Through this process, I have found GPG to be fairly straight forward, but it may be a bit daunting for some without prior crypto experience. In this short series, I am going to cover basic setup of GPG for encryption and signing. This keypair will consist of subkeys with an offline private master. Once we have a working and secure GPG setup, I will move on to cover password management with pass, as well as GPG based authentication, and ultimately using hardware GPG tokens.
Hopefully this series will be useful to some. As always, I welcome comments, questions, and corrections.
Part I - Key Generation
Note: The example text was sourced from several different key operations on several different keys. The key IDs and fingerprints in the example text may or may not correspond to valid and active keys. My key can be retrieved from sks-keyservers, and it's ID is 86F22317. Please use this key if you need to contact me.
For the sake of paranoia, I will be generating a master key on removable storage. This key will be used to create subkeys for encryption, signing, and authentication, and it will be stored on removable storage in a safe. To begin, you will need some clean removable media. I am using OS X, so my media will be mounted at /Volumes/UNTITLED\ 1/. Feel free to correct this path as appropriate for your environment.
First we will generate the key on the USB storage:
$ gpg --homedir /Volumes/UNTITLED\ 1/ --expert --gen-key
I use expert in this case to open up the option of setting custom capabilities for my keypair. By default, GPG will generate a key that can sign and certify with a separate subkey that can encrypt. I chose to create a master key that could only certify with subkeys that could encrypt and sign:
$ gpg --homedir /Volumes/UNTITLED\ 1/ --expert --gen-key
gpg: WARNING: unsafe permissions on homedir `/Volumes/UNTITLED\ 1/'
gpg (GnuPG) 1.4.20; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: keyring `/Volumes/UNTITLED\ 1/secring.gpg' created
gpg: keyring `/Volumes/UNTITLED\ 1/pubring.gpg' created
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
Your selection? 8
Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Sign Certify Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? s
Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Certify Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? e
Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Certify
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
= key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0) 4y
Key expires at Tue Apr 7 11:05:27 2020 PDT
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter)"
Real name: Peter H. Ezetta
Email address: protocall7@sdf.org
Comment:
You selected this USER-ID:
"Peter H. Ezetta"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.................+++++
.+++++
gpg: /Volumes/UNTITLED\ 1/trustdb.gpg: trustdb created
gpg: key 86F22317 marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2020-04-04
pub 4096R/86F22317 2016-04-08 [expires: 2020-04-07]
Key fingerprint = E1D3 330D 0107 8360 5417 C337 33D5 14D6 86F2 2317
uid Peter H. Ezetta
gpg: WARNING: unsafe permissions on homedir `/Volumes/UNTITLED\ 1/'
gpg (GnuPG) 1.4.20; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: keyring `/Volumes/UNTITLED\ 1/secring.gpg' created
gpg: keyring `/Volumes/UNTITLED\ 1/pubring.gpg' created
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
Your selection? 8
Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Sign Certify Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? s
Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Certify Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? e
Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Certify
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
Key is valid for? (0) 4y
Key expires at Tue Apr 7 11:05:27 2020 PDT
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter)
Real name: Peter H. Ezetta
Email address: protocall7@sdf.org
Comment:
You selected this USER-ID:
"Peter H. Ezetta
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.................+++++
.+++++
gpg: /Volumes/UNTITLED\ 1/trustdb.gpg: trustdb created
gpg: key 86F22317 marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2020-04-04
pub 4096R/86F22317 2016-04-08 [expires: 2020-04-07]
Key fingerprint = E1D3 330D 0107 8360 5417 C337 33D5 14D6 86F2 2317
uid Peter H. Ezetta
At this point, I have generated a new certify only key pair that exists only on the USB stick. Now I will edit the key to add UIDs and subkeys for encryption and signing:
$ gpg --homedir /Volumes/UNTITLED\ 1 --edit-key protocall7@sdf.org
gpg: WARNING: unsafe permissions on homedir `/Volumes/UNTITLED\ 1'
gpg (GnuPG) 1.4.20; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
pub 4096R/DDC547B9 created: 2016-04-08 expires: 2020-04-07 usage: C
trust: ultimate validity: ultimate
[ultimate] (1). Peter H. Ezetta
gpg> addkey
Key is protected.
