blob: 11721f05a7d2f6af870eb118897b171151d1c092 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
|
How to GnuPG
============
WARN: You MUST only use those instructions if you know exactly what
you're doing! If you don't, you MUST NOT use those instructions!
## Prepare for a master key creation
- Choose a storage medium which will keep the master key and will be
kept VERY SAVE somewhere (also think for some redundancy). WARN: If
you choose a medium which probably could fail, you will be screwed up
in a later point in time!
- Choose how (or where?) to keep master passphrase.
## Initialize a new master key
export GNUPGHOME=/mnt/your/master/.gnupg
gpg --full-gen-key
## Add additional identities (as needed)
export GNUPGHOME=/mnt/your/master/.gnupg
gpg --edit-key foo@example.com
gpg> adduid
gpg> save
## Create keys for some daily-use devices
export GNUPGHOME=/mnt/your/master/.gnupg
gpg --edit-key foo@example.com
# Add an encryption and a sign key
gpg> addkey (then choose "encryp only")
gpg> addkey (then choose "sign only")
## Export subkeys for use on a daily-use device
# From now work with a temporary copy.
mkdir /mnt/your/tmp/.gnupg
(cd /mnt/your/master/.gnupg && tar c $(ls -A)) | (cd /mnt/your/tmp/.gnupg && tar x)
export GNUPGHOME=/mnt/your/tmp/.gnupg
# Print list of what we have
gpg --edit-key foo@example.com quit
# I suggest to use a different passphrase than the master key has.
# (HINT: just ignore error about missing private key. it works anyway)
gpg --edit-key foo@example.com passwd quit
# Choose one encrypt and one sign key and replace F00 and BA5
# below with them.
gpg --export-secret-subkeys F00! BA5! > keys-for-device
## Import prepared subkeys on daily-use device
gpg --import keys-for-device
gpg --edit-key foo@example.com
gpg> trust
gpg> save
## Sign a foreign key to express to the world that we trust it
gpgwin --sign-key foreignUser@example.com
## Use keys with throw-away keyring
GNUPGHOME="/tmp/foo/"
gpg ...
## Some other helpful places
- "https://insight.o-o.studio/article/setting-up-gpg.html#encryption-key"
- "https://davesteele.github.io/gpg/2014/09/20/anatomy-of-a-gpg-key/"
- "https://gpg.wtf/"
## Start/stop gpg-agent
gpgconf --kill gpg-agent
gpgconf --launch gpg-agent
|