The private parts of PGP keys (including subkeys) stored on Yubikey can't be exported, so you must always use the actual Yubikey to encrypt, decrypt, sign and verify messages. Subkeys stored outside the hardware key can simplify the day-to-day encryption and signing operations and can be revoked independently from the master key.

So I created a new subkey with encrypt and sign capabilities using the master key on the Yubikey and left it on the computer instead of saving it to the Yubikey:

```
gpg --expert --edit-key FINGERPRINTOFYOURMASTERKEY
```

The `--expert` flag is required to enable subkeys with both encrypt and sign capabilities. Use `gpg --edit-card` to view the fingerprint of your master key with the Yubikey plugged in.

Choose (8) RSA (set your own capabilities), then choose (S) Toggle the sign capability and (E) Toggle the encrypt capability, and set the key size to 4096 bits.

Be sure to set the expiration date to something after the expiration date of the encryption subkey already stored on the Yubikey (if there is one), or Keybase will fail to use the new encryption subkey when users encrypt messages using the online encryption form. Most PGP software will pick the subkey by its creation time and then by the expiration time.

Save the changes to your combined public key after creating the subkey by entering `save`.

Now send the updated public key to your preferred PGP key server:

```
$ gpg --send-keys FINGERPRINTOFYOURMASTERKEY
```

And to Keybase using their command-line tool:

```
$ keybase pgp update
```

It is impossible to upload the updated public key using their web UI unless you have another private key associated with the account. All of my private keys before creating this new subkey were stored on Yubikey, so I had to use their CLI tool.

You can now export the private part of your new subkey. Find the fingerprint of the new subkey:

```
$ gpg --list-secret-keys --with-subkey-fingerprints
```

The master key is listed at the top with all the subkeys below it. Note that all subkeys stored on Yubikey have the `>` character after their `ssb` (secret subkey) identifier and the new one doesn't have that. The fingerprint of the new subkey is A58B88D1220599B82097CBA30C8C9DD50841A889, so I use the following command to export the private key of the new subkey:

```
gpg --armor --export-secret-subkeys FINGERPRINTOFSUBKEY!
```

Note the exclamation mark `!` at the end of the fingerprint: it is required to export the private key of just that particular subkey. Pipe the output to `pbcopy` on macOS to copy it to the clipboard:

```
gpg --armor --export-secret-subkeys FINGERPRINTOFSUBKEY! | pbcopy
```

Go to your Keybase profile, click on edit next to your public key fingerprint and choose “Host an encrypted copy of my private key”, paste in the key and enter your Keybase password to encrypt the key for storage.
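As an added example (not code from the original post), here is a POSIX shell script that applies the selection rule above to gpg's machine-readable listing: it picks out the subkeys whose secret part is on disk rather than a card stub, builds the export command with the trailing `!`, and checks that the local encryption subkey outlives the card-backed one. The listing, key ids, fingerprints and card serial are constructed placeholders; it assumes the `--with-colons` layout in which field 15 of an `ssb` record is `+` for a locally stored secret key and the token serial for a card stub.

```shell
#!/bin/sh
# Added example, not from the original post: select subkeys whose secret
# part is on disk (plain "ssb" in the normal listing; card stubs show "ssb>")
# from `gpg --list-secret-keys --with-subkey-fingerprints --with-colons`.
# There, field 15 of an ssb record is the token serial for a card stub and "+"
# for a local secret key; field 12 holds capabilities (e, s), field 7 the expiry.
# SAMPLE_LISTING is constructed: placeholder key ids, fingerprints and serial.
SAMPLE_LISTING='sec:u:4096:1:AAAAAAAAAAAAAAAA:1500000000:1700000000::u:::cESCA:::D2760001240102010006000000000000:::23:
fpr:::::::::1111111111111111111111111111111111111111:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1500000000:1700000000:::::e:::D2760001240102010006000000000000:::23:
fpr:::::::::2222222222222222222222222222222222222222:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1500000000:1700000000:::::s:::D2760001240102010006000000000000:::23:
fpr:::::::::3333333333333333333333333333333333333333:
ssb:u:4096:1:DDDDDDDDDDDDDDDD:1600000000:1800000000:::::es:::+:::23:
fpr:::::::::4444444444444444444444444444444444444444:'

# Print "<fingerprint> <capabilities> <expiry>" for each locally stored subkey.
local_subkeys() {
  printf '%s\n' "$1" | awk -F: '
    $1 == "ssb" { pending = ($15 == "+"); caps = $12; expiry = $7; next }
    $1 == "fpr" && pending { print $10, caps, expiry }
    { pending = 0 }'
}

# Export command for one subkey: the trailing "!" keeps gpg from exporting
# every subkey under the master key.
export_cmd() {
  printf 'gpg --armor --export-secret-subkeys %s!\n' "$1"
}

# The post warns the new encryption subkey must outlive the card-backed one,
# or Keybase keeps using the card subkey.  Prints "ok" or the problem.
check_expiry() {
  printf '%s\n' "$1" | awk -F: '
    $1 == "ssb" && index($12, "e") {
      if ($15 == "+") { if ($7 + 0 > local_exp + 0) local_exp = $7 }
      else            { if ($7 + 0 > card_exp + 0) card_exp = $7 }
    }
    END {
      if (local_exp != "" && card_exp != "" && local_exp + 0 <= card_exp + 0) {
        print "local encryption subkey expires no later than the card subkey"; exit 1
      }
      print "ok"
    }'
}

check_expiry "$SAMPLE_LISTING"
local_subkeys "$SAMPLE_LISTING" | while read -r fpr caps expiry; do
  echo "local subkey $fpr [$caps] expires $expiry"; export_cmd "$fpr"
done
```

Run it against real output by replacing `SAMPLE_LISTING` with `$(gpg --list-secret-keys --with-subkey-fingerprints --with-colons)`.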