Revocation Cert

Needed to revoke your key should the master signing/certifying key ever be compromised

gpg --output \<tyler@tylercipriani.com\>.gpg-revocation-certificate --gen-revoke tyler@tylercipriani.com
lpr \<tyler@tylercipriani.com\>.gpg-revocation-certificate
shred --remove \<tyler@tylercipriani.com\>.gpg-revocation-certificate

store printed revocation cert in file or safe-deposit box

Key backup

Paperkey

Download paperkey and its gpg signature

wget -c http://www.jabberwocky.com/software/paperkey/paperkey-1.3.tar.gz
wget -c http://www.jabberwocky.com/software/paperkey/paperkey-1.3.tar.gz.sig

Get David Shaw’s public key (0x99242560) from your keyserver of choice

gpg --search-keys 'dshaw@jabberwocky.com'

Verify you have downloaded the right paper key and that the level of trust is sufficient for your purposes

gpg --verify Downloads/paperkey-1.3.tar.gz.sig paperkey-1.3.tar.gz
gpg: Signature made Thu 03 Jan 2013 09:18:32 PM MST using RSA key ID FEA78A7AA1BC4FA4
gpg: Good signature from "David M. Shaw <dshaw@jabberwocky.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7D92 FD31 3AB6 F373 4CC5  9CA1 DB69 8D71 9924 2560
     Subkey fingerprint: A154 3829 812C 9EA9 87F1  4526 FEA7 8A7A A1BC 4FA4

If you have a good signature from davidExtract and install

tar xvzf paperkey-1.3.tar.gz
rm paperkey-1.3.tar.gz
cd paperkey-1.3
./configure
make
sudo make install

Print you secret key

gpg --export-secret-key tyler@tylercipriani.com | paperkey | lpr

Store it in your file or safe-deposit-box

Subkeys

Good Resource

By default, GnuPG creates a key for signing and an encryption subkey:

gpg --list-keys tyler
pub rsa4096 2014-02-19 [SC]
6237D8D3ECC1AE918729296FF6DAD285018FAC02
uid [ultimate] Tyler Cipriani <tyler@tylercipriani.com>
sub rsa4096 2014-02-19 [E]

You can add a new subkey with the command

gpg --edit-key tyler
gpg> addkey

And then you should see

gpg --list-keys tyler
pub rsa4096 2014-02-19 [SC]
6237D8D3ECC1AE918729296FF6DAD285018FAC02
uid [ultimate] Tyler Cipriani <tyler@tylercipriani.com>
sub rsa4096 2014-02-19 [E]
sub rsa4096 2016-09-02 [S] [expires: 2018-09-02]

You can then remove your certification master key (make sure you’ve gone through the key backup process before you do this!)

  1. Export all your secret subkeys
  2. Remove all your secret keys from your keyring
  3. Reimport only your subkeys
gpg --export-secret-subkeys tyler > subkeys
gpg --delete-secret-key tyler
gpg --import subkeys
shred --remove subkeys

Now gpg --list-keys shows a # next to sec# next to my [SC] key. This indicates that the key is no longer accessible.