How to create a GPG master key and subkeys

A GPG key (technically a set of keys, one public and one or more private) can be used to secure your communications, prove your online identity, and secure the authenticity of code bases.

While there are some guides on GPG key creation, not many will include a step on subkey creation and why it is important. Using subkeys are a great way to ensure that a lost or stolen laptop doesn't invalidate your online reputation by having your GPG master key pair fall into the wrong hands.

In this guide, I show how to create a GPG master key pair, create subkeys, and backup your master key while leaving the subkeys on your local computer.

Once GnuPG is installed on your computer (check here if you need help with Mac installation), we are ready to create a GPG key.

Creating a GPG key pair

In your terminal, run the command:

gpg --full-generate-key

You are given the option to choose which type of key to generate. The recommended standard, and default in GnuPG, is "ECC," which stands for elliptic curve cryptography. The old default was RSA, but it has since fallen out of favour as it is a cryptographic method that is not quantum computer resistant.

Please select what kind of key you want:
   (1) RSA and RSA
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (9) ECC (sign and encrypt) *default*
  (10) ECC (sign only)
  (14) Existing key from card

I recommend creating a key that expires approximately a year from the creation date. You can always extend your expiry date in the future, and a short expiry prevents a situation where you lose your secret key and have an unrevoked GPG key floating around for years (or ever, if you choose not to expire).

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 

The program will ask you to set a password for your key. Once set, the generated key will be listed in the output before gpg closes.

pub   ed25519 2022-09-14 [SC] [expires: 2023-12-31]
      BF4801B69A3FD61C1454722495BB0086DDD86937
uid                      Mike Ross <[email protected]>
sub   cv25519 2022-09-14 [E] [expires: 2023-12-31]

You can confirm a second way that you created the key by running the command: gpg --list-secret-keys. You should see the same key in this output:

sec   ed25519 2022-09-14 [SC] [expires: 2023-12-31]
      BF4801B69A3FD61C1454722495BB0086DDD86937
uid           [ultimate] Mike Ross <[email protected]>
ssb   cv25519 2022-09-14 [E] [expires: 2023-12-31]

Congratulations, you have an active signing and encryption key on your machine! However, if you are truly into security, we are not quite done yet. Read on to learn more about creating sub keys to keep your digital identity secure.

GPG key permissions

For the attentive reader, you may have noticed that the master key is labelled as [SC] and the subkey is labelled as [E]. These labels indicate the permitted usage of the GPG key.

There are four permissions/uses of a GPG key:

  • E = encryption
  • S = signing
  • C = certification
  • A = authentication

Encryption and signing capabilities are the two that you are most likely to use in your every day life, and the names are pretty self-explanatory.

The certification permission allows you to create more (sub)keys with E, S, or A permissions. The permission exists on the master key, so subkeys can't create infinite number of subkeys themselves.

The authentication permission is not used in practice, but there are obscure implementations of SSH and other protocols that can use GPG keys for extra security.

Increasing security through subkeys

What you have right now is considered your "master key." GPG supports subkeys, which are additional key pairs associated with your master key.

For increased security, it is recommended that you use only subkeys on your regular laptop or desktop computer and store your master key on an offline device such as a portable hard drive.

If you lose your device, you can revoke the subkeys on your laptop, keep your master key alive, and generate new subkeys without losing the reputation you have built.

You only need to create one new subkey for signing since the original key creation step automatically created an encryption subkey.

Creating a GPG signing subkey

Run in the terminal the following command, replacing the key ID for your own:

gpg --edit-key BF4801B69A3FD61C1454722495BB0086DDD86937

At the gpg> prompt, type addkey and hit enter. You'll get a list of key types that you can create:

Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
  (10) ECC (sign only)
  (12) ECC (encrypt only)
  (14) Existing key from card

Again create a key, but this time use option 10. You will also get a prompt to create a password for this key. You can make it the same as you previously used.

Once created, you will see that you have a second subkey:

sec  ed25519/95BB0086DDD86937
     created: 2022-09-14  expires: 2023-12-31  usage: SC  
     trust: ultimate      validity: ultimate
ssb  cv25519/9EEF033997A3AE4C
     created: 2022-09-14  expires: 2023-12-31  usage: E   
ssb  ed25519/14072A8493246577
     created: 2022-09-14  expires: 2023-12-31  usage: S   
[ultimate] (1). Mike Ross <[email protected]>

At the gpg> prompt, type save then hit enter. You should now see the new subkey when listing keys.

/Users/rossm/.gnupg/pubring.kbx
-------------------------------
sec   ed25519 2022-09-14 [SC] [expires: 2023-12-31]
      BF4801B69A3FD61C1454722495BB0086DDD86937
uid           [ultimate] Mike Ross <[email protected]>
ssb   cv25519 2022-09-14 [E] [expires: 2023-12-31]
ssb   ed25519 2022-09-14 [S] [expires: 2023-12-31]

Now, you should back up three files: your public key, your secret (master) key, and your secret subkeys. Adjust the output path/name and the key ID for your system.

gpg --output mike.public.gpg --export BF4801B69A3FD61C1454722495BB0086DDD86937
gpg --output mike.secret.gpg --export-secret-key BF4801B69A3FD61C1454722495BB0086DDD86937
gpg --output mike.secsub.gpg --export-secret-subkeys BF4801B69A3FD61C1454722495BB0086DDD86937

Copy the files to a secure, offline storage medium, such as a hard drive or USB memory stick. We want to save these as a backup but not have them on our local machine.

Now, remove the secret keys on our local GPG instance by running the following command.

gpg --delete-secret-keys <key-id>

Next, we want to re-import just the secret subkeys for use on our local machine. The subkeys will allow us to sign and encrypt on our local device, but we will not be able to generate new subkeys without re-importing the master key.

gpg --import mike.secsub.gpg

After re-importing the secret subkeys and running the list-keys command, you can see that the secret keys are back, but notice the sec# in the output. The # means only secret subkeys exist, not the master secret key.

/Users/rossm/.gnupg/pubring.kbx
-------------------------------
sec#  ed25519 2022-09-14 [SC] [expires: 2023-12-31]
      BF4801B69A3FD61C1454722495BB0086DDD86937
uid           [ultimate] Mike Ross <[email protected]>
ssb   cv25519 2022-09-14 [E] [expires: 2023-12-31]
ssb   ed25519 2022-09-14 [S] [expires: 2023-12-31]

As the last step, delete the three exported keys from your local machine. The only place they should reside now is on your offline backup hard drive.

Congratulations! You've successfully created your GPG key pair, backed up the master key to a safe storage location, and set up your local machine to use subkeys for encryption and signing.


If you are a developer and want to learn how to sign your Git commits with your GPG key for increased security, check out the guide here: https://mikeross.xyz/how-to-sign-git-commits-with-gpg-key/