My GPG Key
Email: Coming soon
GPG key: Coming soon
GPG fingerprint: Coming soon
Step by Step: Create and protect a gpg key
Remarks:
- I have only used free software whenever possible and kept it updated
- I have used the Tails live CD on a Libreboot air-gapped computer
- I have created an encrypted FS and mounted it on ~/.gnupg
- All exports and backups have been done on an encrypted USB key
- So my keys have never been saved on an unencrypted FS, even if I am using a live CD :-)
- For daily tasks, I only use subkeys on a smartcard.
- The master secret key is always offline.
- My master secret key will never be used on a computer other than my air-gapped computer
Configure the TRNG
$ sudo rm /dev/random
$ cd /dev
$ sudo ln /dev/urandom random   # hard-link /dev/random to the non-blocking pool so gpg does not stall waiting for entropy
$ ls -lrt /dev/random /dev/urandom   # both entries must now show the urandom device numbers (1, 9)
$ sudo rngd -f -r /dev/hwrng -o /dev/urandom   # feed the hardware RNG into the kernel pool; -f keeps rngd in the foreground, so leave it running in a second terminal
Configure an encrypted usb stick
Write random data on the USB stick
$ lsblk   # check which device is the stick first: /dev/sda below is the author's example, and dd overwrites whatever that device is
$ sudo dd if=/dev/urandom of=/dev/sda bs=1M status=progress; sync
Encrypt the USB stick
$ sudo fdisk /dev/sda   # create a partition (/dev/sda1)
$ sudo cryptsetup -v --verify-passphrase --key-size=512 --hash=sha512 --iter-time=120000 --use-urandom luksFormat /dev/sda1
$ sudo cryptsetup luksOpen /dev/sda1 sda1   # opens the raw partition as /dev/mapper/sda1
$ sudo mkfs.ext4 /dev/mapper/sda1
$ sudo mount /dev/mapper/sda1 /mnt
Create an encrypted FS for ~/.gnupg
$ cd /tmp
$ sudo dd if=/dev/urandom of=gpgkeys bs=1M count=10   # 10 MiB is enough for a LUKS1 container; LUKS2 (cryptsetup's default since 2.1) reserves 16 MiB for its header, so use count=64 there
$ sudo cryptsetup -v --verify-passphrase --key-size=512 --hash=sha512 --iter-time=120000 --use-urandom luksFormat gpgkeys
$ sudo cryptsetup luksOpen /tmp/gpgkeys gpgkeys
$ sudo mkfs.ext4 /dev/mapper/gpgkeys
$ rm -rf ~/.gnupg
$ mkdir ~/.gnupg
$ sudo mount /dev/mapper/gpgkeys ~/.gnupg
$ sudo chown username: ~/.gnupg   # your login name (amnesia on Tails)
$ sudo chmod 700 ~/.gnupg
Copy this gpg.conf into your ~/.gnupg directory (use-agent is only meaningful for GnuPG 1.x; GnuPG 2.x always uses the agent and ignores the option):
no-emit-version
no-comments
keyid-format 0xlong
with-fingerprint
list-options show-uid-validity
verify-options show-uid-validity
use-agent
keyserver-options no-honor-keyserver-url
keyserver-options include-revoked
personal-cipher-preferences AES256 AES192 AES CAST5
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
Create the keys
$ gpg2 --expert --full-generate-key
gpg (GnuPG) 2.2.1; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(9) ECC and ECC
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(13) Existing key
Your selection? 8
Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Sign Certify Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? s
Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Certify Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? e
Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Certify
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 5y
Key expires at Tue 22 Nov 2022 08:53:07 AM CET
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: Steve Tuyizere
Email address: myemail@email.com
Comment:
You selected this USER-ID:
"Steve Tuyizere <myemail@email.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 0x0AA23A20B2B67F4C marked as ultimately trusted
gpg: directory '/home/stuyizere/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/stuyizere/.gnupg/openpgp-revocs.d/179585C04F6413596F54A3270AA23A20B2B67F4C.rev'
public and secret key created and signed.
pub rsa4096/0x0AA23A20B2B67F4C 2017-11-23 [C] [expires: 2022-11-22]
Key fingerprint = 1795 85C0 4F64 1359 6F54 A327 0AA2 3A20 B2B6 7F4C
uid Steve Tuyizere <myemail@email.com>
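The session above, replayed unattended and then checked, as an added example that is not code from the original page. It uses gpg's --quick-generate-key with usage "cert" (the batch form of toggling Sign and Encrypt off under --expert), a throwaway GNUPGHOME, a placeholder user ID and an empty loopback passphrase; none of these come from the page, and the real master key is generated with a passphrase inside the encrypted ~/.gnupg. It copies the preference lines of the gpg.conf above into that home, then reads the key back with --with-colons to confirm the primary key is certify-only (capabilities field "cC", the [C] of the listing), 4096-bit RSA, and that the revocation certificate gpg writes at creation is under openpgp-revocs.d.

```shell
#!/bin/sh
# Added example, not code from the original page: unattended equivalent of
# the "gpg2 --expert --full-generate-key" session plus the checks worth
# running on the result. Everything runs in a throwaway GnuPG home; the
# user ID is a placeholder.
set -eu

GPG=${GPG:-gpg}   # the binary is called gpg2 on Tails and older distributions

# Write the preference lines of the page's gpg.conf into GnuPG home $1 so the
# new key's self-signature advertises them (visible later via showpref).
write_gpg_conf() {
    mkdir -p "$1" && chmod 700 "$1"
    cat > "$1/gpg.conf" <<'EOF'
keyid-format 0xlong
personal-cipher-preferences AES256 AES192 AES CAST5
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
EOF
}

# Create a certify-only RSA-4096 primary key, valid 5 years, for user ID $2 in
# GnuPG home $1. Usage "cert" is the batch form of toggling Sign and Encrypt
# off in the --expert dialogue. The empty loopback passphrase only keeps this
# demo unattended; a real master key gets a strong passphrase.
make_cert_only_key() {
    write_gpg_conf "$1"
    GNUPGHOME=$1 "$GPG" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2" rsa4096 cert 5y 2>/dev/null
}

# Print field $2 of the primary key's "pub" record in --with-colons output
# (3 = key length, 4 = algorithm id, RSA is 1, 12 = capabilities).
primary_field() {
    GNUPGHOME=$1 "$GPG" --batch --with-colons --list-keys 2>/dev/null \
        | awk -F: -v n="$2" '$1 == "pub" { print $n; exit }'
}

# Print the primary key fingerprint (field 10 of the "fpr" record).
primary_fingerprint() {
    GNUPGHOME=$1 "$GPG" --batch --with-colons --list-keys 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Succeed only if the revocation certificate gpg writes at key creation is
# where the interactive run reports it: openpgp-revocs.d/<fingerprint>.rev.
has_revocation_cert() {
    [ -s "$1/openpgp-revocs.d/$(primary_fingerprint "$1").rev" ]
}

# Stop the agent gpg auto-started for home $1 and delete the home.
cleanup_home() {
    GNUPGHOME=$1 gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$1"
}

# Generate, then verify: [C]-only, 4096-bit RSA, revocation certificate on
# disk, and the preferences the gpg.conf lines put into the self-signature.
demo() {
    home=$(mktemp -d)
    make_cert_only_key "$home" "Example User <user@example.org>"
    caps=$(primary_field "$home" 12)
    # "cC": lowercase is the key's own capability, uppercase what the whole key
    # (primary plus subkeys, none yet) can do. "scESC" means the toggles were
    # missed and the master key can sign and encrypt.
    [ "$caps" = "cC" ] || { echo "unexpected capabilities: $caps" >&2; exit 1; }
    echo "fpr=$(primary_fingerprint "$home") caps=$caps bits=$(primary_field "$home" 3)"
    has_revocation_cert "$home" && echo "revocation certificate present"
    # In batch mode gpg sends the edit-key menu output to stderr.
    GNUPGHOME=$home "$GPG" --batch --edit-key "$(primary_fingerprint "$home")" showpref 2>&1
    cleanup_home "$home"
}

if [ "${1-}" = "demo" ]; then demo; fi
```

Saved as, say, keygen-check.sh (a name chosen here), it is run on Tails with `GPG=gpg2 sh keygen-check.sh demo`. The capabilities field is the check worth keeping around: "scESC" there means the Sign and Encrypt toggles were missed and the master key can sign and encrypt, which defeats the offline master, subkeys-on-smartcard model described in the remarks.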
Sources:
- OpenPGP Best Practices
- gpg.conf from Tails
- Tips and ideas from an ex-colleague, a guru