[Durham] GPG with multiple devices

mark mark at aktivix.org
Thu Aug 21 22:14:21 UTC 2014

Hash: SHA256

Hi Olly

On 20/08/14 22:26, Oliver Burnett-Hall wrote:
> From my reading, subkeys appear to be one possible solution to
> this. If I understand this right, here's what I think I need to
> do:
> 1. Create a new master key, selecting the sign-only option. 2. Do
> stuff like add additional identities, tweak encryption settings, 
> and so on. 3. Create a single encrypt-only subkey. 4. Create
> multiple sign-only subkeys, on for each device. 5. Generate a
> revocation certificate for the master key. 6. Send a copy of the
> master public key to a keyserver.

So far so good, I think

> 7. Somehow (I'm not exactly sure how this step is done) export/copy
> to each device the single encryption subkey and the signing subkey
> for that device.

On the machine you've generated your subkeys on, find the ID of your
secret subkey:

> gpg --list-secret-keys

Then, export the subkey you want to move to (say) your phone as an
ascii-armoured file, using

> gpg --export-secret-subkeys YOURSUBKEYID!

Then, move the resulting file to the phone out-of-band, eg. by
mounting the storage directly to your workstation and writing it
accross. Do not, for obvious reasons, use anything like dropbox to
move it between devices

Then on your phone, import it:

> gpg --allow-secret-key-import --import subkey.asc

> 8. Move the master key to a USB drive and put in a room guarded by
> a three-headed dog.

Also, I'd suggest copying all the revocation certificates to all the
devices, so if one device gets compromised, you can revoke it from the

If you want to be really hardcore, you could also store your
revocation certs in other places, e.g. by steganography

> Once this has been done, it would be possible to start building a
> web of trust by having people sign my master key, and using my
> master key to sign theirs.
> If I were to lose my laptop I would have to revoke my encryption
> subkey and the device-specific signing subkey. I could then
> generate a new encryption subkey and copy it to all my devices. The
> advantage of this is that my master key would be unaffected.
> However, and what I'm not sure about, is how other people would
> know about the revocation. Is there any automatic checking for
> revoked certificates done by GPG/PGP? Or would I be relying on
> people manually re-fetching my certificates from keyservers?

Yes, people need to keep their public keyring synced in order to pick
up your revocation.

> Has anyone done something like this? Does it make any sense at
> all?

What do you think about setting up a cryptoparty? We could go through
this stuff together and sign each others keys if we set aside a few
hours. Maybe somewhere a bit quiter than the rowing club, with a
projector? Can anyone borrow a room like that at the Uni for an
afternoon or evening?

I'm definitely keen to get everyone encrypting everything - it's our
best weapon against the surveillance state.


Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Icedove - http://www.enigmail.net/


More information about the Durham mailing list