You need a passphrase to unlock the secret key for
user: "Peter H. Ezetta"
4096-bit RSA key, ID DDC547B9, created 2016-04-08
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
Your selection? 6
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
= key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0) 1y
Key expires at Sat Apr 8 11:12:15 2017 PDT
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
............+++++
.........................+++++
pub 4096R/DDC547B9 created: 2016-04-08 expires: 2020-04-07 usage: C
trust: ultimate validity: ultimate
sub 4096R/3BCD5DA0 created: 2016-04-08 expires: 2017-04-08 usage: E
[ultimate] (1). Peter H. Ezetta
gpg> addkey
Key is protected.
You need a passphrase to unlock the secret key for
user: "Peter H. Ezetta"
4096-bit RSA key, ID DDC547B9, created 2016-04-08
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
= key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0) 1y
Key expires at Sat Apr 8 11:12:43 2017 PDT
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
......+++++
.............+++++
pub 4096R/DDC547B9 created: 2016-04-08 expires: 2020-04-07 usage: C
trust: ultimate validity: ultimate
sub 4096R/3BCD5DA0 created: 2016-04-08 expires: 2017-04-08 usage: E
sub 4096R/A5FA0D33 created: 2016-04-08 expires: 2017-04-08 usage: S
[ultimate] (1). Peter H. Ezetta
gpg> adduid
Real name: Peter H. Ezetta
Email address: protocall7@gmail.com
Comment:
You selected this USER-ID:
"Peter H. Ezetta"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a passphrase to unlock the secret key for
user: "Peter H. Ezetta"
4096-bit RSA key, ID DDC547B9, created 2016-04-08
pub 4096R/DDC547B9 created: 2016-04-08 expires: 2020-04-07 usage: C
trust: ultimate validity: ultimate
sub 4096R/3BCD5DA0 created: 2016-04-08 expires: 2017-04-08 usage: E
sub 4096R/A5FA0D33 created: 2016-04-08 expires: 2017-04-08 usage: S
[ultimate] (1) Peter H. Ezetta
[ unknown] (2). Peter H. Ezetta
gpg> save
Now that the key has been generated on the USB stick, I create a revocation certificate just in case the key is lost of compromised. This certificate should be closely guarded, as it will render the key useless, however you should maintain more than one copy of it in case it is necessary to use it. A paper copy is recommended.
gpg --output /Volumes/UNTITLED\ 1/86F22317-revocation.asc --home /Volumes/UNTITLED\ 1 --gen-revoke protocall7@sdf.org
gpg: WARNING: unsafe permissions on homedir `/Volumes/UNTITLED\ 1'
sec 4096R/DDC547B9 2016-04-08 Peter H. Ezetta
Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
0 = No reason specified
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
Q = Cancel
(Probably you want to select 1 here)
Your decision? 0
Enter an optional description; end it with an empty line:
> Revocation certificate generated at time of key creation. If this certificate is in use, it is likely I have lost access to the secret key.
>
Reason for revocation: No reason specified
Revocation certificate generated at time of key creation. If this certificate is in use, it is likely I have lost access to the secret key.
Is this okay? (y/N) y
You need a passphrase to unlock the secret key for
user: "Peter H. Ezetta"
4096-bit RSA key, ID DDC547B9, created 2016-04-08
ASCII armored output forced.
Revocation certificate created.
Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable. But have some caution: The print system of
your machine might store the data and make it available to others!
