Use a GnuPG Primary key from a USB drive

Following this previous post we moved our primary key off the harddrive onto an encrypted USB flash drive for safe keeping. Occasionally we need to use our primary key, for instance to sign other people's public key. So how do we bring our primary key back "online"?

The method described in this post connects the encrypted USB drive containing the primary key with our day-to-day machine. This is a compromise of security for convenience because we expose the primary key to whatever malware may have accumulated on the day-to-day machine. The alternative of booting a Live CD is more secure but very cumbersome.

Signing a key

To demonstrate the use of the primary key stored on the USB drive, we are going to download and sign a public key belonging to Søren Poulsen.

First set a keyserver in the ~/.gnupg/gpg.conf file.

bob@home:~$ vi ~/.gnupg/gpg.conf

Add this line to the file (check there isn't one already) and save the file:

keyserver hkp://keyserver.ubuntu.com

Now let's find the key we want to sign. Open http://keyserver.ubuntu.com in a browser and search for a person named sorentpoulsen (or any other person who's key you want to sign).

The search result shows that the fingerprint of soretpoulsen's public key is BD8F 2EB3 90B0 DACA 99EF 947F 9C35 573B 675E 7FA7. The last eight digits can be used as a key ID when downloading the key to our keyring:

bob@home:~$ gpg --recv-keys 675E7FA7

Insert the encrypted USB key with the GnuPG backup. I'm going to assume the backup folder is now available under /media/myusb/gnupg.

Sign the public key of Søren Poulsen, with --homedir pointing to the USB drive containing the primary private key and --keyfile pointing to the keyring on the harddrive containing the public key of Søren Poulsen:

bob@home:~$ gpg --homedir /media/myusb/gnupg/ --keyring ~/.gnupg/pubring.gpg --sign-key 675E7FA7

Update Søren Poulsen's key on the key server. Skip this last step when you are just testing.

bob@home:~$ gpg --send-keys 675E7FA7