Improve documentation for gpg subkey creation #102

Merged
merged 6 commits into from
Feb 25, 2021
Changes from 5 commits
24 changes: 14 additions & 10 deletions README.md
Expand Up @@ -40,13 +40,16 @@ in the GitHub Docs.

#### Using a subkey from an existing GPG key

First open your master key for editing:
First open your master key for editing (use `--list-keys` to find it):

```bash
gpg --edit-key "<YOUR MASTER KEY ID>"
```

Type `addkey` and select signing or s for capabilities. RSA key type is recommended for greatest compatibility.
A signing key type RSA with 3072 bits is recommended for greatest compatibility.

Type `addkey` and select a type that is for signing, you might be asked about bit size depending on your choice.
When deciding over key expire, avoid setting to never expire, as recommendation of key bits will change over time.
Type `save` to persist the new subkey to your master key. Make a note of the Key ID as you will need it in the next step.

Next export the new sub key:
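Review bot: the new expiry sentence reads awkwardly and should be reworded before merge; suggest replacing `When deciding over key expire, avoid setting to never expire, as recommendation of key bits will change over time.` with something like `When asked for an expiration date, do not choose "never expire"; the recommended key size changes over time, so plan to rotate the subkey.` Two smaller points in the same hunk: the hint `(use `--list-keys` to find it)` would be more precise as `--list-secret-keys`, since the reader needs a key they hold the secret part of in order to edit it; and the RSA 3072 recommendation now appears before the reader is told to type `addkey`, so moving that sentence directly after `Type `addkey` and select a type that is for signing, ...` (which could simply say `select a sign-only key type`) would read more naturally.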
Expand All @@ -65,41 +68,42 @@ You can skip this if your master key is not password protected.
To remove the password from the subkey, create an ephemeral gpg home directory:

```bash
mkdir /tmp/gpg
install -d -m 700 gpg-tmp
```

Ensure that it works with gpg:

```bash
gpg --homedir /tmp/gpg --list-keys
gpg --homedir gpg-tmp --list-keys
```

You can ignore the warning about unsafe directory permissions.

Import your subkey:

```bash
gpg --homedir /tmp/gpg --import private.key
gpg --homedir gpg-tmp --import private.key
```

Enter edit mode:

```bash
gpg --homedir /tmp/gpg --edit-key <SubKey ID>
gpg --homedir gpg-tmp --edit-key <SubKey ID>
```

Type `passwd`, entering your current password and then set the password to "" to remove it.

The command may give error `error changing passphrase: No secret key` when setting empty password.
You should ignore it as the password was really removed.

Type `save` to exit edit mode and re-export your subkey:

```bash
gpg --homedir /tmp/gpg --output private.key --armor --export-secret-subkeys "<SubKey ID>!"
gpg --homedir gpg-tmp --output private.key --armor --export-secret-subkeys "<SubKey ID>!"
```

Finally, remove the ephemeral directory:

```bash
rm --rf /tmp/gpg
rm --rf gpg-tmp
```

You will now need to export your master public key with the new subkey public key to the file `public.key`:
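Review bot: `rm --rf gpg-tmp` in the final command of this hunk is not a valid invocation; GNU rm has no `--rf` long option and aborts with `unrecognized option '--rf'`, which leaves the directory containing the passphrase-less secret subkey on disk. The typo was already present in the old `rm --rf /tmp/gpg` line, but since this change rewrites that line it should become `rm -rf gpg-tmp`. Two follow-ups from the path change: every `--homedir gpg-tmp` command now depends on being run from the same working directory as the `install -d -m 700 gpg-tmp` step, which is worth stating once; and because the directory is now created with mode 700, gpg will no longer emit the unsafe-permissions warning, so the unchanged sentence `You can ignore the warning about unsafe directory permissions.` is stale and can be removed.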