-
Notifications
You must be signed in to change notification settings - Fork 20
PGP
Dmitri edited this page Nov 7, 2022
·
34 revisions
🗒️ Please note all current Frequency PGP secure assets are stored in “Frequency” vault on 1Password.com.
# Generate master key
$ gpg --full-gen-key
---
Your selection? 1 (RSA and RSA)
What keysize do you want? (3072) 4096
Key is valid for? (0)
Is this correct? (y/N) y
Real name: Frequency
Email address: security
Not a valid email address
Email address: [email protected]
Comment: Frequency Chain Identity
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
Password: <master password># Verify the key was added
$ gpg -K# Send public key to keyserver
$ gpg --keyserver hkp://keys.gnupg.net --send-keys <keyId># Set expiration for subkey
$ gpg --edit-key <keyId>
---
gpg> key 1
gpg> expire
Key is valid for? (0) 1y
Is this correct? (y/N) y# Add signing key
gpg> addkey
(4) RSA (sign only)
Your selection? 4
What keysize do you want? (3072) 4096
Key is valid for? (0) 1y
Is this correct? (y/N) y
Really create? (y/N) y# Check and save changes
gpg> list
gpg> save$ gpg --output frequency.revocation-certificate.gpg.txt --gen-revoke [email protected]
---
Create a revocation certificate for this key? (y/N) y
Your decision? 0
>
Is this okay? (y/N) yThe revocation certificate will be stored in frequency.revocation-certificate.gpg.txt Store the file offline and delete it from the device.
$ gpg --export-secret-keys --output frequency.secret.gpg.txt --armor <keyId>
Store frequency.secret.gpg file in a safe, offline and easy-to-remember place and delete it from the device. 3.3 Remove Master Key's secret from keyring. REMOVE THE MASTER KEY'S SECRET ONLY, LEAVING SUBKEYS ALONE.
gpg --delete-secret-key keyId
Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
Delete secret key: <Delete Key>
Delete secret subkey: <No>
gpg: deleting secret subkey failed: Operation cancelled
gpg: BF90*******************: delete key failed: Operation cancelled
# Verify the secret is no longer present
$ gpg -K
sec# rsa4096 2022-11-04 [SC]
BF90*******************The # next to the Master Key's means that the secret part of that key is not present in the keyring anymore, therefore it is not usable.
After the deleting the private part, the Master Key is not usable anymore to modifying or adding subkeys. To verify your backup, retrieve it from your secure offline storage and issue:
$ gpg --import frequency.secret.gpg.txt
$ gpg -K
sec rsa4096 2022-11-04 [SC]
BF90*******************By listing the private keyring once again we can see that the # sign has disappeared, meaning the Master Key is once again usable.
gpg -u [email protected] --detach-sign --armor frequency
gpg --verify frequency.asc