Revocation Cert
Needed to revoke your key should the master signing/certifying key ever be compromised
gpg --output \<tyler@tylercipriani.com\>.gpg-revocation-certificate --gen-revoke tyler@tylercipriani.com
lpr \<tyler@tylercipriani.com\>.gpg-revocation-certificate
shred --remove \<tyler@tylercipriani.com\>.gpg-revocation-certificate
store printed revocation cert in file or safe-deposit box
Key backup
Download paperkey and its gpg signature
wget -c http://www.jabberwocky.com/software/paperkey/paperkey-1.3.tar.gz
wget -c http://www.jabberwocky.com/software/paperkey/paperkey-1.3.tar.gz.sig
Get David Shaw's public key (0x99242560) from your keyserver of choice
Verify that you have downloaded the right paperkey tarball and that the level of trust is sufficient for your purposes (the signature and the tarball live in the same directory, so both paths are given relative to it)
gpg --verify paperkey-1.3.tar.gz.sig paperkey-1.3.tar.gz
gpg: Signature made Thu 03 Jan 2013 09:18:32 PM MST using RSA key ID FEA78A7AA1BC4FA4
gpg: Good signature from "David M. Shaw <dshaw@jabberwocky.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7D92 FD31 3AB6 F373 4CC5 9CA1 DB69 8D71 9924 2560
Subkey fingerprint: A154 3829 812C 9EA9 87F1 4526 FEA7 8A7A A1BC 4FA4
If you have a good signature from David Shaw, extract and install
tar xvzf paperkey-1.3.tar.gz
rm paperkey-1.3.tar.gz
cd paperkey-1.3
./configure
make
sudo make install
Print your secret key
Store it in your file or safe-deposit box
Subkeys
By default, GnuPG creates a key for signing and an encryption subkey:
pub   rsa4096 2014-02-19 [SC]
      6237D8D3ECC1AE918729296FF6DAD285018FAC02
uid           [ultimate] Tyler Cipriani <tyler@tylercipriani.com>
sub   rsa4096 2014-02-19 [E]
You can add a new subkey with the command
And then you should see
pub   rsa4096 2014-02-19 [SC]
      6237D8D3ECC1AE918729296FF6DAD285018FAC02
uid           [ultimate] Tyler Cipriani <tyler@tylercipriani.com>
sub   rsa4096 2014-02-19 [E]
sub   rsa4096 2016-09-02 [S] [expires: 2018-09-02]
You can then remove your certification master key (make sure you've gone through the key backup process before you do this!)
- Export all your secret subkeys
- Remove all your secret keys from your keyring
- Reimport only your subkeys
gpg --export-secret-subkeys tyler > subkeys
gpg --delete-secret-key tyler
gpg --import subkeys
shred --remove subkeys
Now gpg --list-secret-keys shows sec# (a # after sec) next to my [SC] key. This indicates that the secret part of that key is no longer accessible from this keyring; the subkeys still list as ssb and remain usable.
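A check for that end state, added here as an example and not part of the original notes: it parses the machine-readable listing from gpg --list-secret-keys --with-colons and confirms that the master secret key is only a stub while at least one secret subkey is still usable. It assumes the colon-format field layout from GnuPG's DETAILS document (field 15 of a sec/ssb record is "#" for a stub, "+" for an available key); the subkey IDs and uid hash in the constructed samples are placeholders.

```shell
# Reads a colon-format secret key listing on stdin. Exit status 0 only when the
# sec (master) record is a stub and at least one ssb (subkey) record is usable.
check_master_offline() {
    awk -F: '
        $1 == "sec" { seen_sec = 1; if ($15 == "#") stub = 1 }
        $1 == "ssb" && $15 != "#" { usable++ }
        END {
            if (!seen_sec) { print "no secret key found in listing"; exit 1 }
            if (!stub)     { print "WARNING: master secret key is still in the keyring"; exit 1 }
            if (!usable)   { print "WARNING: no usable secret subkeys left"; exit 1 }
            printf "OK: master key is a stub, %d usable subkey(s)\n", usable
            exit 0
        }'
}

# Constructed sample listing (not real key material): the fingerprint and dates
# are the ones shown above; subkey IDs and the uid hash are placeholders.
# Before the cleanup: the sec record carries "+" in field 15, i.e. the master
# secret key is still present.
SAMPLE_BEFORE='sec:u:4096:1:F6DAD285018FAC02:1392768000::::::scESC:::+:::23::0:
fpr:::::::::6237D8D3ECC1AE918729296FF6DAD285018FAC02:
uid:u::::1392768000::PLACEHOLDERUIDHASH::Tyler Cipriani <tyler@tylercipriani.com>::::::::::0:
ssb:u:4096:1:0000000000000001:1392768000::::::e:::+:::23:
ssb:u:4096:1:0000000000000002:1472774400:1535846400:::::s:::+:::23:'

# After export-secret-subkeys / delete-secret-key / import: the only difference
# is field 15 of the sec record, which becomes "#" (the stub marker).
SAMPLE_AFTER=$(printf '%s\n' "$SAMPLE_BEFORE" | sed '1s/:+:/:#:/')

# Live use against a real keyring:
#   gpg --list-secret-keys --with-colons tyler@tylercipriani.com | check_master_offline
printf '%s\n' "$SAMPLE_AFTER" | check_master_offline
printf '%s\n' "$SAMPLE_BEFORE" | check_master_offline || true   # expected to warn
```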