Alex Balgavy

Just some stuff about me.

Here's my dotfiles repository.

Check out my blog.

My keys: PGP, SSH

My crypto wallets (BTC, XMR)

GPG stuff

Subkeys with stripped master key

The master key is the one used for certifying. It’s best to keep that off your main machine, and only keep subkeys for specific purposes on the machine.

  1. Go offline.
  2. Generate a key: gpg --full-gen-key, using RSA at 4096 bits. If needed, run gpg --expert --edit-key, use adduid to add other user IDs/emails, then uid <number> and primary to set the primary user ID, and save.
  3. Find the key ID with gpg --list-keys name, then run gpg --expert --edit-key MASTER_ID. Type addkey, choose RSA (sign only) with a large bit size and a relatively short expiry date, then repeat for authenticate, sign and encrypt subkeys as needed. Finally, save.
  4. Copy $HOME/.gnupg to wherever you’ll store the master key.
  5. Export subkeys: gpg --output secret-subkeys --export-secret-subkeys MASTER_ID.
  6. Remove master key: gpg --delete-secret-keys MASTER_ID
  7. Re-import subkeys: gpg --import secret-subkeys
  8. Shred and remove private subkeys file: shred secret-subkeys (and rm if shred doesn’t do it automatically).
  9. Run gpg -K; it should show sec# instead of sec, meaning the master secret key is not on this machine (good!).
  10. Change the passphrase on the subkeys with gpg --edit-key MASTER_ID, then passwd.
  11. Go back online and send your keys: gpg --keyserver keyring.debian.org --send-key MASTER_ID (repeat for keyserver pool.sks-keyservers.net and others if needed). Also, gpg --export -a MASTER_ID > gpg.pub to export public subkeys and upload/share where needed.

Extend expiration date for stripped keys

  1. Go offline.
  2. export GNUPGHOME=/path/to/stored/.gnupg (or use the --homedir flag with every GPG command).
  3. gpg -K to find key ID and check the expiration date, then gpg --edit-key MASTER_ID.
  4. Do key <n> to switch to a subkey, then expire and set the expiration date. Once done with all subkeys, do save.
  5. Export updated public keys with gpg -a --export MASTER_ID > /path/to/exported-key.txt (private keys don’t expire). You can verify with gpg /path/to/exported-key.txt.
  6. Go back online.
  7. gpg --import /path/to/exported-key.txt and verify with gpg -K (which should also still show a sec# on the master key).
  8. Submit the updated key with gpg --send-keys MASTER_ID to whichever keyservers you need. Also upload /path/to/exported-key.txt to wherever you need; you can check the uploaded copy by piping curl's output into gpg.
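The sec# check in step 9 of the first list and step 7 of the second has a machine-readable form: in gpg -K --with-colons output, a stub secret key carries a # in field 15 of its sec record, and field 7 holds the expiry as a Unix timestamp (per gpg's DETAILS documentation). The function below, an added example that is not part of these notes, audits such a listing: the master key must be a stub, every subkey must be present, and it warns about subkeys that are close to expiring, which is when the second procedure is due. The now_epoch parameter exists so a saved listing can be checked reproducibly.

```shell
#!/bin/sh
# Audit a `gpg -K --with-colons` listing after stripping the master key.
# Usage: gpg -K --with-colons | check_keyring [now_epoch] [warn_days]
# Exit status 0 when the master is a stub (sec#), all subkeys are present
# and none has expired; 1 otherwise. Subkeys expiring within warn_days
# (default 30) only produce a WARN line.
check_keyring() {
    now=${1:-$(date +%s)}
    warn_days=${2:-30}
    awk -F: -v now="$now" -v warn="$warn_days" '
        # sec record: field 5 = key ID, field 15 = "#" means stub only
        $1 == "sec" {
            if ($15 == "#") print "ok: master " $5 " is a stub (sec#)"
            else { print "FAIL: master " $5 " secret key is on this machine"; bad = 1 }
        }
        # ssb record: field 7 = expiry epoch (empty = never), field 12 = capabilities
        $1 == "ssb" {
            if ($15 == "#") { print "FAIL: subkey " $5 " secret part is missing"; bad = 1 }
            else if ($7 != "" && $7 + 0 <= now) { print "FAIL: subkey " $5 " (" $12 ") has expired"; bad = 1 }
            else if ($7 != "" && $7 + 0 <= now + warn * 86400)
                print "WARN: subkey " $5 " (" $12 ") expires in " int(($7 - now) / 86400) " days, extend it"
            else print "ok: subkey " $5 " (" $12 ") present"
        }
        END { exit bad ? 1 : 0 }
    '
}
```

The key IDs and fingerprints in any sample listing you feed it are placeholders; real output also contains fpr, uid and grp records, which the function ignores.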

Useful sources: viccuad.me on air-gapped GPG, Debian wiki on airgapped master keys, a post from Eleven Labs, Debian wiki on subkeys