
GPG Subkeys

List keys to get your key:

gpg --list-keys

Edit key:

gpg --edit-key <KEY ID>

At the gpg> prompt, add a new subkey, then choose whether it is for signing or encryption, the key size, and the expiry:

gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Wed 04 Sep 2019 10:51:34 PM PDT
Is this correct? (y/N) y
Really create? (y/N) y

Repeat for encrypting key if you need one.

Exporting the Subkey(s)

Get the ID of the new subkey you want to export:

gpg --list-keys --with-subkey-fingerprint <KEY ID>

Export the subkey. Keep the trailing ! (it tells gpg to export exactly that subkey rather than the whole key); several subkeys can be listed:

gpg -a --export-secret-subkeys <subkey id>! [ <subkey id2>!] > temp_directory/subkey.gpg

To give the exported subkey a passphrase different from the master key's, import it into a temporary GnuPG home directory.

mkdir temp_directory/gpg
gpg --homedir temp_directory/gpg --import temp_directory/subkey.gpg

Edit the key in the temporary home directory and change the passphrase:

gpg --homedir temp_directory/gpg --edit-key <user-id>
gpg> passwd
gpg> save

Note: You will get a warning "error changing passphrase", but it can be ignored.

Now export the subkey again so that the exported copy carries the new passphrase:

gpg --homedir temp_directory/gpg -a --export-secret-subkeys <subkey id>! > temp_directory/subkey.altpass.gpg

Importing The Subkey(s)

Now, on a new system, the subkeys can be imported:

gpg --import subkey.altpass.gpg

Running gpg --list-secret-keys will show a # after sec, meaning the master (primary) secret key isn't present on this system.

On the new, subkey-only system:

/home/john/.gnupg/pubring.kbx
-----------------------------

sec#  rsa4096 2017-05-17 [SC]
      <KEY ID>
uid           [ unknown] John Ramsden (<comment>) <email>
uid           [ unknown] John Ramsden (<comment>) <email>
ssb   rsa4096 2017-09-05 [S] [expires: 2019-09-05]
ssb   rsa4096 2017-09-05 [E] [expires: 2019-09-05]
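The listing above is what a human reads; gpg also offers the same information in a machine-readable form (gpg --list-secret-keys --with-colons), where the "#" that appears after "sec" above shows up in field 15 of the sec record, and "+" marks a secret key that is actually present. The following script is an added example, not part of these notes or of GnuPG: it parses a constructed colon listing modelled on the output above and audits it the way you would on a subkey-only machine, checking that the primary secret key is indeed absent and that the signing and encryption subkeys are present and not expired or about to expire. The sample key IDs, fingerprints and timestamps are constructed for the example.

```python
"""Audit a `gpg --list-secret-keys --with-colons` listing on a subkey-only host.

Colon-format fields used here (1-based, per GnuPG's doc/DETAILS):
  1 record type (sec = primary secret key, ssb = secret subkey)
  3 key length   5 key ID   6 creation (epoch)   7 expiry (epoch, empty = never)
 12 capabilities (s = sign, e = encrypt, c = certify; upper case = usable for whole key)
 15 '#' = secret key is a stub (kept offline), '+' = secret key is present
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed sample: one primary key whose secret part is a stub ('#'),
# plus a signing and an encryption subkey that are present ('+') and
# expire on 2019-09-05, mirroring the human-readable listing in the notes.
SAMPLE_LISTING = """\
sec:u:4096:1:0123456789ABCDEF:1494979200:::u:::cSC:::#:::23::0:
fpr:::::::::00000000000000000000000000123456789ABCDEF:
uid:u::::1494979200::0000000000000000000000000000000000000000::John Ramsden (example) <john@example.invalid>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1504569600:1567641600:::::s:::+:::23:
fpr:::::::::0000000000000000000000000FEDCBA9876543210:
ssb:u:4096:1:0F1E2D3C4B5A6978:1504569600:1567641600:::::e:::+:::23:
fpr:::::::::00000000000000000000000000F1E2D3C4B5A6978:
"""


@dataclass
class SecretKey:
    keyid: str
    bits: int
    capabilities: str
    created: int
    expires: Optional[int]
    secret_present: bool            # False means field 15 was '#': a stub
    subkeys: List["SecretKey"] = field(default_factory=list)


def parse_secret_listing(text: str) -> List[SecretKey]:
    """Return primary keys (sec records) with their ssb subkeys attached."""
    keys: List[SecretKey] = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] not in ("sec", "ssb") or len(f) < 15:
            continue                      # skip fpr/uid/grp and short records
        rec = SecretKey(
            keyid=f[4],
            bits=int(f[2]),
            capabilities=f[11],
            created=int(f[5]),
            expires=int(f[6]) if f[6] else None,
            secret_present=(f[14] != "#"),
        )
        if f[0] == "sec":
            keys.append(rec)
        elif keys:
            keys[-1].subkeys.append(rec)  # ssb records follow their sec record
    return keys


def has_usable_subkey(key: SecretKey, cap: str, now: datetime) -> bool:
    """True if a present, unexpired subkey with capability `cap` ('s' or 'e') exists."""
    for s in key.subkeys:
        if cap in s.capabilities and s.secret_present:
            if s.expires is None or datetime.fromtimestamp(s.expires, tz=timezone.utc) > now:
                return True
    return False


def audit(keys: List[SecretKey], now: datetime, warn_days: int = 30) -> List[str]:
    """Findings for a host that is supposed to hold subkeys only."""
    findings: List[str] = []
    for k in keys:
        if k.secret_present:
            findings.append(f"{k.keyid}: primary secret key is present; expected an offline stub (sec#)")
        for cap, name in (("s", "signing"), ("e", "encryption")):
            if not has_usable_subkey(k, cap, now):
                findings.append(f"{k.keyid}: no usable {name} subkey")
        for s in k.subkeys:
            if s.expires is None:
                continue
            exp = datetime.fromtimestamp(s.expires, tz=timezone.utc)
            if exp <= now:
                findings.append(f"{s.keyid} [{s.capabilities}]: expired {exp:%Y-%m-%d}")
            elif exp - now <= timedelta(days=warn_days):
                findings.append(f"{s.keyid} [{s.capabilities}]: expires {exp:%Y-%m-%d}, renew soon")
    return findings


if __name__ == "__main__":
    # On a real host, feed in: subprocess.run(["gpg", "--list-secret-keys", "--with-colons"], ...)
    for line in audit(parse_secret_listing(SAMPLE_LISTING), datetime.now(tz=timezone.utc)):
        print(line)
```

Run against a live listing, an empty result means the host looks as intended: primary key absent, both subkeys present and valid. The expiry warning is the useful part in practice, since subkeys created with a two-year lifetime as above silently stop working when they lapse and the primary key is needed to extend them.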

References:


Arch Wiki - GnuPG
Debian - Subkeys
void.gr