Protecting your keypair on a laptop is tricky. On one hand, you need your private key with you to decrypt or sign messages.

On the other hand, if your laptop is stolen then you risk losing your entire online identity, perhaps going back years, because the thief would have access to your private key and could then impersonate you.

You’d think that today, where laptops and world travel are commonplace, there’d be a little more information on how to secure a private key you have to travel with. But I could only find one resource: the Debian Wiki entry on subkeys. Fortunately it turns out this wiki page has exactly the solution we need.

Subkeys help protect your identity in case of private key (laptop) theft

If a thief gets ahold of the laptop with your private key on it, it’s pretty much game over. The thief can not only decrypt messages intended for you, they can also impersonate you by signing messages with your private key. Your only recourse would be to revoke your key, but that would mean losing years of signatures on that key and basically creating a massive inconvenience for yourself.

Part of the answer to this problem is the concept of subkeys. Subkeys can’t prevent a thief from decrypting messages intended for your private key. But they can help mitigate the damage to your identity should your key be lost or stolen.

The concept behind this technique is as follows:

  1. Create a regular GPG keypair. By default GPG creates one signing subkey (your identity) and one encryption subkey (how you receive messages intended for you).
  2. Use GPG to add an additional signing subkey to your keypair. This new subkey is linked to the first signing key. Now we have three subkeys.
  3. This keypair is your master keypair. Store it in a protected place like your house or a safe-deposit box. Your master keypair is the one whose loss would be truly catastrophic.
  4. Copy your master keypair to your laptop. Then use GPG to remove the original signing subkey, leaving only the new signing subkey and the encryption subkey. This transforms your master keypair into your laptop keypair.

Your laptop keypair is what you’ll use for day-to-day GPG usage.

What’s the benefit to this setup? Since your master keypair isn’t stored on your traveling laptop, that means you can revoke the subkeys on your laptop should your laptop be stolen. Since you’re not revoking the original subkey you created in the master keypair—remember, we removed it from our laptop’s keypair—that means you don’t have to create a new keypair and go through the hassle of getting people to sign it again. You’d still have to revoke the stolen subkey, and the thief could still use the encryption subkey to decrypt any messages you’ve already received, but at least the damage done won’t be as catastrophic.

Further intructions in the original post.