When you use a third-party application, such as FlowCrypt for sending encrypted content over Google Gmail, you will definitely need to export an encryption- and signature-capable secret key so that it can do the decryption and signing work. However,
Hold your horses! There is a series of steps to take before you expose any secret key, and especially before you touch your master key!
Your highest priority is NEVER REVEAL YOUR PRIMARY KEY'S MASTER KEY UNDER ANY CIRCUMSTANCES! Hence, this section shows you how to create a key that lacks the master key, for third-party applications to consume.
To cover this scenario, we'll create what we call a "secondary key" (not to be confused with a sub-key). This key has both an encryption-capable [E] sub-key and a signing-capable [S] sub-key, but it lacks the certify capability [C] that only the master key carries.
Before we design our key, export the master secret key into a temporary key file. Remember the key's passphrase for later restoration.
Now you can create the new sub-keys for signing and encryption. The minimum is one signing sub-key and one encryption sub-key.
Since creating a proper secondary key is quite troublesome, I would suggest creating one set of these keys per third-party application, so that a compromise of one application never affects the others.
You'll need to delete all other sub-keys until you're left with only the two sub-keys you created earlier.
Now that you can see the shape of your secondary key, change its passphrase to a new one, different from your master passphrase. This new passphrase is for the secondary key only. Do still remember your master passphrase; we need it for restoration later.
This step is optional: if you want to update the key's cipher preferences, such as the preferred encryption algorithm, do it now.
Now delete the master secret key from the keyring. It is safe to do so because you exported it to the temporary key file earlier.
By the time you reach here, your secondary key is ready. Export both the public key and the secret key. I recommend exporting the --armor (ASCII-armored) version, since that is the form most commonly used.
Now that we have our secondary key ready, we need to test it. Delete the existing key from the keyring (you still have it in the files you just exported).
With the keyring empty, try to import the secondary secret key. You need to check a few things:
- a hash (#) symbol after sec on the line for your key with certify capability (the [C] symbol); the # means the primary key's secret part is absent from the keyring, e.g. sec# rsa4096/445AC05FC0F56EA9 2018-09-23 [SC]
- 1 sub-key with signing capability [S]
- 1 sub-key with encryption capability [E]
A full example:
sec# rsa4096/445AC05FC0F56EA9 2018-09-23 [SC]
1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9
uid [ultimate] Jane (Michael) Smith (Personal Individual Identity) <jane.smith@example.com>
ssb rsa4096/226B3ACC3859EF97 2018-09-23 [E]
ssb rsa4096/DFF009F42B8F65F1 2018-09-23 [S]
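As an added example that is not part of the original guide, here is a small POSIX shell check that applies the three conditions above to a gpg --list-secret-keys listing. The listings embedded in it are constructed from the example above; the second one is the same key with the master secret key still present, which the check must reject.

```shell
#!/bin/sh
# Added example (not from the original guide): verify that a listing from
# `gpg --list-secret-keys` describes a proper secondary key, i.e. the primary
# secret key is only a stub (sec#), exactly one sub-key can sign [S], exactly
# one can encrypt [E], and no sub-key can certify [C].
# Usage: gpg --list-secret-keys | check_secondary_key

check_secondary_key() {
  listing=$(cat)
  # `grep -c` prints 0 but exits 1 when nothing matches, hence `|| true`.
  stubs=$(printf '%s\n' "$listing" | grep -c '^sec#' || true)
  full=$(printf '%s\n' "$listing" | grep -c '^sec ' || true)
  # The capability flags are the bracket right after the creation date.
  sign=$(printf '%s\n' "$listing" | grep -c '^ssb .*[0-9] \[[^]]*S[^]]*]' || true)
  encr=$(printf '%s\n' "$listing" | grep -c '^ssb .*[0-9] \[[^]]*E[^]]*]' || true)
  cert=$(printf '%s\n' "$listing" | grep -c '^ssb .*[0-9] \[[^]]*C[^]]*]' || true)

  [ "$full" -eq 0 ]  || { echo "FAIL: full primary secret key present (sec, not sec#)"; return 1; }
  [ "$stubs" -eq 1 ] || { echo "FAIL: expected exactly one sec# stub, found $stubs"; return 1; }
  [ "$sign" -eq 1 ]  || { echo "FAIL: expected one [S] sub-key, found $sign"; return 1; }
  [ "$encr" -eq 1 ]  || { echo "FAIL: expected one [E] sub-key, found $encr"; return 1; }
  [ "$cert" -eq 0 ]  || { echo "FAIL: a sub-key carries certify capability [C]"; return 1; }
  echo "OK: secondary key layout looks right"
}

# Constructed sample listings. The first is the full example from this guide;
# the second is the same key but with the primary secret key still present.
GOOD_LISTING='sec#  rsa4096/445AC05FC0F56EA9 2018-09-23 [SC]
      1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9
uid           [ultimate] Jane (Michael) Smith (Personal Individual Identity) <jane.smith@example.com>
ssb   rsa4096/226B3ACC3859EF97 2018-09-23 [E]
ssb   rsa4096/DFF009F42B8F65F1 2018-09-23 [S]'

BAD_LISTING=$(printf '%s\n' "$GOOD_LISTING" | sed 's/^sec# /sec  /')

printf '%s\n' "$GOOD_LISTING" | check_secondary_key
printf '%s\n' "$BAD_LISTING"  | check_secondary_key || echo "(rejected, as intended)"
```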
Congratulations! You now have the secondary key. You may back up this secondary key in a separate key file for future restoration (just in case).
Now we want to restore our main key. First, delete the existing (secondary) key from the keyring.
Import your main secret key back from the temporary key file, using the original passphrase.
With everything checked, you can safely delete the temporary master secret key file.
Now, whenever you are asked for a secret key, use this secondary secret key instead of the main key. This way you protect your master key from being compromised.
If the secondary secret key is compromised, most often through a security vulnerability in the third-party app, you need to revoke those sub-keys and create a new secondary key set for the application. Revoking a sub-key requires the certify-capable master key, which is exactly why it was kept out of the application's reach. Refer to the revocation guide below, then repeat this entire guide to create a new secondary key.
That's all for deploying GnuPG with a third-party application.