The revocation certificate and key-pair exist only on the USB stick. At this point, we need to import the secret subkeys to the local machine (leaving the secret key on the USB stick for safe keeping). This can be done by exporting the secret subkeys, then importing them without --homedir:
$ gpg --homedir /Volumes/UNTITLED\ 1 --export-secret-subkeys protocall7@sdf.org > /Volumes/UNTITLED\ 1/secretsubkeys.gpg
$ gpg --homedir /Volumes/UNTITLED\ 1 --export protocall7@sdf.org > /Volumes/UNTITLED\ 1/publickey.gpg
$ gpg --import /Volumes/UNTITLED\ 1/publickey.gpg
gpg: key DDC547B9: public key "Peter H. Ezetta" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
$ gpg --import /Volumes/UNTITLED\ 1/secretsubkeys.gpg
gpg: key DDC547B9: secret key imported
gpg: key DDC547B9: "Peter H. Ezetta" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1
$ gpg -K
/Users/peter.ezetta/.gnupg/secring.gpg
--------------------------------------
sec# 4096R/DDC547B9 2016-04-08 [expires: 2020-04-07]
uid Peter H. Ezetta
uid Peter H. Ezetta
ssb 4096R/3BCD5DA0 2016-04-08
ssb 4096R/A5FA0D33 2016-04-08
From this, we see that the local copy of GPG has our secret subkeys in it's ring, but the secret key itself is missing (this is evidenced by the # after 'sec'). With the subkeys in place, encryption and signing still work just fine, but if a key needs to be created, revoked, or signed, the USB stick will have to be mounted up and --homedir will need to be added to gpg to point into the backup copy. For demonstration purposes, here is the secret key output using the USB stick. Notice that the secret key is present on this one:
$ gpg --homedir /Volumes/UNTITLED\ 1 -K
gpg: WARNING: unsafe permissions on homedir `/Volumes/UNTITLED\ 1'
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2020-04-07
/Volumes/UNTITLED\ 1/secring.gpg
----------------------
sec 4096R/DDC547B9 2016-04-08 [expires: 2020-04-07]
uid Peter H. Ezetta
uid Peter H. Ezetta
ssb 4096R/3BCD5DA0 2016-04-08
ssb 4096R/A5FA0D33 2016-04-08
In the next part of this series, I will discuss the web of trust and key signing, then introduce Pass, "the UNIX default password manager". Pass is backed by GPG encryption to keep your passwords safe, so now that keys have been set up, we can start using it.
Interesting Reading:
The GNU Privacy Handbook
Into The Void - Creating a new key with subkeys
Debian Wiki - Subkeys
$ gpg --homedir /Volumes/UNTITLED\ 1 --edit-key protocall7@sdf.org
gpg: WARNING: unsafe permissions on homedir `/Volumes/UNTITLED\ 1'
gpg (GnuPG) 1.4.20; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
pub 4096R/DDC547B9 created: 2016-04-08 expires: 2020-04-07 usage: C
trust: ultimate validity: ultimate
[ultimate] (1). Peter H. Ezetta
gpg> addkey
Key is protected.
You need a passphrase to unlock the secret key for
user: "Peter H. Ezetta
4096-bit RSA key, ID DDC547B9, created 2016-04-08
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
Your selection? 6
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
Key is valid for? (0) 1y
Key expires at Sat Apr 8 11:12:15 2017 PDT
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
............+++++
.........................+++++
pub 4096R/DDC547B9 created: 2016-04-08 expires: 2020-04-07 usage: C
trust: ultimate validity: ultimate
sub 4096R/3BCD5DA0 created: 2016-04-08 expires: 2017-04-08 usage: E
[ultimate] (1). Peter H. Ezetta
gpg> addkey
Key is protected.
You need a passphrase to unlock the secret key for
user: "Peter H. Ezetta
4096-bit RSA key, ID DDC547B9, created 2016-04-08
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
Key is valid for? (0) 1y
Key expires at Sat Apr 8 11:12:43 2017 PDT
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
......+++++
.............+++++
pub 4096R/DDC547B9 created: 2016-04-08 expires: 2020-04-07 usage: C
trust: ultimate validity: ultimate
sub 4096R/3BCD5DA0 created: 2016-04-08 expires: 2017-04-08 usage: E
sub 4096R/A5FA0D33 created: 2016-04-08 expires: 2017-04-08 usage: S
[ultimate] (1). Peter H. Ezetta
gpg> adduid
Real name: Peter H. Ezetta
Email address: protocall7@gmail.com
Comment:
You selected this USER-ID:
"Peter H. Ezetta
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a passphrase to unlock the secret key for
user: "Peter H. Ezetta
4096-bit RSA key, ID DDC547B9, created 2016-04-08
pub 4096R/DDC547B9 created: 2016-04-08 expires: 2020-04-07 usage: C
trust: ultimate validity: ultimate
sub 4096R/3BCD5DA0 created: 2016-04-08 expires: 2017-04-08 usage: E
sub 4096R/A5FA0D33 created: 2016-04-08 expires: 2017-04-08 usage: S
[ultimate] (1) Peter H. Ezetta
[ unknown] (2). Peter H. Ezetta
gpg> save
Now that the key has been generated on the USB stick, I create a revocation certificate just in case the key is lost of compromised. This certificate should be closely guarded, as it will render the key useless, however you should maintain more than one copy of it in case it is necessary to use it. A paper copy is recommended.
