed actions: Authenticate"
 Key length = 4096
 Expiration = 3y

 adduid
 add the other email addresses you want to use

 # set the primary uid by selecting it by number
 l
 lists the uids

 2
 "2" is the uid with the leading "(2)" (change to your needs)

 primary
 sets the chosen uid (marked with "*") as primary

 addphoto (optional)
 adds a JPEG to your key

 save
 saves the keys to your keyring

 quit


(2) now back up the keys to e.g. an encrypted USB stick:

 gpg -a --export-secret-key john.doe@example.com > secret_key
 gpg -a --export john.doe@example.com > public_key.gpg


(3) generate a revocation certificate and store it on e.g. a USB stick:

 gpg -a --gen-revoke john.doe@example.com > revocation_cert.gpg

 You can now store your secret_key in the most secure place you know. We will not need it for encryption, signing or authenticating.

(4) separate the primary key from the subkeys:

 gpg -a --export-secret-subkeys john.doe@example.com > secret_subkeys.gpg
 only exports the secret parts of the subkeys

 gpg --delete-secret-keys john.doe@example.com
 deletes the secret parts of our keys (primary and subkeys)

 gpg -k
 shows the public parts of our keys

 gpg -K
 shows nothing now

 gpg --import secret_subkeys.gpg
 re-imports the secret subkeys


 now we have all keys needed on our "normal" system

 gpg -k
 shows the public parts of our keys

 gpg -K
 shows the secret keys (the "#" after "sec" shows that the primary key secret is not in the keyring)

(5) export the needed keys to e.g. another (encrypted) USB stick:

 gpg -a --export-secret-keys john.doe@example.com > pc_keys_secret.gpg
 gpg -a --export john.doe@example.com > pc_keys_public.gpg


(6) import the needed keys from the USB stick onto the PC:

 on your PC do:

 gpg --import pc_keys_public.gpg
 gpg --import pc_keys_secret.gpg

 or import them with Enigmail:
 ( Setup Wizard -> (detailed configuration) -> choose the mail addresses you want to use -> import pc_keys_public.gpg and pc_keys_secret.gpg )


(7) for editing your keys:

 import the keys to a fresh offline computer:
 gpg --import secret_key
 gpg --import public_key.gpg
 gpg --expert --edit-key john.doe@example.com
 continue with (2)