|
|
## Requirements
|
|
|
|
|
|
- Meet all [best practices for key holders](best-practices#key-holder)
|
|
|
- Meet all [best practices for generating a new key pair](best-practices#generating-a-new-key-pair)
|
|
|
- The key pair must contain at least one user ID with a valid `<username>@archlinux.org` email address
|
|
|
|
|
|
## Workflow
|
|
|
1. Make sure to read the respective requirements and reach out to fellow team members if something is unclear
|
|
|
2. If not already set up, request an `archlinux.org` email address by opening a ticket in the [infrastructure repository](https://gitlab.archlinux.org/archlinux/infrastructure/)
|
|
|
- Validate you can send and receive mails
|
|
|
3. Generate the key pair
|
|
|
- Boot into a live medium
|
|
|
- Generate a key pair (and revocation certificate) according to the requirements
|
|
|
- `gpg --full-gen-key --expert`
|
|
|
- ECC Curve25519
|
|
|
- Select "ECC and ECC"
|
|
|
- Select "Curve 25519"
|
|
|
- RSA
|
|
|
- Select "RSA and RSA"
|
|
|
- Set keysize to `4096`
|
|
|
- Set subkey keysize to `4096`
|
|
|
- Select an expiration date
|
|
|
- Enter real name: `<first name> <last name>`
|
|
|
- Enter email address: `<user name>@archlinux.org`
|
|
|
- Enter strong password for key pair
|
|
|
4. Backup the key pair and automatically generated revocation certificate according to the requirements
|
|
|
- `gpg --output /mnt/encrypted_backup/secret.key --armor --export-secret-keys`
|
|
|
- `gpg --output /mnt/encrypted_backup/public.asc --armor --export`
|
|
|
- `cp /root/.gnupg/openpgp-revocs.d/*.rev /mnt/encrypted_backup/`
|
|
|
5. Move the key pair to the hardware token (deletes key from local keychain!)
|
|
|
- `gpg --edit-key --expert <key ID>`
|
|
|
- Enter `keytocard` and acknowledge with `y`
|
|
|
- Select "Signature key"
|
|
|
- Move optional subkeys
|
|
|
- Select an optional encryption key (subkey): `key <subkey number>`
|
|
|
- Enter `keytocard` and acknowledge with `y`
|
|
|
- Select "Encryption key"
|
|
|
- Select an optional authentication key (subkey): `key <subkey number>`
|
|
|
- Enter `keytocard` and acknowledge with `y`
|
|
|
- Select "Authentication key"
|
|
|
- Enter `quit` and acknowledge with `y`
|
|
|
6. Upload public key to keyserver infrastructure
|
|
|
- `gpg --keyserver search.keyserver.net --send-key <key ID>` |
|
|
\ No newline at end of file |