Key functions:
* Certification - The private key signs other keys to establish a trust relation; the public key verifies those key signatures.
* Signing - The private key signs data; the public key verifies the signature.
* Encryption - The public key encrypts data; the private key decrypts it.
* Authentication - Used to log into SSH with a PGP key.
Keypairs can be further divided into sub-keys. Sub-keys are attached to the master key and can be created and revoked at any time with the certifying (master) key. Generate a 4096-bit master keypair for certification only and two 4096-bit sub-keys, one for encryption and one for signing. Doing this, you can isolate your master key from any network component (airgap) and use only the sub-keys day to day to sign and decrypt. If your master key is compromised, then you're fucked and need to start from scratch, which is why it must be isolated. If your sub-keys are compromised, you can revoke them with the master key and create new ones.
The step by step:
$ gpg --expert --gen-key
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
Your selection? 8
Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Sign Certify Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? s
Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Certify Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? e
Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Certify
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? q
At the next question enter 4096 (the key size in bits), then proceed with filling out the remaining questions; the answers are up to you.
If you see "Not enough random bytes available. Please do some other work to give the OS a chance to collect more entropy! (Need 153 more bytes)", it means you should type more random stuff like <>jfu7&() until enough entropy has been collected.
Then:
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 16384R/???????? //The ?'s are your key ID
gpg --expert --edit-key ???????? //your key ID
pub 4096R/???????? created: 2014-05-28 expires: never usage: C
trust: ultimate validity: ultimate
[ultimate] (1). Cryptic_Logic (Fucko the Clown!) clogic@nowhere.net
gpg> addkey //first sub-key: signing only
Please select what kind of key you want:
(8) RSA (set your own capabilities)
(E) Toggle the encrypt capability //toggle encrypt off so only Sign remains
(Q) Finished
yes/yes. //answer yes to the confirmation prompts
gpg> addkey //second sub-key: encryption only
Your selection? 8
Your selection? s //toggle sign off so only Encrypt remains
Your selection? q
gpg> save
Also, editing keygen.c "unsigned nbits, min, def=2048, max=4096" and setting the "max=" to 16384 (4096x4) is a bad idea.
Deleting the:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)