One day I asked my friend, a cybersecurity expert, how to store my GPG private key securely. His answer did not impress me at all, since he advised me to store the key on a USB thumb drive that I would have to bring everywhere I go. That is not the best practice in my opinion, since there is a chance I will lose my thumb drive or, even worse, my thumb drive will break. I searched on the internet and found that I can use a USB token to store the private key securely, but there is still a price I have to pay, so I had to find another way. Then I learned about PaperKey, an OpenPGP key archiver, which saves my private key on paper. The following is what I do to secure my private key.
1. Generating a GPG key
If we do not have a GPG key yet, or we need a new one, we can generate a key pair interactively with gpg --gen-key, answering its prompts as follows:
1.1. Determining the key type
When asked to choose the key type, choose option 1, RSA and RSA (default).
1.2. Entering the key size
Enter a number between 1024 and 4096, or just press ENTER to accept the default of 2048 bits, which is the best choice.
1.3. Specifying the key life time
We can specify how long the key will remain valid. However, it is common to give the key no expiration date; to do so, just press ENTER so the key never expires, then press Y to confirm.
1.4. Providing the key identity
Fill in the Real name, Email address, and Comment fields to give the key an identity, then press O to confirm.
1.5. Entering a passphrase
To make our key more secure, give it a passphrase. It can be anything, but a short sentence or phrase that is not easy to guess is better. Enter the passphrase again to confirm.
Note: The passphrase cannot be recovered, so we must not forget it.
1.6. Generating the key
A lot of random bytes need to be generated. If the generator does not have enough random bytes available, move the mouse around, browse the internet, type on the keyboard or do anything you normally do so the system can gather randomness. Once the key has been generated successfully, we will see information like the following:
gpg: key 2E4A9C6A marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/2E4A9C6A 2017-12-29
      Key fingerprint = 3A5C 4E14 372A 660B C4C6 D19A 2BD3 8298 2E4A 9C6A
uid                  Wisnu Anggoro (Key for wisnu.id) <firstname.lastname@example.org>
sub   2048R/57AC4E4D 2017-12-29
Based on the preceding information, the key-id is 2E4A9C6A. Run gpg --list-keys to list the keys in the keyring:
You will get a list similar to the following:
/home/[yourname]/.gnupg/pubring.gpg
------------------------------
pub   2048R/2E4A9C6A 2017-12-29
uid                  Wisnu Anggoro (Key for wisnu.id) <email@example.com>
sub   2048R/57AC4E4D 2017-12-29
1.7. Exporting the key pairs
In order to store the key securely using PaperKey, we need to export the private and public key. To export the public key, we can use the following command:
gpg --output wisnu_id_pub.gpg --export 2E4A9C6A
To export the private key, we can use the following command:
gpg --output wisnu_id_sec.gpg --export-secret-key 2E4A9C6A
Now we have the files wisnu_id_pub.gpg and wisnu_id_sec.gpg in the /home/[yourname]/.gnupg/ directory.
Note: 2E4A9C6A is the key-id we get from the previous step.
1.8. Uploading the public key to the Ubuntu keyserver
We need to upload the public key to the keyserver so we can retrieve it later to reconstruct the private key.
gpg --send-keys --keyserver keyserver.ubuntu.com 2E4A9C6A
2. Installing PaperKey
Installing the PaperKey package on Ubuntu is simple. We just need to execute the following two commands:
sudo apt-get update
sudo apt-get install paperkey
To ensure the package has been installed successfully, run paperkey --version to print the version of the installed package.
3. Extracting the secret data in the private key
Now that we have the GPG private key, we can extract the secret data from it and write it to a text file. Go to the /home/[yourname]/.gnupg/ directory, then extract the secret data from the private key using the following command:
paperkey --secret-key wisnu_id_sec.gpg --output secret-data-only.txt
The resulting secret-data-only.txt will look like the following (only the first five data lines are shown):
...
1: 00 04 3A 5C 4E 14 37 2A 66 0B C4 C6 D1 9A 2B D3 82 98 2E 4A 9C 6A 6D5AD6
2: 02 B9 FE 07 03 02 BC 29 B9 6E 94 77 56 81 60 E5 1C 60 63 8D 0D B8 118201
3: 68 59 15 AC 93 9F 29 52 E6 8B D5 8B 04 55 62 81 F6 C4 72 5B C9 BC 11064C
4: 3D DC B8 41 D2 D6 04 C6 85 81 20 56 10 C0 1D 94 20 97 DA 5D 68 F9 D09E67
5: C9 7B 0B 0A 80 CB A0 A8 25 11 F6 6C D8 EF 86 FD 74 61 F0 4B B2 38 B3B783
...
We have successfully extracted the secret data from the private key. We can now print secret-data-only.txt and keep the printout in a secure place.
4. Reconstructing the private key using secret data and public key
If we lose the private key, and even the public key, we can reconstruct the private key with the following steps:
4.1. Downloading the public key from the Ubuntu keyserver
In the web browser, go to http://keyserver.ubuntu.com:11371 and fill in the Search String text box with the name you gave the key, then press the Search! button. You will find your key in the list of public keys by its key-id. Click the key-id and you should see your public key as an ASCII-armored block, starting with -----BEGIN PGP PUBLIC KEY BLOCK----- and ending with -----END PGP PUBLIC KEY BLOCK-----.
Copy the ASCII-armored public key and save it to an *.asc file. Suppose we will save it as public-key.asc; open the nano editor using the following command:
sudo nano public-key.asc
In the nano editor, paste the ASCII public key copied from the Ubuntu keyserver, then press Ctrl+X to save and close.
4.2. Dearmor-ing the ASCII public key
In order to reconstruct the private key using PaperKey, we need to dearmor the ASCII-armored key. Run the following command, and public-key.asc.gpg will be generated automatically:
gpg --dearmor public-key.asc
4.3. Converting the printed secret data back to a text file
We printed the secret data in section 3. Use OCR to turn that printout back into a text file; we will save it as secret-text.txt.
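Before feeding the OCR output to paperkey, it is worth checking the transcript against the CRC-24 that paperkey prints at the end of every data line (the last six hex digits of each line in the section 3 listing). The following Python checker is an added example, not part of the original post or of paperkey itself; it assumes paperkey's documented text layout (line number, up to 22 hex octets, a per-line CRC-24 using the OpenPGP radix-64 polynomial, and a final line holding the CRC-24 of all the secret data) and reports which lines a bad scan corrupted or dropped.

```python
import re
from typing import List, Tuple

# OpenPGP radix-64 CRC-24 (RFC 4880, section 6.1). paperkey's own file header
# says every base16 line carries a CRC-24 of its octets using this polynomial.
CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB

def crc24(data: bytes) -> int:
    """Bitwise OpenPGP CRC-24 of data."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

# "  1: 00 04 3A ... 9C 6A 6D5AD6": line number, up to 22 octets, line CRC-24.
DATA_LINE = re.compile(r"^\s*(\d+):((?:\s+[0-9A-Fa-f]{2})+)\s+([0-9A-Fa-f]{6})\s*$")
TOTAL_CRC = re.compile(r"^\s*([0-9A-Fa-f]{6})\s*$")  # trailing CRC of all data

def format_line(number: int, payload: bytes) -> str:
    """Render one data line in paperkey's text layout (handy for test input)."""
    return f"{number:3d}: " + " ".join(f"{b:02X}" for b in payload) + f" {crc24(payload):06X}"

def check_transcript(text: str) -> Tuple[bytes, List[int], bool]:
    """Validate a typed or OCR'd transcript before handing it to paperkey:
    returns (secret octets, numbers of lines whose CRC failed or that are
    missing, whether the trailing whole-file CRC matched)."""
    payload, bad, total_ok, expect = bytearray(), [], True, 1
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                                  # paperkey's comment header
        if m := DATA_LINE.match(raw):
            number = int(m.group(1))
            bad.extend(range(expect, number))         # line numbers skipped by OCR
            expect = number + 1
            data = bytes.fromhex("".join(m.group(2).split()))
            if crc24(data) != int(m.group(3), 16):
                bad.append(number)                    # mis-read octet on this line
            payload += data
        elif m := TOTAL_CRC.match(raw):
            total_ok = crc24(bytes(payload)) == int(m.group(1), 16)
        else:
            raise ValueError(f"unrecognised line: {raw!r}")
    return bytes(payload), bad, total_ok
```

Run check_transcript over the contents of secret-text.txt; paperkey checks these CRCs too, but doing it first tells you exactly which lines to re-type before attempting the reconstruction.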
4.4. Reconstructing the private key
Now we are ready to reconstruct the private key. Run the following command, and we will get our private key as secret-key.gpg:
paperkey --pubring public-key.asc.gpg --secrets secret-text.txt --output secret-key.gpg