keyservers
many keyservers are unresponsive or not accepting new keys. sks-keyservers.net/pool.sks-keyservers.net doesn't work.
pgp.mit.edu sometimes works, though it takes forever. keys.openpgp.org seems to be working for now.
I think public keyservers are a thing of the past; you just have to exchange keys with known people. :-(
multiple keys
The internets (see links 1-3) recommend using a master key with multiple subkeys, and stripping out the master so that remote devices (laptops, smartphones, etc.) carry only subkeys.
LINK 1) http://www.connexer.com/articles/openpgp-subkeys => The connexer link is very detailed
LINK 2) https://superuser.com/questions/466396/how-to-manage-gpg-keys-across-multiple-systems => gpg question, which points to LINK 3
LINK 3) https://wiki.debian.org/Subkeys?action=show&redirect=subkeys => Debian's description of subkeys.
Unfortunately, those 3 assume you've already created the subkeys.
LINK 4) http://lists.gnupg.org/pipermail/gnupg-users/2011-September/042858.html => shows how to create the subkey
LINK 5) http://keyring.debian.org/creating-key.html => the Debian link for creating the master key. If you do it this way, apparently,
LINK 6) http://www.macfreek.nl/memory/Convert_GPG_keys_to_subkeys => I had been looking for this for use at home
Looks like I'm primarily using Debian's instructions. I even followed the suggestion for gpg.conf edits from creating-key, though I don't know if it really did anything.
1) {LINK 5} create a 4096-bit key from the command line (gpg --gen-key), choosing "RSA and RSA (default)", which creates an RSA master key for Sign/Cert and a separate RSA subkey for Encrypt
2) {LINK 5} add additional user IDs (e-mail addresses) as needed, and set the primary uid
* Per LINK 6, you can actually make Name=NAME, EMAIL=EMPTY, COMMENT=DOB or other personally-identifying info -- though not anything that ends up in bank security questions
3) {LINK 3} create N signing-only RSA/4096 keys, with or without expiration
4) Assuming your master = MMMMMMMM, and the subkeys are encrypt=EEEEEEEE, sign1=AAAAAAAA, sign2=BBBBBBBB, sign3=CCCCCCCC
* export all the public keys together: gpg --export MMMMMMMM
* export the master's secret key MMMMMMMM as a backup (the "subkey" export below does not include it); keep that backup offline
* export secret subkeys in pairs, encrypt+sign#: gpg --export-secret-subkeys EEEEEEEE! AAAAAAAA! > subkeys.a.gpg (the trailing ! selects exactly that subkey; in an interactive bash shell quote or escape it so history expansion doesn't eat it)
* delete the master secret key from the keyring that will go on the remote device
* import the public keys and one pair of secret subkeys back in
* gpg --list-keys will show all the keys (because it lists the public keys)
* gpg --list-secret-keys will show just the EEEEEEEE and AAAAAAAA subkeys, and the master will be marked sec#, indicating that the secret portion of the master is missing
* if you ever want this secring to have all the secret subkeys again, delete the master secret key and re-import all the secret subkeys at once (or restore your backup of the full secring.gpg)
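After step 4, a quick way to confirm that the keyring destined for a laptop really is subkeys-only is to parse gpg's machine-readable listing. The following is an added example (not from the linked articles): in `gpg --list-secret-keys --with-colons` output, field 15 of a `sec`/`ssb` record is `#` when that secret part is only a stub, which is what the human-readable listing shows as `sec#`. The check requires the master to be a stub and at least one usable subkey; it tolerates stub subkeys because newer gpg also lists the subkeys you did not import as `ssb#`. The sample listings are constructed with the placeholder IDs from the notes above.

```shell
#!/bin/sh
# check_subkeys_only: reads "gpg --list-secret-keys --with-colons" on stdin.
# Field 1 = record type (sec = master, ssb = subkey), field 5 = key ID,
# field 12 = capabilities, field 15 = "#" when the secret part is a stub.
# Exit 0 if the master is a stub and >=1 subkey is usable, 1 otherwise,
# 2 if no secret key records were found at all.
check_subkeys_only() {
    awk -F: '
        $1 == "sec" { masters++; if ($15 != "#") master_present++ }
        $1 == "ssb" {
            status = ($15 == "#") ? "stub" : "usable"
            if (status == "usable") usable++
            printf "subkey %s caps=%s %s\n", substr($5, 9), $12, status
        }
        END {
            if (masters == 0)   { print "no secret key records"; exit 2 }
            if (master_present) { print "FAIL: master secret key present (not sec#)"; exit 1 }
            if (usable == 0)    { print "FAIL: no usable subkey"; exit 1 }
            print "OK: master is a stub, " usable " usable subkey(s)"; exit 0
        }'
}

# Constructed sample: laptop keyring after importing the public keys plus the
# EEEEEEEE (encrypt) + AAAAAAAA (sign) pair. BBBBBBBB was not imported, so it
# shows as a stub. Master MMMMMMMM is a stub ("#" in field 15).
sample_subkeys_only() {
    printf '%s\n' \
      'sec:u:4096:1:00000000MMMMMMMM:1600000000:::u:::cSC:::#::23::0:' \
      'uid:u::::1600000000::0123456789ABCDEF0123456789ABCDEF01234567::Name (comment)::::::::::0:' \
      'ssb:u:4096:1:00000000EEEEEEEE:1600000000::::::e:::::23:' \
      'ssb:u:4096:1:00000000AAAAAAAA:1600000000::::::s:::::23:' \
      'ssb:u:4096:1:00000000BBBBBBBB:1600000000::::::s:::#::23:'
}

# Constructed sample: the same keyring before the master secret key was
# deleted (field 15 of the sec record is empty, i.e. the secret is present).
sample_master_present() {
    printf '%s\n' \
      'sec:u:4096:1:00000000MMMMMMMM:1600000000:::u:::cSC:::::23::0:' \
      'ssb:u:4096:1:00000000EEEEEEEE:1600000000::::::e:::::23:' \
      'ssb:u:4096:1:00000000AAAAAAAA:1600000000::::::s:::::23:'
}
```

Source the file and run `gpg --list-secret-keys --with-colons | check_subkeys_only` on the device's keyring; `sample_subkeys_only | check_subkeys_only` exercises it on the constructed sample.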
add identities
Kleopatra: "Add email address" -- but this _requires_ an address, which I don't necessarily want.
This also makes the new UID the "primary". To change primary:
gpg --edit-key FINGERPRINT
> 2 (or whatever number)
> primary
> save
To add a uid from the gpg command line instead:
gpg --edit-key FINGERPRINT
> adduid
> Real name: ____
> Email address: ____
> Comment: ___ or empty
The nice thing about the gpg app version is that it _doesn't_ change the primary uid
alternate keyring
https://superuser.com/questions/399938/how-to-create-additional-gpg-keyring
To use:
gpg --no-default-keyring --keyring trustedkeys.gpg
Originally, that's what I was going to do. However, since I think Module::Signature will use whatever gpg is in the path, with its own options, that won't work.
change expiration
gpg --edit-key KEYNAME
> list
> key 0 (deselects all subkeys, so expire applies to the primary key)
> expire
> (set appropriate duration)
> save
revoke
How To Revoke a GPG key
- gpg --output revoke.asc --gen-revoke key-ID : creates the revocation cert (generate it while you still have the secret key, and store it somewhere safe)
- gpg --import revoke.asc : imports the revocation cert, thereby revoking the key in your keyring; others only see the revocation once they get the updated public key