diff options
Diffstat (limited to 'manual/basic/generate-key.md')
| -rw-r--r-- | manual/basic/generate-key.md | 203 |
1 files changed, 0 insertions, 203 deletions
diff --git a/manual/basic/generate-key.md b/manual/basic/generate-key.md deleted file mode 100644 index 29d52ca5..00000000 --- a/manual/basic/generate-key.md +++ /dev/null @@ -1,203 +0,0 @@ -# Generate Key Pair & Subkey - -Sure, let's go through the process of generating a key pair and subkeys. - -To generate a key pair using GpgFrontend, follow these steps: - -1. Open GpgFrontend and click on the "Generate Key" button. -2. Fill in the required information, such as your name and email address. -3. Choose the type of key you want to generate (RSA, DSA or ECC). -4. Set the key size and expiration date, if desired. -5. Create a passphrase to protect your private key. -6. Click "Generate" to create your key pair. - -Once your key pair is generated, you can add subkeys to it by following these -steps: - -1. Select the key pair you want to add a subkey to. -2. Click on the "Add Subkey" button. -3. Choose the type of subkey you want to add (encryption, signing, - authentication, or all). -4. Set the subkey size and expiration date, if desired. -5. Create a passphrase to protect your subkey. -6. Click "Add" to create your subkey. - -You can add multiple subkeys to a key pair, each with their own specific -purposes. This allows you to have more control over your key pair's security and -usage. - -## Generate Key Pair - -You can quickly understand the process of generating a key pair by watching the -following animation. - - - -### Name & Email & Comment - -The three fields, including name, email, and comment, are used to help users -differentiate this key pair from other key pairs they may have. Among these -three options, name and email are mandatory, while comment is optional. - -It is important to note that the name should be at least 5 characters long, and -the email should follow the correct format (no actual email account is -required). - - - -### Expiration Date - -Setting an expiration date for the key pair is a way to limit the validity of -the key over time. Once the expiration date is reached, the key can still be -used, but its operations, especially signature operations, will be considered -invalid. By default, GpgFrontend suggests setting the expiration date to two -years after generation, but you can also choose to check the "Never expire" -checkbox to make the key pair permanent. - -It's important to note that this option can be changed at any time after -generation, even after the expiration date has passed, as long as the primary -key still exists. - - - -### Key Size & Algo - -Setting an expiration date for the key pair is a way to limit the validity of -the key over time. Once the expiration date is reached, the key can still be -used, but its operations, especially signature operations, will be considered -invalid. By default, GpgFrontend suggests setting the expiration date to two -years after generation, but you can also choose to check the "Never expire" -checkbox to make the key pair permanent. - -It's important to note that this option can be changed at any time after -generation, even after the expiration date has passed, as long as the primary -key still exists. - - - -### Passphrase - -Setting a password to protect the primary key is crucial in case of a security -breach. If the "Do not set password" checkbox is unchecked, you will be prompted -to enter a password during the key pair generation process. Follow the prompts -to set the password. Once the password is set, whenever you need to use the -primary key for an operation, you will need to enter the password to unlock it -(some systems have a password manager to automate this process). - -However, you can also check the "Do not set password" checkbox to skip setting a -protection password for the primary key. But this is not recommended due to -security concerns. - -### Usage - -When generating a key pair, you can specify the usage for the first subkey, -which is the primary key. There are four options: - - - -- Encryption: Once generated, this key can be used for encryption purposes. - -- Signing: Once generated, this key can be used for signature purposes. - -- Certification: This key can be used to certify or verify other keys. Only the - primary key can have this usage. - -- Authentication: This key can be used for authentication purposes, such as with - SSH keys. - -The third of these four uses (authentication purposes) can only be owned by the -primary key. In addition, some usages are not available when using certain -algorithms for encryption. For example, when the DSA algorithm is selected, the -encryption uses are disabled. - -## Generate Subkey - -It is possible to append subkeys to an existing key pair. The subkey does not -require the input of a name, email, or comment, as the remaining steps are -essentially identical to those for generating a key pair. - - - -### Extra note - -Below are some guidelines that may prove useful in comprehending the -aforementioned concepts and utilizing this tool accurately. - -#### Understanding Primary Keys and Subkeys - -In the realm of cryptography, key management plays a crucial role in ensuring -data security. A key pair consists of a primary key and one or more subkeys, -each serving distinct functions yet working together to secure and manage -digital identities and communications. This structure not only enhances security -but also provides flexibility in key usage and management. - -#### The Role of Primary Key and Subkeys - -- **Primary Key**: The primary key is the cornerstone of your cryptographic - identity. It is used for identity verification, which includes signing other - keys to establish trust. The primary key's signature on a subkey validates the - subkey's association with the identity of the primary key holder. - -- **Subkeys**: Subkeys are associated with the primary key and are used for - encryption and signing documents or messages. Subkeys can be thought of as - extensions of the primary key, each designated for specific tasks. This - separation of duties allows for greater security and operational flexibility. - For example, you can have separate subkeys for signing and encryption. - -#### Advantages of Using Subkeys - -1. **Enhanced Security**: By using subkeys for day-to-day operations, you - minimize the risk associated with key exposure. If a subkey is compromised, - it can be revoked without affecting the primary key or other subkeys, thereby - limiting the potential damage. - -2. **Operational Flexibility**: Subkeys allow for specific roles (e.g., signing, - encryption) to be isolated. This means you can renew or revoke subkeys as - needed without disrupting the overall cryptographic setup. - -3. **Convenient Key Rotation**: Regularly updating keys is a best practice in - cryptography. Subkeys make it easier to rotate keys for signing and - encryption without needing to re-establish the primary key's trust - relationships. - -#### Managing Primary Keys and Subkeys - -- **Secure Storage**: The primary key should be stored in a highly secure - location, preferably offline or in a hardware security module (HSM), to - prevent unauthorized access. This is because the loss or compromise of the - primary key jeopardizes the entire cryptographic framework. - -- **Key Generation and Maintenance**: While tools like GpgFrontend provide - user-friendly interfaces for managing keys, they may lack support for advanced - operations like generating multiple subkeys. Therefore, using the command-line - `gpg` tool for such tasks is advisable. Despite this limitation, GpgFrontend - can play a critical role in monitoring the presence of the primary key, which - is essential for certain operations like adding subkeys or signing other keys. - -- **Revocation and Renewal**: Prepare revocation certificates for your primary - key and subkeys in advance. In case of key compromise or expiration, these - certificates allow you to invalidate the keys, informing others in your trust - network not to use them anymore. - -#### Practical Tips for Effective Key Management - -- **Purpose-Specific Subkeys**: If your primary key was not generated with - certain capabilities (e.g., encryption), you can create a subkey with the - required functionality. This allows the key pair to be used for the intended - cryptographic operations without regenerating the primary key. - -- **Multiple Subkeys for Different Devices**: For users operating across - multiple devices, generating separate subkeys for each device can enhance - security. If one device is compromised, only the subkey on that device needs - to be revoked, leaving the others unaffected. - -- **Backup and Recovery**: Regularly back up your key pair, including the - primary key and all subkeys. Secure backups ensure that you can recover your - cryptographic capabilities even in the event of hardware failure or data loss. - -In summary, understanding and implementing a robust key management strategy, -with a clear distinction between primary keys and subkeys, is essential for -maintaining the integrity and security of cryptographic operations. By adhering -to best practices for key usage, storage, and renewal, users can safeguard their -digital identities and ensure the confidentiality and authenticity of their -communications. |