Offline GPG Primary Keys
On 10-Jun-2018 13:37:57:
A bunch of years ago I drank a little too much Kool-Aid and went full on paranoid with PGP keys. GPG keys are made up of primary keys and subkeys. One cool thing you can do is keep the primary key offline and generate new subkeys each year. Would I do this again? Probably not, its annoying. But it was interesting at the time and now I have to re-learn how to manage the key each year when generating new subkeys. This post is really just my own documentation.
- Edit your full key
gpg --homedir PATH_TO_FULL_KEY --edit-key KEY_ID
- Add new subkeys (one of each type, signing + encryption)
addkey
- Revoke the old keys
key N
revkey
- Copy the new public key over to your normal keyring
gpg --homedir PATH_TO_FULL_KEY --export --armor KEY_ID | gpg --import
- Delete the secret key from your normal PGP keyring (GPG cannot handle updating a secret key like it can with public keys)
gpg --delete-secret-key KEY_ID
- Copy the secret subkeys to your normal PGP keyring
gpg --homedir PATH_TO_FULL_KEY --export-secret-subkeys --armor KEY_ID | gpg --import
I haven't done it in a long time, but the procedure for generating a new key to manage this way should be very similar.
The main problem with this is to sign other PGP keys I need the primary key and an even sillier GPG command:
gpg --homedir PATH_TO_FULL_KEY --keyring ~/.gnupg/pubring.gpg --secret-keyring ~/.gnupg/secring.gpg --trustdb-name ~/.gnupg/trustdb.gpg
IIRC this was even more ridiculous when I first did it, but GPG has gained some options which make it easier