gpg --output /Volumes/UNTITLED\ 1/86F22317-revocation.asc --home /Volumes/UNTITLED\ 1 --gen-revoke protocall7@sdf.org
gpg: WARNING: unsafe permissions on homedir `/Volumes/UNTITLED\ 1'
sec 4096R/DDC547B9 2016-04-08 Peter H. Ezetta
Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
0 = No reason specified
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
Q = Cancel
(Probably you want to select 1 here)
Your decision? 0
Enter an optional description; end it with an empty line:
> Revocation certificate generated at time of key creation. If this certificate is in use, it is likely I have lost access to the secret key.
>
Reason for revocation: No reason specified
Revocation certificate generated at time of key creation. If this certificate is in use, it is likely I have lost access to the secret key.
Is this okay? (y/N) y
You need a passphrase to unlock the secret key for
user: "Peter H. Ezetta
4096-bit RSA key, ID DDC547B9, created 2016-04-08
ASCII armored output forced.
Revocation certificate created.
Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable. But have some caution: The print system of
your machine might store the data and make it available to others!
The revocation certificate and key-pair exist only on the USB stick. At this point, we need to import the secret subkeys to the local machine (leaving the secret key on the USB stick for safe keeping). This can be done by exporting the secret subkeys, then importing them without --homedir:
$ gpg --homedir /Volumes/UNTITLED\ 1 --export-secret-subkeys protocall7@sdf.org > /Volumes/UNTITLED\ 1/secretsubkeys.gpg
$ gpg --homedir /Volumes/UNTITLED\ 1 --export protocall7@sdf.org > /Volumes/UNTITLED\ 1/publickey.gpg
$ gpg --import /Volumes/UNTITLED\ 1/publickey.gpg
gpg: key DDC547B9: public key "Peter H. Ezetta
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
$ gpg --import /Volumes/UNTITLED\ 1/secretsubkeys.gpg
gpg: key DDC547B9: secret key imported
gpg: key DDC547B9: "Peter H. Ezetta
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1
$ gpg -K
/Users/peter.ezetta/.gnupg/secring.gpg
--------------------------------------
sec# 4096R/DDC547B9 2016-04-08 [expires: 2020-04-07]
uid Peter H. Ezetta
uid Peter H. Ezetta
ssb 4096R/3BCD5DA0 2016-04-08
ssb 4096R/A5FA0D33 2016-04-08
From this, we see that the local copy of GPG has our secret subkeys in it's ring, but the secret key itself is missing (this is evidenced by the # after 'sec'). With the subkeys in place, encryption and signing still work just fine, but if a key needs to be created, revoked, or signed, the USB stick will have to be mounted up and --homedir will need to be added to gpg to point into the backup copy. For demonstration purposes, here is the secret key output using the USB stick. Notice that the secret key is present on this one:
$ gpg --homedir /Volumes/UNTITLED\ 1 -K
gpg: WARNING: unsafe permissions on homedir `/Volumes/UNTITLED\ 1'
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2020-04-07
/Volumes/UNTITLED\ 1/secring.gpg
----------------------
sec 4096R/DDC547B9 2016-04-08 [expires: 2020-04-07]
uid Peter H. Ezetta
uid Peter H. Ezetta
ssb 4096R/3BCD5DA0 2016-04-08
ssb 4096R/A5FA0D33 2016-04-08
In the next part of this series, I will discuss the web of trust and key signing, then introduce Pass, "the UNIX default password manager". Pass is backed by GPG encryption to keep your passwords safe, so now that keys have been set up, we can start using it.
Interesting Reading:
The GNU Privacy Handbook
Into The Void - Creating a new key with subkeys
Debian Wiki - Subkeys
No comments:
Post a Comment