Create the Perfect GPG Keypair

Based on a guide by Alex Cabal

Create Password Storage Key

Generate Passphrase

# 4 words, length 3-5
$ awk 'length($0) >= 3 && length($0) <= 5' <wordlist> | shuf -n4

Create Keypair

$ gpg --full-generate-key

Export ASCII-armored Keypair

$ gpg --export-secret-keys --armor null@null.com > password-storage-private.asc
$ gpg --export             --armor null@null.com > password-storage-public.asc

Export Paperkey-encoded Private Key

$ sudo dnf install paperkey
$ gpg --export-secret-keys null@null.com | paperkey --output password-storage.paperkey

Create PGP Manager VM

Configure

# Commands executed in container:
$ setup-alpine
    # Hostname? pgp-mgr
    # Ip address for eth0? <dhcp>
    # Root password? J$
    # Which disk(s) would you like to use? sda
    # How would you like to use it? sys
    # What timezone are you in? UTC
    # Which SSH server? none
$ apk update
$ apk upgrade
$ apk add gnupg
$ sed -i -e 's/^#\(.*testing\)/\1/' /etc/apk/repositories # enable testing repo
$ apk add paperkey

At this point, disable the network connection from the VM manager and reboot.

Create Standard Key

Generate Passphrase

# 4 words, length 3-5
$ awk 'length($0) >= 3 && length($0) <= 5' <wordlist> | shuf -n4
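Added example (not part of the original notes, which use the one-liner above in both "Generate Passphrase" sections): the same word-length filter and random draw wrapped in a small POSIX sh function, plus a checker that confirms the result really has the requested number of words in the requested length range. The word list here is a tiny constructed one for a stand-alone run; point the function at a real list (one word per line) in practice. It assumes coreutils `shuf`, as the notes do.

```shell
#!/bin/sh
# gen_passphrase WORDLIST [COUNT] [MIN] [MAX]
# Picks COUNT distinct random words whose length is MIN..MAX from WORDLIST.
gen_passphrase() {
    wordlist=$1; count=${2:-4}; min=${3:-3}; max=${4:-5}
    # awk keeps only lines in the length range; shuf draws without
    # replacement; tr/sed join the words with single spaces.
    awk -v min="$min" -v max="$max" 'length($0) >= min && length($0) <= max' "$wordlist" \
        | shuf -n "$count" | tr '\n' ' ' | sed 's/ $//'
}

# check_passphrase PASSPHRASE COUNT MIN MAX
# Exit 0 only if PASSPHRASE has exactly COUNT words, each of length MIN..MAX.
check_passphrase() {
    printf '%s\n' "$1" | awk -v n="$2" -v min="$3" -v max="$4" '
        NF != n { exit 1 }
        { for (i = 1; i <= NF; i++)
              if (length($i) < min || length($i) > max) exit 1 }'
}

# Constructed word list (assumption: a real list is thousands of words).
# Returns the path of a temporary file; caller removes it.
demo_wordlist() {
    tmp=$(mktemp)
    printf '%s\n' apple sky green tower book lamp a to extraordinary \
        river stone cloud mountain key gate moon ship > "$tmp"
    echo "$tmp"
}

# Stand-alone run: 4 words of length 3-5, as in the notes.
WORDS=$(demo_wordlist)
PASS=$(gen_passphrase "$WORDS" 4 3 5)
echo "$PASS"
rm -f "$WORDS"
```

The checker exists because a typo in the awk pattern (an undefined variable compares as 0, so the filter silently matches nothing) leaves `shuf` with empty input and produces an empty passphrase; failing loudly is preferable.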

Create Initial Keypair

$ gpg --full-generate-key

Add a Photo

$ gpg --edit-key <key email>
gpg> addphoto

Add a New Signing Subkey

gpg> addkey

Save Changes

gpg> save

Create Revocation Certificate

$ gpg --output <key email>-gpg-revocation-certificate --gen-revoke <key email>

Export Keypair

$ gpg --export-secret-keys --armor <key email> > <key email>-private.gpg-key
$ gpg --export             --armor <key email> > <key email>-public.gpg-key

Transform Master Keypair into Laptop Keypair

$ mkdir /tmp/gpg
$ sudo mount -t ramfs -o size=1M ramfs /tmp/gpg
$ sudo chown $(logname):$(logname)     /tmp/gpg
$ gpg --export-secret-subkeys <key email> > /tmp/gpg/subkeys
$ gpg --delete-secret-key     <key email>
$ gpg --import /tmp/gpg/subkeys
$ sudo umount /tmp/gpg
$ rmdir /tmp/gpg
$ gpg --list-secret-keys
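Added example (not from the original notes) of the check the final `gpg --list-secret-keys` is there for: after the transformation, the primary key must show as `sec#` (secret part absent, only a stub) and the subkeys as plain `ssb`. The function below reads that listing from stdin and fails if a full primary secret key is still present. The two listings are constructed stand-ins for real gpg output, with a `<fingerprint>` placeholder.

```shell
#!/bin/sh
# laptop_keyring_ok: reads `gpg --list-secret-keys` output on stdin.
# Exit 0 only if every primary key line is "sec#" (stubbed) and at least
# one usable secret subkey ("ssb", not "ssb#") is present.
laptop_keyring_ok() {
    awk '
        $1 == "sec"  { full_primary++ }   # primary secret key still here: bad
        $1 == "sec#" { stub_primary++ }   # primary stubbed: what we want
        $1 == "ssb"  { subkeys++ }        # usable secret subkey
        END { exit !(full_primary == 0 && stub_primary > 0 && subkeys > 0) }'
}

# Constructed listings standing in for real gpg output (not real keys).
sample_laptop_listing() {
    printf '%s\n' \
        'sec#  rsa4096 2021-01-01 [SC]' \
        '      <fingerprint>' \
        'uid           [ultimate] Example User <user@example.com>' \
        'ssb   rsa4096 2021-01-01 [E]' \
        'ssb   rsa4096 2021-01-01 [S]'
}
sample_master_listing() {
    printf '%s\n' \
        'sec   rsa4096 2021-01-01 [SC]' \
        '      <fingerprint>' \
        'uid           [ultimate] Example User <user@example.com>' \
        'ssb   rsa4096 2021-01-01 [E]' \
        'ssb   rsa4096 2021-01-01 [S]'
}

# Word-valued wrapper, handy in scripts: "laptop" or "master".
keyring_status() {
    if laptop_keyring_ok; then echo laptop; else echo master; fi
}

# Stand-alone demo on the constructed listings. On the real machine:
#   gpg --list-secret-keys | keyring_status
sample_laptop_listing | keyring_status   # prints: laptop
sample_master_listing | keyring_status   # prints: master
```

Run it before unmounting the ramfs: if it reports `master`, the `--delete-secret-key` step did not take and the primary secret key is still on the laptop.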

Distribute Public Key to Keyserver

$ gpg --send-keys <key ID>

Revoke Laptop Keypair

$ gpg --import /path/to/<key email>-public.gpg-key /path/to/<key email>-private.gpg-key
$ gpg --edit-key <key email>
gpg> key <n>
gpg> key <n>
gpg> revkey
gpg> save

Revoke Master Keypair

If Keypair is Compromised

$ gpg --import <key email>-gpg-revocation-certificate
$ gpg --keyserver <key server> --send-keys <key ID>

If Keypair is Lost

$ gpg --keyserver <key server> --recv-keys <key ID>
$ gpg --import <key email>-gpg-revocation-certificate
$ gpg --keyserver <key server> --send-keys <key ID>

Save exported keys

$ mount -t vfat /dev/sdb1 /media/usb
$ cp ~/password* /media/usb
$ umount /media/usb

Restore ASCII-armored Keypair

$ gpg --import password-storage-private.asc

Restore Paperkey-encoded Keypair

Can I make this into a pipeline?

$ gpg --dearmor password-storage-public.asc
$ paperkey --pubring password-storage-public.asc.gpg --secrets password-storage.paperkey --output private.key
$ gpg --import private.key