Project:Gentoo-keys/Generating GLEP 63 based OpenPGP keys

General info
In this guide we are going to show you how to create a GLEP 63 based OpenPGP Key following best practice.

OpenPGP
OpenPGP is one of the most widely used cryptographic standards in the world. The OpenPGP standard was originally derived from PGP (Pretty Good Privacy), first created by Phil Zimmermann in 1991, and is now maintained by the OpenPGP Working Group of the Internet Engineering Task Force. One of the most used open source implementations of the OpenPGP standard is the GNU Privacy Guard (GnuPG).

The OpenPGP standard is a hybrid scheme utilizing both asymmetrical and symmetrical cryptography to establish the cryptosystem. The asymmetrical components are used to establish a nPKI (Public Key Infrastructure) ad when mentioning keys in this document, it is a reference to the asymmetrical components. It is a hybrid system when used for data encryption, as the data itself is encrypted symmetrically using a random session key, which is afterwards encrypted individually using the asymmetrical encryption keys of each recipient.

OpenPGP keys (i.e. asymmetrical) normally consists of a primary key used for Certification and Signing and a subkey capable of Encryption. This is often extended to using a primary key for Certification purposes only, and separate subkeys for Signing and Encryption. Such a scheme allows for the primary key to be stored offline, while the subkeys are used for day-to-day use.

When generating a new User ID, a new subkey, creating a certification (signature) of another key, or performing revocation procedures, the primary key will have to be used, and as such these operations are normally conducted on a more secure system. As certifications by other users are tied to the primary key, as components structured below the User ID and User Attribute, this allows for key-rotation without losing existing certificates of the key, e.g. in the event of a key compromise due to loss of a device.

GLEP 63
GLEP 63 is a proposal accepted by the Gentoo Council which provides both a minimum requirement and a recommended set of OpenPGP key management policies for the use of GnuPG  by Gentoo Linux developers. It is intended to provide a basis for future improvements such as consistent ebuild or package signing and the possibility of verification of integrity by end users.

How to generate the perfect GLEP 63-compliant OpenPGP key
In the next few steps we will show you how to generate the perfect GLEP 63-compliant OpenPGP key. We used the term perfect key because this key should last for next 10 years and be flexible enough to support as many setups as possible (e.g. various hardware token). In the end this key should allow you to become part of the Web of Trust while helping to keep Gentoo secure.

Step 1: Backup your existing GnuPG setup
Before we start it is recommended that you backup your existing GnuPG configuration, including your private keyring, just in case something goes wrong and you want to revert.

First, it is important to know where you store your current GnuPG configuration and keyrings. Run the following command to get GnuPG's homedir:

Now that you know your GnuPG's current homedir ( in this example), you can create a backup of your current GnuPG configuration, including your keyrings:

(we use umask to restrict access to the backup file; It is safe to ignore the warnings regarding ignored sockets above)

Step 2: Install the tools you will need
We don't need any special tools or script. The normal GnuPG 2.x CLI client will be enough. It should be already installed on your system, if not, just run

Step 3: Update your gpg.conf
This step is optional but recommended: Make sure your gpg.conf (usually located in ) contains the following settings:

Step 4: Create your new master key
With the configuration from above in place, your new master key can be created. The master key will only have the capability "Certify" and is only needed when the key is modified or when you sign someone else's key. Separating capabilities will allow you to split master key from subkeys so that you can keep master key in a secure, air-gaped, environment for example.

Step 5: Create subkeys
To be able to sign commits or push signed to any Gentoo repository, we will need a subkey with "Sign" capability. Therefore we will create a RSA key with keysize of 2048 bits and a validity of 1 year (note that we will use the previous shown fingerprint when we specify which key we want to edit):

Now it is also recommended that you will create a subkey you can use for encryption. This will allow you to encrypt files against your OpenPGP key and allow others to send you encrypted messages for example:

Step 6: Add a subkey for authentication
This step is optional. If you want to use your OpenPGP key for SSH authentication as well, it is recommended to add a dedicated subkey just for authentication:

Summary
The creation of your new, perfect GLEP 63-compliant OpenPGP key is now completed. Let's view your new key:

Submit your new key to the keyserver
Once you're satisfied with the newly generated key is configured as you want it, the key should be published to an operational keyserver pool using:

Updating LDAP
It is important that you update the LDAP entry on woodpecker, so that your new key will be recognized and is allowed to push to Gentoo repositories. See this FAQ entry for more details.

Split key
Add information how to split key so that you can keep master key on an air-gaped system for example and/or use keycard, YubiKey...