Skip to content
Dmitri edited this page Oct 4, 2023 · 34 revisions

Generate Frequency PGP Keys

🗒️ Please note all current Frequency PGP secure assets are stored in “Frequency” vault on 1Password.com and GitHub secrets.

1. Create PGP Master Key

Let's just generate a RSA 4096 master key that never expires, so we are able to sign and encrypt. While the master key will never expire, the keys we will actually use on a daily basis will expire.

# Generate master key
$ gpg --full-gen-key
---
Your selection? 1 (RSA and RSA)
What keysize do you want? (3072) 4096
Key does not expire at all
Key is valid for? (0)
Is this correct? (y/N) y
Real name: Frequency
Email address: security@frequency.xyz
Comment: Frequency Chain Identity
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
Password: <master password>
# Verify the key was added
$ gpg -K

Example output:

gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
/home/youruser/.gnupg/pubring.kbx
---------------------------------
sec   rsa4096 2022-11-04 [SC]
      BF9088A81DEAEB7353CF955028EDB96E6310F01B
uid           [ unknown] Frequency (Frequency Chain Identity) <security@frequency.xyz>
ssb   rsa4096 2022-11-04 [E] [expires: 2023-11-04]
ssb   rsa4096 2022-11-04 [S] [expires: 2023-11-04]

This means we have a secret master key of type RSA 4096 associated to the security@frequency.xyz identity. The master key can be used to sign and certify [SC]. The ID of the key is BF9088A81DEAEB7353CF955028EDB96E6310F01B. There is also 2 secret subkeys ssb, that can be used to encrypt data [E] and sign data [S].

# Send public key to keyserver
$ gpg --keyserver hkp://keys.gnupg.net --send-keys <keyId>

2. Configure Everyday-use Subkeys

Permanent usage of master (primary) keys requires extreme security measures, which makes the usage inconvenient. Subkeys allow to reduce the risks and at the same time to keep usage at convenient level. The risks are reduced A) by limited validity of the keys, and B) by possibility to revoke them at any time if you suspect they were compromised.

# Set expiration for subkey
$ gpg --edit-key <keyId>
---
gpg> key 1
gpg> expire
Key is valid for? (0) 1y
Is this correct? (y/N) y
# Add signing key
gpg> addkey
(4) RSA (sign only)
Your selection? 4
What keysize do you want? (3072) 4096
Key is valid for? (0) 1y
Is this correct? (y/N) y
Really create? (y/N) y
# Check and save changes
gpg> list
gpg> save

3. Remove secret Master Key from device

3.1 Create Revocation Certificate

$ gpg --output frequency.revocation-certificate.gpg.txt --gen-revoke security@frequency.xyz
---
Create a revocation certificate for this key? (y/N) y
Your decision? 0
>
Is this okay? (y/N) y

The revocation certificate will be stored in frequency.revocation-certificate.gpg.txt Store the file offline and delete it from the device.

3.2 Backup Master Key's Secret

$ gpg --export-secret-keys --output frequency.secret.gpg.txt --armor <keyId>
Store frequency.secret.gpg file in a safe, offline and easy-to-remember place and delete it from the device. 

3.3 Remove Master Key's secret from keyring. REMOVE THE MASTER KEY'S SECRET ONLY, LEAVING SUBKEYS ALONE.

gpg --delete-secret-key <keyId>
Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
Delete secret key: <Delete Key>
Delete secret subkey: <No>
gpg: deleting secret subkey failed: Operation cancelled
gpg: BF90*******************: delete key failed: Operation cancelled
# Verify the secret is no longer present
$ gpg -K
sec#  rsa4096 2022-11-04 [SC]
  BF90*******************

The # next to the Master Key's means that the secret part of that key is not present in the keyring anymore, therefore it is not usable.

3.4 Test the key backup

After the deleting the private part, the Master Key is not usable anymore to modifying or adding subkeys. To verify your backup, retrieve it from your secure offline storage and issue:

$ gpg --import frequency.secret.gpg.txt
$ gpg -K
sec   rsa4096 2022-11-04 [SC]
  BF90*******************

By listing the private keyring once again we can see that the # sign has disappeared, meaning the Master Key is once again usable.

4. Use GPG for Creating Detached Signature

gpg -u security@frequency.xyz --detach-sign --armor frequency 
gpg --verify frequency.asc

Rotate Frequency Signing PGP Key

If you followed all the above, your signing subkey will expire 1 year after creation. When the expiration date approaches you can either extend the current key or create a new subkey starting from the same Master Key. Please note that you will need to use the Master Key's private you safely stored offline to perform these actions. Since the renewed or new key originates from the same Master Key, the world will recognize the new signatures as belonging to the same Master Key's public part, therefore same identity.

  1. Import master key into your local keyring

    gpg --keyserver pgp.mit.edu --recv-key BF9088A81DEAEB7353CF955028EDB96E6310F01B
  2. Download master secret file frequency.secret.gpg.txt from Frequency Vault.

  3. Import master secret from Secret Manager tool:

    gpg --import ~/Downloads/frequency.secret.gpg.txt 
    ---
    (Enter "Frequency PGP Master Password" from Frequency Vault when prompted)
  4. Confirm the # suffix is gone from the master key sec label:

    gpg -K
    ---
    sec   rsa4096 2022-11-04 [SC]
    BF9088A81DEAEB7353CF955028EDB96E6310F01B
    uid           [ unknown] Frequency (Frequency Chain Identity) <security@frequency.xyz>
    ...
  5. Add new signing key that will expire in 1 year:

    gpg --quick-add-key BF9088A81DEAEB7353CF955028EDB96E6310F01B rsa4096 sign 1y
  6. Send updated key to keyserver:

    gpg --keyserver pgp.mit.edu --send-keys BF9088A81DEAEB7353CF955028EDB96E6310F01B
  7. Export subkeys secret:

    gpg --export-secret-subkeys --output /tmp/frequency.secret-subkeys.gpg.txt --armor BF9088A81DEAEB7353CF955028EDB96E6310F01B
  8. Update signing subkeys secret value in GitHub secret FREQUENCY_PGP_SECRET_SUBKEYS:

    cat /tmp/frequency.secret-subkeys.gpg.txt | pbcopy
  9. Upload new /tmp/frequency.secret-subkeys.gpg.txt to Frequency Vault.

  10. Delete Frequency secret key from local keyring:

    gpg --delete-secret-key BF9088A81DEAEB7353CF955028EDB96E6310F01B
    gpg --delete-key BF9088A81DEAEB7353CF955028EDB96E6310F01B
  11. Remove dowloaded secrets:

    rm ~/Downloads/frequency.secret.gpg.txt 
    rm /tmp/frequency.secret-subkeys.gpg.txt
  12. Verify the key and associated secret are gone from local keyring:

    gpg -k
    gpg -K
  13. Create new invitation in the company Calendar for @wilwade @demisx @sbendar with due date at least 2 weeks prior to expiration.