5 Tips to Secure Your GPG Key in Linux


GPG keys are a vital part of verifying your online identity, so keeping the private half out of the hands of bad actors ensures that no one can impersonate you in your communications with other people. Here, we show you five simple tips on how to secure your GPG key in Linux.


Tip: learn how to generate your own GPG key in Linux today.

1. Create Subkeys for Each GPG Function

One of the easiest ways to secure your GPG key in Linux is to create a separate subkey for each key function. Subkeys are additional key pairs bound to your primary (master) key by a signature from it. Once your day-to-day signing, encryption and authentication all happen with subkeys, the primary key is only needed to certify: to add or revoke subkeys and to sign other people's keys. That makes it far harder for a bad actor to get at your primary private key, because you can keep it off the machine entirely (see tip 5), while a stolen or expired subkey can be revoked and replaced without anyone having to re-trust your identity.

To do this, open the GPG key prompt for your primary key:

gpg --expert --edit-key YOUR-GPG@EMAIL.ADDRESS

Run change-usage to change the default capabilities of your primary key.

Type "S," then press Enter to toggle off the signing capability of your primary key, then type "Q" and press Enter to leave the capability menu. The primary key keeps only the Certify (C) capability, which is all it needs to sign subkeys and other people's keys.

Run addkey to add a new subkey to your primary key.

Select "8" (RSA, set your own capabilities) on the key algorithm prompt, then press Enter.

Type “=S” on the prompt, then press Enter to set the capability of the subkey to “Sign-only.”

Note: you can change the value of “=S” to either “=E” or “=A” to set a subkey’s function to either Encrypt-only or Authenticate-only.

Provide "4096" on the keysize prompt, then press Enter to set the size of your RSA subkey to 4096 bits.

Set a reasonable validity period for your subkey. In my case, I will set my subkey to expire after 1 year.

Create your new subkey by typing “y,” then pressing Enter on the confirmation prompt.

Rerun the addkey command and create the other two subkeys, for the Encryption and Authentication capabilities. (A key generated with GPG's defaults already has an encryption subkey; you can keep that one and only add an authentication subkey.)

Confirm that your GPG key has a subkey for every capability by running the list subcommand, then run save to write the new subkeys to your keyring. Without save, everything you did in this prompt is discarded.

On a side note: are you a Windows user as well? Learn how to setup and use GPG in Windows.

2. Set an Expiry Date for Your Keys

Another easy way to secure your GPG key in Linux is to give your primary key and subkeys an expiry date. Other people's GPG will refuse to encrypt to an expired key and will flag signatures made after the date, so if you ever lose the private key, its passphrase or your revocation certificate, the key stops being usable on its own instead of living on forever. The date costs you little: you can extend it at any time with the primary key, and a key that needs periodic refreshing gives other GPG users a reason to keep validating your key against a keyserver.

Start by opening your primary key inside the GPG CLI tool:

gpg --edit-key YOUR-GPG@EMAIL.ADDRESS

Type "expire," then press Enter to edit the expiry date of your primary key. In my case, I will set mine to expire after 10 years.

Provide the passphrase for your GPG key, then press Enter to commit the new expiry date.

Run the following commands to select your GPG key's subkeys (key followed by a number toggles that subkey's selection, so one command per subkey selects all three):

key 1
key 2
key 3

Run expire, then provide an expiry date for your subkeys. In most cases, these keys should expire sooner than your primary key. For me, I will set them to expire after eight months.

Type “save,” then press Enter to commit your changes to your GPG keyring.

Confirm that your key has the proper expiry dates by running: gpg --list-keys. The expiry date lives in a self-signature on your public key, so re-publish the updated key afterwards (for example with gpg --send-keys, or by exporting it again); otherwise other people keep using the old date.
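Tips 1 and 2 are interactive, which makes them awkward to repeat or to audit. The script below is an added example, not the article's own commands: it builds the same layout non-interactively with gpg's --quick-* commands inside a throwaway GNUPGHOME, then reads the result back with --with-colons to check that the primary key is certify-only, that each subkey has exactly one capability, and that the subkeys expire before the primary key does. It assumes GnuPG 2.2 or newer on PATH; the user ID is made up, and it defaults to Curve25519 keys for speed (set GPG_SIGN_ALGO and GPG_ENCR_ALGO to rsa4096 to match the key type used in the article).

```shell
#!/bin/sh
# Added example (not from the article): non-interactive equivalent of Tips 1 and 2,
# built in a throwaway keyring so it never touches ~/.gnupg.
# Assumptions: GnuPG >= 2.2 on PATH; the user ID below is made up.

DEMO_UID="${GPG_DEMO_UID:-Alice Example <alice@example.invalid>}"   # constructed
SIGN_ALGO="${GPG_SIGN_ALGO:-ed25519}"   # set both to rsa4096 to match the article
ENCR_ALGO="${GPG_ENCR_ALGO:-cv25519}"

# Batch mode with an empty passphrase so nothing prompts. Fine for a throwaway
# keyring; protect a real key with a passphrase instead.
g() { gpg --batch --pinentry-mode loopback --passphrase '' "$@"; }

# Tip 1: certify-only primary key plus one subkey per function.
# Prints the primary key's fingerprint. Refuses to run without a GNUPGHOME.
make_key() {
    : "${GNUPGHOME:?set GNUPGHOME to a throwaway directory first}"
    g --quick-generate-key "$DEMO_UID" "$SIGN_ALGO" cert 10y
    fpr="$(gpg --with-colons --list-keys "$DEMO_UID" | awk -F: '$1=="fpr"{print $10; exit}')"
    g --quick-add-key "$fpr" "$SIGN_ALGO" sign 1y
    g --quick-add-key "$fpr" "$ENCR_ALGO" encr 1y
    g --quick-add-key "$fpr" "$SIGN_ALGO" auth 1y
    printf '%s\n' "$fpr"
}

# Capability letters of primary and subkeys in keyring order; expect "c s e a".
# Field 12 of sec/ssb records holds them; uppercase letters summarise the whole
# key rather than this key's own capabilities, so they are dropped.
caps() {
    gpg --with-colons --list-secret-keys "$1" |
        awk -F: '$1=="sec"||$1=="ssb"{c=$12; gsub(/[A-Z]/,"",c); out=out (out==""?"":" ") c} END{print out}'
}

# Days until each key expires, primary first ("never" when field 7 is empty)
expiry_days() {
    gpg --with-colons --with-subkey-fingerprint --list-keys "$1" |
        awk -F: -v now="$(date +%s)" '$1=="pub"||$1=="sub"{
            d=($7==""?"never":int(($7-now)/86400+0.5)); out=out (out==""?"":" ") d} END{print out}'
}

# Tip 2: give every subkey a shorter lifetime than the primary key.
# $1 = primary fingerprint, $2 = gpg expiry string such as 8m or 1y
set_subkey_expiry() {
    subs="$(gpg --with-colons --with-subkey-fingerprint --list-keys "$1" |
        awk -F: '$1=="fpr"{n++; if (n>1) print $10}')"   # fpr records after the first are subkeys
    # shellcheck disable=SC2086
    g --quick-set-expire "$1" "$2" $subs   # word splitting of $subs is intended
}

demo() {
    GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; chmod 700 "$GNUPGHOME"
    fpr="$(make_key)"
    echo "primary fingerprint: $fpr"
    echo "capabilities:        $(caps "$fpr")"
    echo "expiry in days:      $(expiry_days "$fpr")"
    set_subkey_expiry "$fpr" 8m
    echo "after 8m on subkeys: $(expiry_days "$fpr")"
    gpgconf --kill gpg-agent
    rm -rf "$GNUPGHOME"
}

# Run with:  GPG_DEMO=1 sh subkeys-demo.sh   (or source the file and call the functions)
if [ "${GPG_DEMO:-0}" = 1 ]; then demo; fi
```

Expiry strings use gpg's own units: 8m is eight 30-day periods and 1y is 365 days, which is why the report shows 240 and 365 rather than calendar months and years.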

Good to know: learn how you can use GPG with a GUI with Kleopatra.

3. Save Your GPG Keys to a Security Key

Security keys are small devices that are specifically designed to hold private key material and to perform signing, decryption and authentication on the device itself, so the private key never has to be readable by your computer. Any security key with OpenPGP smart card support can hold your three GPG subkeys without compromising your overall security. Be aware that keytocard moves a key rather than copying it: after you save, only a stub of that subkey remains on disk, so make your backups (tips 4 and 5) before you start.

Start by plugging in your security key to your machine, then run the following command to check if GPG detects it:

gpg --card-status

Open the GPG prompt on your primary key, then run list to print all the details of your key:

gpg --edit-key YOUR-GPG@EMAIL.ADDRESS

Find the subkey with the usage value of “S” then run key followed by its order number in the subkey list. For instance, my “S” subkey is the first key on my list so I will run key 1.

Move your “S” subkey to your security key’s internal storage:

keytocard

Select "1" (Signature key) on the transfer prompt, provide the passphrase for your primary GPG key and the card's Admin PIN when asked, then run the key command again to unselect the first subkey.

Find the subkey with the usage value of “A” then run the key command followed by the subkey’s index number.

Transfer the "A" subkey to your security device using the keytocard command, select "3" (Authentication key) on the transfer prompt, then rerun the key command to unselect the "A" subkey.

Find the subkey with the usage value of “E,” then select it using the key command.

Transfer the "E" subkey to your security device using the keytocard command, then select "2" (Encryption key) on the prompt.

Run save, then press Enter to commit your changes to your GPG keyring.

Lastly, confirm that the subkeys have been moved off your machine by running gpg --list-secret-keys YOUR-GPG@EMAIL.ADDRESS. The "ssb" labels of your subkeys should now read "ssb>": the greater-than sign marks a stub whose private part lives on the card.

4. Backup Your Main Private Key to Paper

Aside from security keys, you can also secure your GPG key in Linux by exporting it to a printable text file. Paperkey is a simple command line utility that takes your private key and strips it down to its core secret bytes, since everything else can be rebuilt from your public key. The secret bytes stay in their passphrase-protected form, so the printout is still only as good as your passphrase, but it does let you preserve your GPG key outside digital devices. Do this before moving your subkeys to a security key (tip 3), because a keyring that only holds stubs has nothing left to back up.

To start, install paperkey from your Linux distro’s package repository:

sudo apt install paperkey

Export the binary version of your primary private and public keys:

gpg --export-secret-keys --output secret.gpg YOUR-GPG@EMAIL.ADDRESS
gpg --export --output public.gpg YOUR-GPG@EMAIL.ADDRESS

Convert your binary private key to its core secret data:

paperkey --secret-key secret.gpg --output core-secret.txt

Confirm that you can reconstruct your private key from your paperkey backup, writing to a new file so you don't overwrite the original export:

paperkey --pubring public.gpg --secrets core-secret.txt --output secret-restored.gpg

Open your core secret file using your favorite graphical text editor. In my case, I’m using the default text editor from GNOME.

Click the Options menu on the window's upper right corner, then select the "Print" submenu entry. Once the printout is in hand, securely delete secret.gpg, secret-restored.gpg and core-secret.txt (for example with shred -u); each one is a complete copy of your private key.
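The reconstruction step above only proves that paperkey produces a file; it does not show that the file is your key. The script below is an added example, not the article's own commands, and does the round trip properly: it generates a throwaway demo key (unprotected, so nothing prompts; the user ID and paths are made up), backs it up with paperkey, restores the backup into a second empty keyring, and compares the fingerprints of every secret key and subkey in both, including whether any of them is only a stub. It assumes GnuPG 2.2 or newer and paperkey on PATH. With a real, passphrase-protected key the same steps work, but gpg asks for the passphrase at export and again at import, because paperkey keeps the secret bytes in their protected form.

```shell
#!/bin/sh
# Added example (not from the article): verify a paperkey backup by restoring it
# into a second, empty keyring and comparing fingerprints. Assumes gpg >= 2.2
# and paperkey on PATH. The demo key, its user ID and all paths are made up.

paperkey_backup() {   # $1 secret.gpg  $2 core-secret.txt (printable text out)
    paperkey --secret-key "$1" --output "$2"
}

paperkey_restore() {  # $1 public.gpg  $2 core-secret.txt  $3 restored.gpg (binary out)
    paperkey --pubring "$1" --secrets "$2" --output "$3"
}

# Fingerprint of every secret key and subkey in keyring directory $1, one per
# line, with "#" appended where only a stub is present (field 15 of sec/ssb)
secret_fprs() {
    GNUPGHOME="$1" gpg --batch --with-colons --list-secret-keys |
        awk -F: '$1=="sec"||$1=="ssb"{stub=($15=="#")} $1=="fpr"{print $10 (stub?"#":"")}'
}

# Round trip in throwaway keyrings. Prints "ok" and returns 0 only when the
# restored keyring holds exactly the original secret keys, with no stubs.
paperkey_roundtrip() {
    work="$(mktemp -d)"; src="$work/src"; dst="$work/dst"
    mkdir -m 700 "$src" "$dst"
    # unprotected demo key so nothing prompts; a real key keeps its passphrase
    GNUPGHOME="$src" gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Paperkey Demo <paperkey@example.invalid>' ed25519 default 1y
    GNUPGHOME="$src" gpg --batch --pinentry-mode loopback --passphrase '' \
        --export-secret-keys --output "$work/secret.gpg"
    GNUPGHOME="$src" gpg --batch --export --output "$work/public.gpg"
    paperkey_backup "$work/secret.gpg" "$work/core-secret.txt"
    paperkey_restore "$work/public.gpg" "$work/core-secret.txt" "$work/restored.gpg"
    GNUPGHOME="$dst" gpg --batch --pinentry-mode loopback --passphrase '' \
        --import "$work/restored.gpg"
    before="$(secret_fprs "$src")"; after="$(secret_fprs "$dst")"
    GNUPGHOME="$src" gpgconf --kill gpg-agent || true
    GNUPGHOME="$dst" gpgconf --kill gpg-agent || true
    rm -rf "$work"
    [ -n "$before" ] && [ "$before" = "$after" ] && echo ok
}

# Run with:  PAPERKEY_DEMO=1 sh paperkey-roundtrip.sh
if [ "${PAPERKEY_DEMO:-0}" = 1 ]; then paperkey_roundtrip; fi
```

To check a real backup, skip the key generation: point paperkey_restore at your printed text (after OCR or retyping) and your public key, import the result into a fresh GNUPGHOME, and compare secret_fprs of that directory against your original keyring.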

Good to know: learn how to print files from the terminal with lp.

5. Delete Your Main Private Key from the System

When you generate a new GPG key, your computer stores a copy of the public and private keys inside your filesystem, under ~/.gnupg. While convenient, this can be a problem if you're using either a networked or shared-access computer.

One way of solving this is to delete the primary private key from your GPG keyring while keeping the subkeys. This ensures that a malicious actor who gets into your computer cannot extract the primary key and use it to certify new subkeys or other people's keys in your name; at worst they get subkeys, which you can revoke and replace.

Start by backing up your original primary GPG private key and subkeys:

gpg --export-secret-keys --armor --output private.asc YOUR-GPG@EMAIL.ADDRESS
gpg --export-secret-subkeys --armor --output sub-private.asc YOUR-GPG@EMAIL.ADDRESS

Encrypt your primary private keyblock output using symmetric encryption:

gpg --symmetric private.asc

Provide a relatively strong passphrase for your private key data, then press Enter. This writes private.asc.gpg next to the original.

Store your encrypted GPG private key (private.asc.gpg) on an external storage device, then securely delete the plaintext private.asc (for example with shred -u). Do the same with sub-private.asc once you have imported it below.

Remove all private key data from your GPG keypair:

gpg --delete-secret-keys YOUR-GPG@EMAIL.ADDRESS

Import the secret subkey block back to your GPG keypair:

gpg --import sub-private.asc

Run the following command to check if your primary private key still exists in your system:

gpg --list-secret-keys YOUR-GPG@EMAIL.ADDRESS

Doing this should show a pound (#) sign beside the "sec" label of the primary key ("sec#"). That indicates that the primary private key is no longer in your GPG keyring. Whenever you do need it, to add or revoke a subkey, extend an expiry date or sign someone's key, import the encrypted backup into a temporary keyring (a fresh directory set as GNUPGHOME), do the work there, export the result, and delete the temporary directory afterwards.
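Once all five tips are applied, the keyring should show a certify-only primary key with no secret part on disk, and dated subkeys whose secret parts sit on the security key. The function below is an added example, not from the article: it reads gpg --with-colons --list-secret-keys output and reports every deviation from that layout, using the field positions documented in GnuPG's doc/DETAILS. The two sample listings are constructed for the demonstration (the key IDs, fingerprints, user IDs and card serial number are invented); audit_keyring runs the same check on your real keyring.

```shell
#!/bin/sh
# Added example (not from the article): audit a secret-key listing for the
# layout the five tips leave behind. Works on `gpg --with-colons --list-secret-keys`
# output; field numbers follow GnuPG's doc/DETAILS:
#   $1 record type   $5 key ID   $7 expiry (epoch seconds, empty = never)
#   $12 capabilities (lowercase = this key's own, uppercase = whole key)
#   $15 token serial number, or "#" for a stub whose secret part is not on disk

# Reads a colon listing on stdin, prints one finding per line,
# exit status = number of findings (0 means the layout matches).
audit_secret_listing() {
    awk -F: '
        function bad(msg) { print msg; n++ }
        $1 == "sec" {
            own = $12; gsub(/[A-Z]/, "", own)
            if (own != "c")  bad("primary " $5 ": capabilities \"" own "\", expected certify-only (tip 1)")
            if ($7 == "")    bad("primary " $5 ": no expiry date (tip 2)")
            if ($15 != "#")  bad("primary " $5 ": secret key still on disk, no # stub (tip 5)")
        }
        $1 == "ssb" {
            if ($7 == "")                bad("subkey " $5 ": no expiry date (tip 2)")
            if ($15 == "" || $15 == "#") bad("subkey " $5 ": secret part not on a security key (tip 3)")
        }
        END { exit n + 0 }'
}

# Same check against a live keyring; extra arguments go to gpg (e.g. a key ID)
audit_keyring() {
    gpg --batch --with-colons --list-secret-keys "$@" | audit_secret_listing
}

# Constructed sample listings (not real keys). GOOD_LISTING is the target layout:
# certify-only stub primary, three dated subkeys on card serial D276...0000.
GOOD_LISTING='sec:u:4096:1:1111222233334444:1700000000:2015500000::u:::cESCA:::#:::23::0:
fpr:::::::::0000000000000000000000001111222233334444:
uid:u::::1700000000::0123456789ABCDEF0123456789ABCDEF01234567::Alice Example <alice@example.invalid>::::::::::0:
ssb:u:4096:1:5555666677778888:1700000000:1731536000:::::s:::D2760001240103040006000012340000:::23:
ssb:u:4096:1:9999AAAABBBBCCCC:1700000000:1731536000:::::e:::D2760001240103040006000012340000:::23:
ssb:u:4096:1:DDDDEEEEFFFF0000:1700000000:1731536000:::::a:::D2760001240103040006000012340000:::23:'

# BAD_LISTING is a fresh default key: sign+certify primary on disk, one
# encryption subkey on disk with no expiry date.
BAD_LISTING='sec:u:3072:1:AAAABBBBCCCCDDDD:1700000000:2015500000::u:::scESC::::::23::0:
uid:u::::1700000000::FEDCBA9876543210FEDCBA9876543210FEDCBA98::Bob Example <bob@example.invalid>::::::::::0:
ssb:u:3072:1:EEEEFFFF00001111:1700000000::::::e::::::23:'

# Demo output when run directly: the first listing produces no findings,
# the second produces four.
echo "== target layout =="
printf '%s\n' "$GOOD_LISTING" | audit_secret_listing && echo "no findings"
echo "== untouched default key =="
printf '%s\n' "$BAD_LISTING" | audit_secret_listing || true
```

On a real system, `audit_keyring YOUR-GPG@EMAIL.ADDRESS` should print nothing and exit 0 once tips 1, 2, 3 and 5 are done; any line it prints names the subkey or primary key and the tip that still applies.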

Learning how to secure your GPG key with these simple tips is just one part of exploring the vast ecosystem of public key cryptography. Dive deeper into this program by logging in to SSH servers using GPG.

Image credit: FlyD via Unsplash. All alterations and screenshots by Ramces Red.


Ramces Red
Staff Writer
