How To Make PGP Subkeys With GPG
Tue, 11 Apr 2023 09:58:20 -0500
In a previous post, I talked about how to make a simple GPG key pair to encrypt your files. However, while the simple setup is easy, there is a major security risk with having your private key just sitting on your laptop. From now on we will call this your master key, and as that name implies, you can do just about anything with your master key. You can edit your keys, change expiration dates, issue new keys, and many other things which are nice for you but would be disastrous if it fell into the hands of someone else!
We can remedy this security hole by creating subkeys. Subkeys are basically private keys with restrictions. They are allowed to perform specific tasks (like decrypt messages), but they are barred from more administrative level activities. The fact is, if you have a GPG key pair, you should be using subkeys. Here's how you can do that.
I've written this post based on Mike Ross's article on the subject. I have the original referenced below. It's a nice guide, but I wanted to write my own article for my own education.
Generate a subkey
This tutorial assumes that you already have a key pair. If you don't, be sure to read this article. First, in order to see your keys, run the following command. You should get something like this output:
$ gpg --list-secret-keys
sec rsa4096 yyyy-mm-dd [SC] [expires: yyyy-mm-dd]
<KEY-ID>
uid [ultimate] <John Doe> <john@email.tdl>
ssb rsa4096 yyyy-mm-dd [E] [expires: yyyy-mm-dd]
You will notice that after the key creation date, there are some letters in square brackets. These tell you what the key is allowed to do.
- [E] encryption
- [S] signing
- [C] certification
- [A] authentication
You will notice that in the output there is already a subkey for encryption. Also, the master key has [SC] next to it. This means that it is allowed to sign and certify. Certification is what allows the key to issue new subkeys, which is what we want to restrict.
In this simple example, we want to create a subkey that allows signing or [S]. The first thing we need to do is create the subkey. Begin by entering the following command.
$ gpg --edit-key <KEY-ID>
You will be met with a gpg prompt. Enter the following command.
gpg> addkey
This will prompt you with a menu similar to this one.
Please select what kind of key you want:
(1) RSA (sign only)
(2) DSA (sign only)
(3) RSA (encrypt only)
In this example, we will select (1) or RSA sign only. After hitting enter, it will show you a new key prefixed with ssb. Next we need to save our changes.
gpg> save
That's it. Now you have a subkey for signing, but we're not done yet. Now we have to back up and remove the master key from your computer.
Back up and remove the master key
This step is important, and you need to be careful! If you accidentally delete your master key without backing it up, you're gonna have a bad day. We can export our key as follows.
gpg --output public_backup.gpg --export <KEY-ID>
gpg --output private_backup.gpg --export-secret-key <KEY-ID>
gpg --output subkeys_backup.gpg --export-secret-subkeys <KEY-ID>
Then, take the backup files, and move them somewhere safe. I generally like to have three offline backups. A good tech rule of thumb to follow is: If a file doesn't exist in three places, it doesn't exist at all. Whether you put them on a secure USB drive, an external hard drive, or another offline storage device, you should be fine. For the love of God, do not upload your private key to Google Drive or some other cloud storage.
I don't want to spend too much time on this side tangent, but whether it's an SSH key, GPG key, or other private key, it is never a good idea to store them online. The reason for this is twofold:
- It is now a target for hackers. If any online account is hacked, your keys are out there.
- You should not trust Google, Microsoft, Dropbox, or any other cloud storage company with your data--especially if it's a proprietary system. There is no guarantee that they are not looking at your files.
If you want extra security, I would recommend putting them on an encrypted drive. Generally, I use a simple LUKS encrypted flash drive or some other device.
After you have made sure you have backed up your master key and subkeys, we will delete the master key.
gpg --delete-secret-keys <KEY-ID>
This will give you a series of prompts to ensure that you're really sure you want to delete your key. Select yes to all of them.
Finally, we will reimport the subkeys. We will use the backup we just made. Execute the following command.
gpg --import subkeys_backup.gpg
If you enter gpg --list-secret-keys again, you will notice that sec now has a # next to it (sec#). That means that the master key exists, but its secret part is not stored on this device.
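A check for the result described above, as an added example that is not part of the original post: it parses the machine-readable form of the same listing (gpg --list-secret-keys --with-colons) and fails if a master secret key is still on the machine. The function name audit_keyring, its exit codes, and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a secret-key listing after the master key was removed.
# Field numbers follow the GnuPG colon listing format: field 5 is the key ID,
# field 12 the capabilities, field 15 is "#" when only a stub is stored locally.

# Constructed sample listings (not real keys): before and after the procedure.
SAMPLE_BEFORE='sec:u:4096:1:AAAAAAAAAAAAAAAA:1681000000:1744072000::u:::scESC:::+:::23::0:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1681000000:1744072000:::::e:::+:::23:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1681000000:1744072000:::::s:::+:::23:'
SAMPLE_AFTER='sec:u:4096:1:AAAAAAAAAAAAAAAA:1681000000:1744072000::u:::scESC:::#:::23::0:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1681000000:1744072000:::::e:::+:::23:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1681000000:1744072000:::::s:::+:::23:'

# audit_keyring: reads a colon listing on stdin, prints one line per secret
# key record, and returns:
#   0  every master key is offline and at least one subkey is usable
#   1  a master secret key is still stored on this machine
#   2  no secret keys found in the input
#   3  master is offline but no subkey secret was re-imported
audit_keyring() {
    awk -F: '
        $1 == "sec" {
            masters++
            if ($15 != "#") exposed++
            printf "sec %s caps=%s secret=%s\n", $5, $12, ($15 == "#" ? "offline" : "present")
        }
        $1 == "ssb" {
            if ($15 != "#") usable++
            printf "ssb %s caps=%s secret=%s\n", $5, $12, ($15 == "#" ? "offline" : "present")
        }
        END {
            if (masters == 0) exit 2
            if (exposed > 0)  exit 1
            if (usable == 0)  exit 3
            exit 0
        }'
}

# Demo on the constructed "after" listing. On a real keyring, run:
#   gpg --list-secret-keys --with-colons | audit_keyring
printf '%s\n' "$SAMPLE_AFTER" | audit_keyring
```

Exit code 3 catches the case where the master key was deleted but the subkey import was skipped, which would leave the machine unable to sign or decrypt.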
After this you are now able to encrypt and decrypt without worrying about your master key being at risk. Additionally, you can import your subkeys to other devices with ease. Have fun encrypting!