GPG onto Third Party App

Create A Secondary Key

To compensate this scenario, we'll need to create what we call "secondary key" (not to confused with sub-key). This key has both encryption [E] and sign [S] capable sub-keys but with missing certify capability [C].

Export the Master Secret Key

Before we design our key, export the master secret key into a temporary key file. Remember the key's passphrase for later restoration.

Create Necessary Subkey

Now, you can create new subkey like signature or encryption. The minimum is:

1. One signature subkey
2. One encryption subkey

Since creating a proper secondary key is quite troublesome, I would suggest you create these keys 1 set for 1 third-party application.

Delete Unneeded Sub-Key

You'll need to delete all other sub-keys until you're left with the 2 desired subkeys you created earlier.

Change Passphrase

Now that you can see the template of your secondary key, you can configure the passphrase to a new one, different from your master passphrase. This is for secondary key. However, do remember your master passphrase. We need it for restoration later.

Update Encryption Preferences

This is optional. If you want to update your encryption preference such as selecting the encryption algorithm, you can do it now.

Delete The Master Secret Key

Now delete the master secret key.

Export The Public and Secret Keys

By the time you reach here, your secondary key is ready. Export the public and secret key. I recommend you should export --armor version since that is commonly used.

Delete the Secret and Master Key

Now that we have our secondary key ready, we need to test it. You may delete the existing one.

Import the Secondary Secret Key

With the empty space, now try to import secondary secret key. You need to check a few things:

1. It should use the new passphrase instead of your main version.
2. There is a hash (#) symbol for your key with certify capability ([C] symbol).
   • Example: sec# rsa4096/445AC05FC0F56EA9 2018-09-23 [SC]
3. There should be 1 sub-key with signature capability [S] and 1 sub-key with encryption capability [E]

A full example:

sec#  rsa4096/445AC05FC0F56EA9 2018-09-23 [SC]

      1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9

uid                 [ultimate] Jane (Michael) Smith (Personal Individual Identity) <jane.smith@example.com>

ssb   rsa4096/226B3ACC3859EF97 2018-09-23 [E]

ssb   rsa4096/DFF009F42B8F65F1 2018-09-23 [S]

Backup the Secondary Keys

Congratulations! You now have the secondary key. You may backup this secondary key in a separate keyfile for future restoration (just in case).

Delete the Secret and Master Key

Now we want to restore our main key back, delete the existing one.

Import Your Master Secret Key Back

Import your main secret key back from the temporary keyfile. You should be using the original passphrase.

Delete the Master Secret Temporary Keyfile

With everything in check, you can safely delete your master secret key file.

Use the Secondary Secret Key for The Specified 3rd Party Consumption

Now whenever you are requested to use a secret key, you may use this secondary secret key instead of the main key. This way, you protects your key's integrity from being sabotaged.

When to Refresh Secondary Key

When the secondary secret key got compromised, most of the time, via third party app security vulnerability, you need to revoke those subkeys and create a new set of secondary key for them. You can refer to the guide below for revocation while repeat this entire guide again to create a new secondary key.

That's all for deploying GnuPG into 3rd-party application.