This HOWTO details the process of creating an OpenPGP keypair for use with GnuPG on an airgapped system (using Tails) and exporting the subkeys for day-to-day use. If you would like to export the subkeys to an OpenPGP smartcard, then you should still follow the first part of this guide, and then you will be linked to a second guide to complete the process.

This tutorial is aimed at advanced users! If you are not yet familiar and comfortable with OpenPGP concepts, this may not be for you.


If you are using an OpenPGP smartcard, please check the OpenPGP smartcards page to see if there is any set up required before starting this process.

Configuring your environment

The master key will be generated and only ever used within an airgapped environment. Begin by powering off your computer, removing any network connections and disabling any wireless interfaces if possible. Once you are happy that your machine will not be able to talk to the outside world, proceed to boot from the Tails USB stick.

For the first boot, the default settings are fine. You will need to create a persistent volume on the Tails USB stick and this is where your generated key will be stored. This volume is encrypted and is only decrypted when you enter the passphrase on boot.

To start the persistent volume assistant, choose Applications ▸ Tails ▸ Configure persistent volume. You will need to select GnuPG from the list to ensure that your GnuPG keyrings are stored in the persistent volume.

Once you have entered a passphrase and the persistent volume has been created, you will need to reboot your machine, and boot again from the Tails USB stick. This time when you boot you will be asked for the persistent volume passphrase to unlock and mount it.

You should also select the extra options and set a sudo password if you are using a smartcard to store your subkeys.

Key Generation

Now that you're running Tails and you have your persistent volume set up, you are ready to generate your key. Start by running:

$ gpg2 --full-gen-key

You will be asked what kind of key you would like to generate. Select option 4 for a single sign-only RSA key pair.

Your selection? 4

You will then be asked what key size you would like. You should enter 4096, the preferred keysize by keyring-maint.

What keysize do you want? (2048) 4096

You will then be asked for the length of time the key should remain valid. For a master key, 1 year is a reasonable time. The expiry date can be changed after the key is created and is not fixed, but access to the secret part of the master key is required to do this. This means that there is some weak protection against the loss of both the secret key and any revocation certificates you have as they key will expire and will not be floating around forever.

Key is valid for? (0) 1y
Key expires at a date and time 1 year in the future.
Is this correct? (y/N) y

You will then need to input the information to construct a user ID to identify your key. This information will be used to form the first UID on the key, though more UIDs can be added later.

It is generally a good idea to leave the Comment field blank as when it comes to keysigning, others may not be able to validate what you have placed in the Comment field and thus won't be willing to sign your key.

Here is an example, you should change these details to your own:

Real name: Bob Meowington
Email address:

You will then be asked to review your UID and accept it. If all is good, enter O to continue.

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

You will now be asked to enter a passphrase and then confirm it, and then your key will be created.

Adding Extra UIDs

You'll need to now open the key for editing. Start by running:

gpg2 --expert --edit-key 0xKEYID

For each UID you need to add, use the adduid command:

gpg> adduid

This process is the same as for when you added the first UID. You will be required to enter your passphrase to self-sign each UID as you add them.

Adding Subkeys

You'll need to create at least two, optionally three subkeys. If you're planning to use an OpenPGP smartcard, you may need to create subkeys with a keysize of 2048 instead of 4096 bits. Consult your smartcards documentation to determine the maximum keysize you can use.

To create the encryption and signing subkeys, use the addkey command. Select option 4 for the signing key and option 6 for the encryption key.

gpg> addkey

If you plan to use this key for SSH authentication also, run the addkey command again and select option 8. Toggle the settings until only authentication is selected and this will create a key suitable for use with SSH.

If you've created an authentication subkey, make a note of the ID of the subkey as you will need it later to export a public key for it.

You should now save the changes you have made to the key:

gpg> save

Your key is now created.

Export Revocation Certificate

Insert your second USB stick for storing your revocation certificate. You can generate the revocation certificate with:

gpg2 --gen-revoke 0xKEYID > /media/<usbstick>/revoke.gpg

You'll need to replace 0xKEYID with your master key's ID and <usbstick> with the name of the mountpoint.

Once you've got the revocation certificate saved on the USB stick, eject it and keep it in a safe place.

Export Public Keys

Insert your third USB stick for transferring data to your day-to-day environment. You can export your public key with:

gpg2 --export 0xKEYID > /media/<usbstick>/public.gpg

If you've also created an authentication key, you'll want to export an SSH public key too:

gpgkey2ssh SUBKEYID > /media/<mountpoint>/

You must pass the ID of the subkey not the master key to this program.

Export Secret Keys

If you plan to use a smartcard to hold your secret subkeys, you should now stop following this tutorial and instead start following the instructions on the smartcard subkeys page.

If you're not using a smartcard:

gpg2 --export-secret-subkeys 0xKEYID > /media/<mountpoint>/secret.gpg

The secret key for the master key will not be exported and will only be saved on the airgapped Tails USB stick in the persistent volume.

You can now eject the third USB stick and reboot your machine, ensuring that you remove the Tails USB stick when instructed.

Importing the Public Keys and Private Subkeys

Once logged into your day-to-day environment, insert the USB stick with the public keys and private subkeys. To import the key data:

gpg2 --import < /media/<mountpoint>/public.gpg
gpg2 --import < /media/<mountpoint>/secret.gpg

You will then need to set the trust in your key to ultimate. Run:

gpg2 --edit-key 0xKEYID

Use the trust command to edit the trust level in the key. You don't need to save once the trust-db is updated and you can then quit the GnuPG shell.

Save your SSH public key somewhere, ~/.ssh/ is a suggested location if you do not already have a public key present as tools like ssh-copy-id will be able to take advantage of it there.

Make sure you keep your Tails USB stick and your backup revocation certificate USB stick in a safe place! Without the Tails USB stick you will not be able to change the expiry date of the key, sign other keys or add/revoke subkeys.

See also