GnuPG: Master Key on Airgapped Tails OS

How to use Tails OS to generate your GPG master key

Because only the paranoid survive.

So it’s time to rotate your GnuPG master key. Assuming you’re among the “reasonably paranoid” (you know, you being a little paranoid in the edges certainly doesn’t mean that they ain’t after you) you ought to think about how to safely generate your private OpenPGP/GnuPG master key. So here’s my notes on how I went about it:

Tools used

• Trusted computer, preferably running Libreboot
• Tails OS on a USB flash drive
• Additional USB flash drive, or better a SD card that can be write protected

You might know Tails OS already, but if you don’t I’d recommend you have a look at it. Tails OS is a Debian based distro that focuses on privacy:

Tails is a portable operating system that protects against surveillance and censorship.

Basically, it’s a GNU/Linux USB flash drive that you can easily boot into from most machines and which then routes all your traffic through the Tor network.

Tails OS runs completely from your computers RAM memory, and leaves no trace of its usage after you halt your machine. It’s a cool tool to carry on your key chain.

However in “some countries” that are blocking connections to the Tor network Tails OS might not really be that useful out of the box, you’d need to set it up so that you use some of the more obscure Tor bridges which requires some more tinkering. You’ll find that in some places it can be really hard to get access to any kind of bridges, and you might want to fall back to e.g a socks proxy à la Shadowsocks to connect to the outside world.

Also, simply trying to initiate a Tor connection might in itself be enough to get you into real trouble in some places… Anyway, we’re here to generate a key on an airgapped box, and as I currently find myself in a rather “free country” I say let’s keep this topic for another day.

You can configure Tails OS to save your files and configurations on an encrypted persistent partition on your USB flash drive, so you can carry some of your documents or important emails, install additional software etc. It comes with a decent collection of usable tools.

Tonight we’re gonna use Tails OS to generate a GPG master key.

Airgapped Tails OS

First you’ll need to download and install Tails OS on your USB flash drive. Once you’ve loaded your USB drive with a bootable Tails OS, select your trusted computer. Do you really trust your computers BIOS or UEFI? If you don’t - and you probably shouldn’t - then I’d advise to choose a computer that runs Libreboot or at least a Coreboot replacement for your BIOS / UEFI and neutralizes that Intel Management Engine spyware firmware.

Power off the computer, and remove or disable any attached network interfaces. Depending on your level of paranoia, it might be OK to simply boot into Tails OS, as Tails won’t start any network connections. Or you could go all in and physically remove any network cards from your machine and bunker down in your underground Faraday cage.

Boot up Tails OS, and create a persistent volume on your USB flash drive. This will be an encrypted partition where you can store your master key.

To create a persistent encrypted volume on your USB drive, go for Applications ▸ Tails ▸ Configure persistent volume. Make sure you select GnuPG from the list presented so that you’re GPG keys get stored on the encrypted partition.

Reboot your Tails OS, enter your passphrase for the encrypted persistent volume and make sure it’s all good before you proceed with creating the key.

Generate Your GPG Master Key

Now we’ll generate the actual GnuPG master key. Fire up a terminal and run:

$ gpg --full-gen-key

Here you’d select option 4 to generate a single sign-only RSA key:

Your selection? 4

Next you’ll have to choose your key size. Most would probably opt for 4096 (or you could choose a more obscure value, or if you’d e.g be signing SSL root certificates or the like you might want to choose a 2048-RSA key).

So let’s go for 4096:

What keysize do you want? (2048) 4096

Then comes the question - how long shall your key remain valid? Choose a reasonable time frame for your purposes, let’s say 1 or 2 years:

Key is valid for? (0) 1y
Key expires at a date and time 1 year in the future.
Is this correct? (y/N) y

During the next step you’ll setup your user ID (UID) which means your name and the email address you’re gonna use this key for. Keep away from the “Comments”, it’d mostly make your life more complicated later on, so just leave that part blank:

Real name: Daniel Tenningås
Email address: daniel@tenningas.com
Comment: 

Review your info, and confirm:

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

You’ll be asked for a passphrase - and make sure you choose a good one!

Voilà, you’ve just generated your GPG master key on an airgapped system.

Add another UID for secondary email

Now, there’s plenty of interesting things you can do with gpg, such as adding an extra UID for your secondary email address:

gpg --expert --edit-key 0xKEYID

This gives you the “gpg prompt”, and you’d do something like this:

gpg> adduid

And then add another UID just as you added your first one.

Adding GPG subkeys for encrypting & signing

So now we’ve got a master key, but we’ll leave this in a secure and airgapped location and instead generate two subkeys for encrypting and signing.

We’ll use the addkey command at our gpg prompt:

gpg> addkey

Selecting 4 for the signing key and 6 for the encryption key, after which we’ll save the changes we’ve made to our key:

gpg> save

Revocation Certificate

Now this part is kinda important. You’ll need a revocation certificate, so in case your key gets compromised you’ll be able to make it unusable. Or else, well, you might end up with another person taking over your identity… and bad stuff might happen.

gpg --gen-revoke 0xKEYID > /media/pathtoyourusb/revoke.gpg

Save this revocation certificate in a safe and/or airgapped location. If your subkeys somehow get stolen, you loose your laptop etc. you’d use this to revoke your subkeys before you generate new ones.

Export your public keys to your USB

Mount the USB drive or SD card that you want to use to transfer your subkeys to the machine you’re gonna use on a daily basis. Hmmm… how to trust that USB flash drive or your SD card… well, let’s simply assume that you do:

gpg --export 0xKEYID > /media/pathtoyourusb/public.gpg

Export your private subkeys to your USB

This will export your subkeys only, and you’ll use these for signing and encrypting on your various devices while leaving the master key in a safe place:

gpg --export-secret-subkeys 0xKEYID > /media/pathtoyourusb/secret.gpg

Use the subkeys on your daily driver

So assuming that your daily drives is not a librebooted, airgapped Tails OS boxen you’d want to import the keys to the machine you want to use:

gpg --import < /media/pathtoyourusb/public.gpg
gpg --import < /media/pathtoyourusb/secret.gpg

Remember that your master key is now located only on your Tails OS drive.

You’d want to keep this in a secure location, preferably offline. Wrap up your USB, dig a hole in a remote location and drop it there, print it out on a piece of paper (with a few “mistakes” that you’d need to remember) etc. etc.

The truly paranoid will come up with endless options, only to discover that they all have their flaws, so don’t go to deep down that rabbit hole… 😅

Set the trust level of your subkeys

As a last step, you’ll need to set the trust level of your subkeys. For this you’d use gpg> trust and set the trust level to ultimate.

You’re ready to roll:

Now you can start to use your GPG subkeys to sign or encrypt files, documents, emails etc.

Oh, and while we’re at it, you might want to check out the book Only the Paranoid Survive by former Intel CEO Andrew Grove. While not actually related to encryption and computer security, this book is more about business survival in a fast moving, dynamic technology landscape, and makes for an interesting read on a rainy Saturday night.

:wq