

OpenPGP keys

Purposes

  • Encrypted e-mail communication;
  • Signing e-mail messages;
  • File signing (for security.txt)

Creating the key pair

Following mainly the guide at https://blog.eleven-labs.com/en/openpgp-almost-perfect-key-pair-part-1/, with some additions from https://alexcabal.com/creating-the-perfect-gpg-keypair and https://www.kuketz-blog.de/gnupg-schluesselerstellung-und-smartcard-transfer-nitrokey-teil2/.

Step 1: Creating the master key

We will choose to generate our key in a custom way and create the certification key for Wilson. It will allow us to certify other keys. It is very important; you must keep it safe. In the event of loss or theft, the person who holds the key would be able to pretend to be the rightful owner.

Parameters: RSA, Certify, 4096, 3 years, Gladiatorenmeister lanista@circus-maximus.de

Step 2: Creating subkeys

As we saw in the introduction on subkeys, it is important to have one dedicated to each task: Authenticate (A), Sign (S), Encrypt (E).

gpg2 --expert --edit-key 1A8132B1

I created one subkey for S+E and one for A. Parameters: RSA, …, 4096, 3 years

Step 3: Export the master key

The PGP key must not be used as it is. Remember, in the event of theft of the master key and the password, the thief can spoof the digital identity and sign messages in place of the real person. It is therefore essential to separate the master key from the subkeys. The master key, which is used to certify, will be kept in cold storage, completely disconnected from the network.

First, create a revocation certificate in the event of theft of the master key.

gpg2 --output 1A8132B1.rev --gen-revoke 1A8132B1

The revocation certificate is written to 1A8132B1.rev. It must be kept in a safe place (part 3 of the guide covers this).

Let's also save all keys.

gpg2 --export --armor 1A8132B1 > 1A8132B1.pub.asc
gpg2 --export-secret-keys --armor 1A8132B1 > 1A8132B1.priv.asc
gpg2 --export-secret-subkeys --armor 1A8132B1 > 1A8132B1.sub_priv.asc

1A8132B1.pub.asc will contain all public keys and 1A8132B1.priv.asc the private keys of the master key. 1A8132B1.sub_priv.asc contains only the private keys of the subkeys.

As mentioned above, we will only use the subkeys for daily use.

Let's delete all private keys.

gpg2 --delete-secret-key 1A8132B1

Then, we import only the private keys of the subkeys.

gpg2 --import 1A8132B1.sub_priv.asc

Let's check that we have only the private keys of the subkeys:

gpg2 --list-secret-keys

The master key must now be listed as sec# (the # marks a secret key that is not present, i.e. only a stub), while the subkeys still appear as ssb.
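The three steps above as one script, added here as an example; it is not code from this wiki page or from the eleven-labs guide. It assumes GnuPG 2.1 or newer on the PATH as gpg (the page uses gpg2), a throw-away GNUPGHOME, an empty passphrase for the demo run, and the identity string from the page. It also adds the final check as a function: the colon-format listing is parsed and the result is "offline" only when the master secret key is a stub and every subkey secret is present.

```shell
#!/bin/sh
# Added example: certify-only master key, S+E and A subkeys, export, removal of
# the master secret key from the working keyring, and a machine-readable check.
# Assumptions: GnuPG >= 2.1 as "gpg", empty passphrase (demo only), identity
# string taken from the page. Not the wiki's or the guide's own code.
set -eu

USER_ID="Gladiatorenmeister <lanista@circus-maximus.de>"
EXPIRE="3y"

# gpg with the options needed to run non-interactively (demo passphrase is empty).
gpgb() { gpg --batch --pinentry-mode loopback --passphrase '' "$@"; }

# Reads "gpg --list-secret-keys --with-colons" on stdin and prints one word:
#   offline - the "sec" record is a stub ("#" in field 15), subkey secrets present
#   online  - a real master secret key is still in the keyring (exit 1)
#   missing - no sec record, or a subkey secret is itself a stub (exit 2)
check_master_offline() {
    awk -F: '
        $1 == "sec" { seen_sec = 1; if ($15 == "#") stub = 1; else present = 1 }
        $1 == "ssb" { nsub++; if ($15 == "#") sub_stub = 1 }
        END {
            if (!seen_sec)             { print "missing"; exit 2 }
            if (present)               { print "online";  exit 1 }
            if (nsub == 0 || sub_stub) { print "missing"; exit 2 }
            print "offline"
        }'
}

# Runs the full procedure in GNUPGHOME=$1 and writes the exports to $2.
create_offline_master() {
    GNUPGHOME="$1"; export GNUPGHOME
    mkdir -p "$GNUPGHOME"; chmod 700 "$GNUPGHOME"
    out="$2"; mkdir -p "$out"

    # Step 1: certify-only RSA-4096 master key (the page does this interactively
    # with --expert; --quick-gen-key with usage "cert" gives the same layout).
    gpgb --quick-gen-key "$USER_ID" rsa4096 cert "$EXPIRE"
    fpr=$(gpg --list-keys --with-colons "$USER_ID" | awk -F: '$1 == "fpr" { print $10; exit }')

    # Step 2: one signing+encryption subkey and one authentication subkey.
    gpgb --quick-add-key "$fpr" rsa4096 sign,encr "$EXPIRE"
    gpgb --quick-add-key "$fpr" rsa4096 auth "$EXPIRE"

    # Step 3: GnuPG 2.1+ already wrote a revocation certificate at creation time;
    # keep it together with the master key, off this machine.
    cp "$GNUPGHOME/openpgp-revocs.d/$fpr.rev" "$out/$fpr.rev"
    gpg --export --armor "$fpr" > "$out/$fpr.pub.asc"
    gpgb --export-secret-keys --armor "$fpr" > "$out/$fpr.priv.asc"
    gpgb --export-secret-subkeys --armor "$fpr" > "$out/$fpr.sub_priv.asc"
    chmod 600 "$out/$fpr.priv.asc" "$out/$fpr.sub_priv.asc" "$out/$fpr.rev"

    # Remove every secret key, then re-import only the subkey secrets.
    gpg --batch --yes --delete-secret-keys "$fpr"
    gpgb --import "$out/$fpr.sub_priv.asc"

    # The check from the page: the master key must now be a stub ("sec#").
    gpg --list-secret-keys --with-colons "$fpr" | check_master_offline
}

# Constructed sample of a listing after the procedure (placeholder key IDs and
# fingerprint; field 15 of the sec record is "#", so the master key is offline).
SAMPLE_OFFLINE='sec:u:4096:1:0000000000000001:1684248934:1778000000::u:::cESC:::#:::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:u::::1684248934::0000000000000000000000000000000000000000::Gladiatorenmeister <lanista@circus-maximus.de>::::::::::0:
ssb:u:4096:1:0000000000000002:1684248934:1778000000:::::es::::::23:
ssb:u:4096:1:0000000000000003:1684248934:1778000000:::::a::::::23:'

if [ "${1:-}" = "--run" ]; then
    create_offline_master "${2:-$(mktemp -d)}" "${3:-./exported-keys}"
else
    # Without --run, only exercise the check on the constructed sample.
    printf '%s\n' "$SAMPLE_OFFLINE" | check_master_offline
fi
```

Run it as sh script.sh --run /tmp/gnupg-demo ./exported-keys to generate a fresh key pair; afterwards move the .priv.asc and .rev files to cold storage and keep only .sub_priv.asc and .pub.asc on the working machine. Without --run the script only feeds the constructed sample through check_master_offline, which is the part worth reusing as a periodic check on a laptop keyring.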

Conclusion

Through this article, we have created a PGP key with a set of subkeys, each dedicated to a particular task. The advantage of OpenPGP over a simple asymmetric key is the subkeys. If one of them is compromised, you only need to revoke it and generate a new one. It will not be necessary to revoke the master key, the one that holds our digital identity. This strategy offers a much higher level of security.

You can now sign your e-mails and receive them encrypted, sign your git commits, use keybase.io and even authenticate yourself to a server over SSH.

openpgp-schluessel.1684248934.txt.gz · Last modified: 2023/05/16 16:55 by caesar
