---
title: PGP Subkeys for Keybase
date: 2019-07-05T11:37:31+00:00
modified: 2019-07-05T12:02:42+00:00
image: https://kaspars.net/wp-content/uploads/2019/07/keybase-nav-v2.png
permalink: https://kaspars.net/blog/pgp-subkeys-keybase
post_type: post
author:
  name: Kaspars
  avatar: https://reverse.kaspars.net/gravatar/avatar/92bfcd3a8c3a21a033a6484d32c25a40b113ec6891f674336081513d5c98ef76?s=96&d=mm&r=g
category:
  - Cryptography
---

# PGP Subkeys for Keybase

The private parts of PGP keys (including subkeys) generated on a Yubikey can’t be exported, so you must always have the actual Yubikey plugged in to encrypt, decrypt, sign and verify messages. [Subkeys](https://wiki.debian.org/Subkeys) stored outside the hardware key simplify the day-to-day encryption and signing operations and can be revoked with the master key without touching the rest of the key. The trade-off is that a software subkey is only as safe as the machine, clipboard and backups that hold it.

So I created a new subkey with both encrypt and sign capabilities using the master key on the Yubikey and left it on the computer instead of saving it to the Yubikey:

```
gpg --expert --edit-key FINGERPRINTOFYOURMASTERKEY
```

The `--expert` flag is required because option `(8)`, which lets you set the capabilities yourself, is only offered in expert mode; the default menu only creates sign-only or encrypt-only subkeys. With the Yubikey plugged in, `gpg --card-status` (or the interactive `gpg --edit-card`) prints the fingerprints of the keys held on the card, including the master key if it lives there.

Now create a new subkey:

```
addkey
```

Choose `(8) RSA (set your own capabilities)`. For an RSA key the menu starts with `Current allowed actions: Sign Encrypt`, which is exactly what you want; `(S) Toggle the sign capability` and `(E) Toggle the encrypt capability` switch each capability on *or off*, so only use them if one of the two is missing. Confirm the line reads `Sign Encrypt`, enter `(Q) Finished`, and set the key size to 4096 bits.

Be sure to set the expiration date later than the expiration date of the encryption subkey already stored on the Yubikey (if there is one), [or Keybase will fail to use the new encryption subkey](https://github.com/keybase/keybase-issues/issues/1853) when users encrypt messages using the [online encryption form](https://keybase.io/encrypt#kaspars). Implementations differ in how they choose between several valid encryption subkeys (GnuPG takes the most recently created one, other software also looks at the expiration time), so giving the new subkey the latest expiry keeps every client picking it.

Enter `save` to write the new subkey into your keyring and leave the `--edit-key` menu.

Now send the updated public key to your preferred PGP key server:

```
$ gpg --send-keys FINGERPRINTOFYOURMASTERKEY
```

and to Keybase using [their command-line tool](https://keybase.io/docs/command_line):

```
$ keybase pgp update
```

It is impossible to upload the updated public key using their web UI unless you have another private key associated with the account. All of my private keys before creating this new subkey were stored on Yubikey so I had to use their CLI tool.

You can now export the private part of your new subkey. Find the fingerprint of the new subkey:

```
$ gpg --list-secret-keys --with-subkey-fingerprints
---------------------------------
sec>  rsa4096 2015-01-01 [SC] [expires: 2021-01-01]
      A134BA0260D43F8EACC889D994F13532A319EA5D
      Card serial no. = 0001 011111111
uid           [ultimate] Kaspars Dambis <hi@kaspars.net>
uid           [ultimate] [jpeg image of size 1790]
ssb>  rsa4096 2015-01-01 [E] [expires: 2021-01-01]
      D2A5D7D1B4D5A75BB161AC94FD4869EA5538D9E8
      Card serial no. = 0001 011111111
ssb>  rsa4096 2015-01-01 [A] [expires: 2021-01-01]
      0A153C055A881B4524C04B3F03142B71D9CDD878
      Card serial no. = 0001 011111111
ssb   rsa4096 2019-01-01 [SE] [expires: 2021-01-01]
      A58B88D1220599B82097CBA30C8C9DD50841A889
```

The master key is listed at the top with all the subkeys below it. Note that all subkeys stored on Yubikey have the `>` character after their `ssb` (secret subkey) identifier and the new one doesn’t have that. The fingerprint of the new subkey is `A58B88D1220599B82097CBA30C8C9DD50841A889` so I use the following command to export the private key of the new subkey:
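The following POSIX shell script is an added example, not code from the original post: it parses the machine-readable `gpg --list-secret-keys --with-colons` listing instead of the human-readable one above, classifies every subkey as on-card or local (field 15 holds the card serial for card keys and `+` or nothing for software keys), picks the local sign+encrypt subkey for export, and computes an expiry one year after the on-card encryption subkey’s for a non-interactive `gpg --quick-add-key` (GnuPG 2.1.14 or later) that replaces the interactive `addkey` session described earlier. The sample listing is constructed (fingerprints and dates match the listing above, serial numbers and the uid hash are made up), and all function names are mine. Only the parsing and date helpers run without a Yubikey; the two functions that call `gpg` are shown for use on a machine with the card plugged in.

```shell
#!/bin/sh
# Added example: locate the software subkey and choose its expiry from
# `gpg --list-secret-keys --with-colons` output (field layout per GnuPG
# doc/DETAILS: $1 record type, $7 expiry epoch, $12 capabilities, $15 token
# serial; `fpr` records carry the fingerprint in $10).

# CONSTRUCTED sample listing: one master key and two subkeys on the card,
# one sign+encrypt subkey in software (serial field "+").
SAMPLE_LISTING='sec:u:4096:1:94F13532A319EA5D:1420070400:1609459200::u:::scESCA:::D2760001240102010006011111110000::::
fpr:::::::::A134BA0260D43F8EACC889D994F13532A319EA5D:
uid:u::::1420070400::0123456789ABCDEF0123456789ABCDEF01234567::Kaspars Dambis <hi@kaspars.net>::::::::::0:
ssb:u:4096:1:FD4869EA5538D9E8:1420070400:1609459200:::::e:::D2760001240102010006011111110000::::
fpr:::::::::D2A5D7D1B4D5A75BB161AC94FD4869EA5538D9E8:
ssb:u:4096:1:03142B71D9CDD878:1420070400:1609459200:::::a:::D2760001240102010006011111110000::::
fpr:::::::::0A153C055A881B4524C04B3F03142B71D9CDD878:
ssb:u:4096:1:0C8C9DD50841A889:1546300800:1609459200:::::es:::+::::
fpr:::::::::A58B88D1220599B82097CBA30C8C9DD50841A889:'

# Read a colon listing on stdin; print "<fingerprint> <caps> <card|local> <expiry>"
# for every secret subkey. An `ssb` record is always followed by its `fpr` record.
classify_subkeys() {
  awk -F: '
    $1 == "ssb" { caps = $12; serial = $15; expires = $7; pending = 1; next }
    $1 == "fpr" && pending {
      where = (serial == "" || serial == "+") ? "local" : "card"
      print $10, caps, where, (expires == "" ? "never" : expires)
      pending = 0; next
    }
    { pending = 0 }'
}

# Fingerprint(s) of subkeys held in software that can both sign and encrypt.
local_se_subkey() {
  classify_subkeys | awk '$3 == "local" && $2 ~ /s/ && $2 ~ /e/ { print $1 }'
}

# Latest expiry (epoch seconds) among on-card encryption subkeys, 0 if none.
card_encrypt_expiry() {
  classify_subkeys | awk 'BEGIN { max = 0 }
    $3 == "card" && $2 ~ /e/ && $4 != "never" && $4 > max { max = $4 }
    END { print max + 0 }'
}

# Epoch seconds -> YYYY-MM-DD (UTC) without relying on GNU or BSD `date -d/-r`.
epoch_to_date() {
  awk -v t="$1" 'BEGIN {
    z = int(t / 86400) + 719468
    era = int((z >= 0 ? z : z - 146096) / 146097)
    doe = z - era * 146097
    yoe = int((doe - int(doe / 1460) + int(doe / 36524) - int(doe / 146096)) / 365)
    y = yoe + era * 400
    doy = doe - (365 * yoe + int(yoe / 4) - int(yoe / 100))
    mp = int((5 * doy + 2) / 153)
    d = doy - int((153 * mp + 2) / 5) + 1
    m = mp < 10 ? mp + 3 : mp - 9
    if (m <= 2) y++
    printf "%04d-%02d-%02d\n", y, m, d
  }'
}

# Non-interactive equivalent of the addkey session: a 4096-bit RSA sign+encrypt
# subkey expiring one year after the on-card encryption subkey (or in two years
# if the card has none). Needs the master key's card plugged in; not run here.
add_software_subkey() {
  master="$1"
  card_exp=$(gpg --list-secret-keys --with-colons "$master" | card_encrypt_expiry)
  if [ "$card_exp" -gt 0 ]; then
    expiry=$(epoch_to_date $((card_exp + 365 * 86400)))
  else
    expiry=2y
  fi
  gpg --quick-add-key "$master" rsa4096 sign,encr "$expiry"
}

# Export only the software subkey's secret part (note the trailing "!").
export_software_subkey() {
  fpr=$(gpg --list-secret-keys --with-colons "$1" | local_se_subkey | head -n 1)
  [ -n "$fpr" ] || { echo "no software sign+encrypt subkey found" >&2; return 1; }
  gpg --armor --export-secret-subkeys "${fpr}!"
}

# Usage on a real machine:
#   add_software_subkey A134BA0260D43F8EACC889D994F13532A319EA5D
#   export_software_subkey A134BA0260D43F8EACC889D994F13532A319EA5D | pbcopy
```

Run against the sample listing, `local_se_subkey` returns the lone software subkey `A58B88D1220599B82097CBA30C8C9DD50841A889`, and `card_encrypt_expiry` returns the 2021-01-01 expiry of the on-card `[E]` subkey, so `add_software_subkey` would request an expiry of 2022-01-01. The `!` suffix matters in `export_software_subkey`: without it GnuPG exports every subkey’s secret part it has.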

```
gpg --armor --export-secret-subkeys FINGERPRINTOFSUBKEY!
```

Note the exclamation mark `!` at the end of the fingerprint: it is required to export the private part of just that particular subkey; without it every secret subkey GnuPG holds is exported. The armored block still contains the primary key and the on-card subkeys as stubs without any secret material, which is what `--export-secret-subkeys` is for; you can confirm this with `gpg --list-packets` before pasting the block anywhere.

Pipe the output to `pbcopy` on macOS to copy it to the clipboard (and clear the clipboard once you have pasted it; the block is a private key):

```
gpg --armor --export-secret-subkeys FINGERPRINTOFSUBKEY! | pbcopy
```

Go to your Keybase profile, click on `edit` next to your public key fingerprint and choose “Host an encrypted copy of my private key”, paste in the key and enter your Keybase password to encrypt the key for storage. From now on that password protects the subkey’s private material, so it deserves the same care as the Yubikey PIN. If the subkey or the password is ever compromised, revoke just that subkey with the master key (`revkey` in `gpg --edit-key`) and publish the updated public key again; the keys on the Yubikey are unaffected.

Now you’re able to encrypt and decrypt messages using [the Keybase web UI](https://keybase.io/encrypt#kaspars) or the command-line tool without having to use Yubikey.