Secure and easy to use GnuPG setup

Using GnuPG requires balancing security against ease of use.

I want to:

  • keep my keys secure from theft and accidental loss
  • use GnuPG regularly throughout the day, e.g. for signing Git commits and encrypting/signing emails

These two goals go against each other. The first requires that the key is stored on an extra secure system and that the passphrase is strong.

The second goal requires that the key is available on my regular machine and the passphrase is not very long and complicated, so it can be typed easily.

There are many ways to strike the right balance.

One of the ways is to use subkeys:

  • keep the primary keypair on your extra secure system
  • generate an additional signing subkey
  • export subkeys to your regular machine; for everyday activity use only them

If the subkeys are compromised or lost, they can be revoked from the secure machine and new ones can be generated.

This is how you do such a setup from scratch:

  • on your secure system, generate a new keypair; follow the good practices described in the GNU Privacy Handbook and use a 4096-bit key
  • generate a revocation certificate
  • generate an additional signing subkey
  • export secret subkeys to a file: gpg --export-secret-subkeys --armor YOUR_KEY_ID >my-secret-subkeys.txt; this file also contains your public key
  • copy this file to your regular machine
  • and import it with gpg --import my-secret-subkeys.txt
  • change the passphrase to make these subkeys easier to use
  • optionally send your key to the key server: gpg --send-keys YOUR_KEY_ID
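
After the import it is worth confirming that the regular machine really holds only the subkeys. The script below is an added example, not part of the original post: it reads gpg's machine-readable listing and fails if the primary key is anything but a stub, or if no usable signing subkey is present. The function name and the sample listings are constructed for illustration, and it assumes the keys are not on a smartcard.

```sh
#!/bin/sh
# Added example (not from the original post).
# Usage on the regular machine, after the import step:
#   gpg --list-secret-keys --with-colons YOUR_KEY_ID | check_subkeys_only
# Colon-format fields used: 1 = record type (sec = primary, ssb = subkey),
# 2 = validity (r = revoked, e = expired), 5 = key ID, 12 = capabilities,
# 15 = "#" when only a stub is stored, i.e. the secret part is absent.

check_subkeys_only() {
    awk -F: '
        $1 == "sec" {
            primaries++
            if ($15 != "#") {
                print "FAIL: primary key " $5 " is not a stub (secret part available)"
                bad = 1
            }
        }
        # Count subkeys usable here: secret part present, not revoked or expired.
        $1 == "ssb" && $15 != "#" && $2 != "r" && $2 != "e" {
            if ($12 ~ /s/) sign++
            if ($12 ~ /e/) encr++
        }
        END {
            if (primaries == 0) { print "FAIL: no secret keys listed"; exit 2 }
            if (bad) exit 1
            if (sign == 0) { print "FAIL: no usable signing subkey"; exit 3 }
            print "OK: primary offline, " sign " signing and " (encr + 0) " encryption subkey(s) usable"
        }
    '
}

# Constructed sample listings (placeholder key IDs, not real keys).
# Regular machine after importing only the subkeys: primary is a stub.
SAMPLE_REGULAR='sec:u:4096:1:AAAAAAAAAAAAAAAA:1500000000:::u:::scESC:::#:
uid:u::::1500000000::::Example User <user@example.org>:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1500000000::::::e:::+:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1500000000::::::s:::+:'

# Same key where the full secret key was imported by mistake.
SAMPLE_FULL_KEY='sec:u:4096:1:AAAAAAAAAAAAAAAA:1500000000:::u:::scESC:::+:
uid:u::::1500000000::::Example User <user@example.org>:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1500000000::::::e:::+:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1500000000::::::s:::+:'

printf '%s\n' "$SAMPLE_REGULAR" | check_subkeys_only
```

In the human-readable output of gpg --list-secret-keys the same condition appears as sec# on the primary key line.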

Now you can use GPG easily on your regular machine while the primary key is kept safely on your secure machine. Don’t forget to log in to your secure machine from time to time and check that you still remember the primary key passphrase.

Useful links:

Some bonus links about signing Git commits:

Later I might make more blog posts on signing Git commits and setting up the secure system.