PGP Subkeys for Keybase

The private parts of PGP keys (including subkeys) stored on a Yubikey can’t be exported, so you must always use the actual Yubikey to encrypt, decrypt, sign and verify messages. Subkeys stored outside the hardware key can simplify the day-to-day encryption and signing operations and can be revoked independently of the master key.

So I created a new subkey with encrypt and sign capabilities using the master key on the Yubikey and left it on the computer instead of saving it to the Yubikey:

$ gpg --expert --edit-key FINGERPRINTOFYOURMASTERKEY

The --expert flag is required to enable subkeys with both encrypt and sign capabilities. Use gpg --edit-card to view the fingerprint of your master key with Yubikey plugged in.

Now create a new subkey:

addkey

Choose (8) RSA (set your own capabilities), then use (S) Toggle the sign capability and (E) Toggle the encrypt capability so that the subkey has both the sign and the encrypt capability, and set the key size to 4096 bits.

Be sure to set the expiration date to something after the expiration date of the encryption subkey already stored on the Yubikey (if there is one) or Keybase will fail to use the new encryption subkey when users encrypt messages using the online encryption form. Most PGP software will pick the subkey by its creation time and then by the expiration time.

Save the changes to your combined public key after creating the subkey by entering save.

Now send the updated public key to your preferred PGP key server:

$ gpg --send-keys FINGERPRINTOFYOURMASTERKEY

and to Keybase using their command-line tool:

$ keybase pgp update

It is impossible to upload the updated public key using their web UI unless you have another private key associated with the account. All of my private keys before creating this new subkey were stored on Yubikey so I had to use their CLI tool.

You can now export the private part of your new subkey. Find the fingerprint of the new subkey:

$ gpg --list-secret-keys --with-subkey-fingerprints
---------------------------------
sec>  rsa4096 2015-01-01 [SC] [expires: 2021-01-01]
      A134BA0260D43F8EACC889D994F13532A319EA5D
      Card serial no. = 0001 011111111
uid           [ultimate] Kaspars Dambis <hi@kaspars.net>
uid           [ultimate] [jpeg image of size 1790]
ssb>  rsa4096 2015-01-01 [E] [expires: 2021-01-01]
      D2A5D7D1B4D5A75BB161AC94FD4869EA5538D9E8
      Card serial no. = 0001 011111111
ssb>  rsa4096 2015-01-01 [A] [expires: 2021-01-01]
      0A153C055A881B4524C04B3F03142B71D9CDD878
      Card serial no. = 0001 011111111
ssb   rsa4096 2019-01-01 [SE] [expires: 2021-01-01]
      A58B88D1220599B82097CBA30C8C9DD50841A889

The master key is listed at the top with all the subkeys below it. Note that all subkeys stored on Yubikey have the > character after their ssb (secret subkey) identifier and the new one doesn’t have that. The fingerprint of the new subkey is A58B88D1220599B82097CBA30C8C9DD50841A889 so I use the following command to export the private key of the new subkey:

$ gpg --armor --export-secret-subkeys FINGERPRINTOFSUBKEY!

Note the exclamation mark ! at the end of the fingerprint — it is required to export the private key of just the particular subkey.

Pipe the output to pbcopy on macOS to copy it to the clipboard:

$ gpg --armor --export-secret-subkeys FINGERPRINTOFSUBKEY! | pbcopy

Go to your Keybase profile, click on edit next to your public key fingerprint and choose “Host an encrypted copy of my private key”, paste in the key and enter your Keybase password to encrypt the key for storage.

Now you’re able to encrypt and decrypt messages using the Keybase web UI or the command-line tool without having to use Yubikey.
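The fingerprint lookup and the expiration-date rule described above can also be checked against GnuPG's machine-readable listing, where an on-card key carries the card serial number in field 15 instead of the > marker. This is an added example, not part of the original post: the function names are hypothetical, and the sample listing (card serial, timestamps, a later expiry for the new subkey) is constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Field numbers per GnuPG's
# doc/DETAILS: 7 = expiry (epoch), 10 = fingerprint on fpr records,
# 12 = capabilities, 15 = card serial number, or "+"/empty for a key on disk.

# Constructed listing modelled on the post's output (uid lines omitted;
# card serial and timestamps are made up). For real use, pipe in:
#   gpg --list-secret-keys --with-colons FINGERPRINTOFYOURMASTERKEY
sample_listing() {
cat <<'EOF'
sec:u:4096:1:94F13532A319EA5D:1420070400:1609459200::u:::scSC:::D2760001240102010001011111110000:::23::0:
fpr:::::::::A134BA0260D43F8EACC889D994F13532A319EA5D:
ssb:u:4096:1:FD4869EA5538D9E8:1420070400:1609459200:::::e:::D2760001240102010001011111110000:::23:
fpr:::::::::D2A5D7D1B4D5A75BB161AC94FD4869EA5538D9E8:
ssb:u:4096:1:03142B71D9CDD878:1420070400:1609459200:::::a:::D2760001240102010001011111110000:::23:
fpr:::::::::0A153C055A881B4524C04B3F03142B71D9CDD878:
ssb:u:4096:1:0C8C9DD50841A889:1546300800:1640995200:::::se:::+:::23:
fpr:::::::::A58B88D1220599B82097CBA30C8C9DD50841A889:
EOF
}

# Print "FINGERPRINT! CAPS" for each secret subkey kept on disk; the
# trailing "!" is the form --export-secret-subkeys needs for one subkey.
offcard_subkeys() {
  awk -F: '
    $1 == "sec" { want = 0; next }
    $1 == "ssb" { want = ($15 == "" || $15 == "+"); caps = $12; next }
    $1 == "fpr" && want { print $10 "! " caps; want = 0 }
  '
}

# Succeed only if an on-disk encryption subkey expires later than every
# on-card encryption subkey. An empty expiry field means "never expires".
expiry_ok() {
  awk -F: '
    $1 == "ssb" && $12 ~ /e/ {
      e = ($7 == "" ? 1e18 : $7 + 0)
      if ($15 == "" || $15 == "+") { if (e > disk) disk = e }
      else if ($15 != "#")        { if (e > card) card = e }
    }
    END { exit !(disk > card) }
  '
}

sample_listing | offcard_subkeys
sample_listing | expiry_ok && echo "on-disk encryption subkey outlives the on-card one"
```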
