GPG-HD is a deterministic full GPG keychain (CA key + 3 subkeys) generator using an input seed such as a BIP-39 phrase. It also automates writing this keychain to Yubikeys and generates public SSH keys. For those who don't want their digital identity to be tied to physical media in case of theft/loss/or electronic failure. This Idea was prompted by electrum, DJB's blog Entropy Attacks, and Arttu Kasvio's deterministic GPG key project.
- gpg
- monkeysphere
- python3-crypto
- python3-pexpect
sudo apt-get install gpg monkeysphere python3-crypto python3-pexpect make
Or if you're really lazy:
make install
(will need sudo elevation)
./gpg-hd -h
./gpg-hd "some awesome BIP-39 seed ..." [--card]
./gpg-hd --name="Satoshi Nakamoto" --email="[email protected]" [--card] "some awesome BIP-39 seed phrase ..."
If the argument --card
is supplied then GPG-HD will attempt to write the three subkeys (Encryption, Auth, Sig) to a card such as a Yubikey.
By default GPG-HD uses 1970-01-1 (Unix epoch of 1 second) to signal a deterministic keychain. Optionally one can over-ride this with --date=unix_time_in_secs
while key expirations are defaulted to 2 years.
Private and Public GPG keychain files + SSH public key are located in the keys
sub-directory.
If on a non-debian system, you can easily test with docker (needs to be installed):
make docker-test
On an airgap machine, use a safe brainwallet such as PortalWallet to generate a BIP-39 phrase:
SEED = portalwallet("satoshi")
SEED="fetch december jazz hood pact owner cloth apart impact then person actual"
./gpg-hd $SEED --name="satoshi" --email="[email protected]"
or
./gpg-hd $SEED --name="satoshi" --email="[email protected]" --card
will create a yubikey (which you can also use for SSH authentication along with the exported SSH key)