Keys
GPG Keys
GPG keys are the foundation of how this password manager keeps your data secure. Every password you store is protected using a pair of cryptographic keys that work together, but serve very different purposes.
Overview of GPG Keys
Public Keys
A public key is used to encrypt your passwords. Think of it as a lock that anyone is allowed to use. You can share your public key freely—other tools or devices can use it to encrypt data that only you will be able to unlock later. Sharing it does not expose any sensitive information.
Private Keys
A private key is used to decrypt your passwords. This is the key that actually unlocks your encrypted data. Because it grants access to everything you protect with GPG, it must be kept extremely secure. Treat your private key with the same level of care you would give to your car keys or credit card. Losing control of it means losing control of your encrypted information.
Together, these two keys enable secure, end‑to‑end protection of your passwords without ever exposing the sensitive parts of your encryption setup.
A GPG key is made up of one or more subkeys, each responsible for a specific task (e.g. authentication, signing or encryption). More on subkeys below, where we discuss moving keys to smartcards and YubiKeys.
Generating GPG Keys
There are several ways to create GPG keys. On Windows, for example, GPG4Win provides graphical tools that many users find convenient. However, this guide focuses on the terminal method, since it works the same way across all major operating systems.
Open a terminal. Any shell works: Bash, Zsh, PowerShell, or your OS’s built‑in terminal.
gpg --full-generate-key
You can safely follow the recommended defaults as you move through the prompts.
When entering your Real Name, choose something meaningful. It doesn’t need to be your full legal name, but it should be something you’ll recognise as belonging to you.
For password‑management purposes, you do not need to enter an email address, if you don't want to.
Below is an example of what the interactive process looks like:
gpg (GnuPG) 2.4.4; Copyright (C) 2024 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(9) ECC (sign and encrypt) *default*
(10) ECC (sign only)
(14) Existing key from card
Your selection?
Please select which elliptic curve you want:
(1) Curve 25519 *default*
(4) NIST P-384
(6) Brainpool P-256
Your selection?
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: H
E-mail address:
Comment:
You selected this USER-ID:
"H"
Change (N)ame, (C)omment, (E)-mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilise the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilise the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
Once your key has been created, you can view it with gpg -K (short for gpg --list-secret-keys, which is the listing shown below); gpg --list-public-keys shows only the public half:
gpg -K
sec ed25519 2025-12-12 [SC]
32C507977CDBCA9C4356463F469AC6E622852041
uid [ultimate] H
ssb cv25519 2025-12-12 [E]
Linking GPG Keys to Passwords
From the output of gpg -K you'll be able to find the key ID.
In the example above, the Key ID is 32C507977CDBCA9C4356463F469AC6E622852041
This GPG Key ID is the value entered in the Key List dialog box after pressing the Link Key button.
Your GPG keys are never stored in Passwords. They are only linked so that the encryption process is less error prone: linking stops you from encrypting with the wrong key(s). Your GPG keyring may have many keys in it, but only linked keys will appear in Passwords.
You may link as many GPG Keys to Passwords as you like. But remember:
- You must also have the private key in your GPG keyring in order to decrypt the password.
- You will also need any passphrase you set in order to decrypt passwords.
Backing Up GPG Keys
You should never risk losing your GPG keys—especially your private key. It cannot be recreated or recovered. Without it, you will never be able to decrypt your passwords again. This isn’t a matter of difficulty or cost; it is mathematically impossible for anyone—individuals, companies, or governments—to break this encryption with current technology.
To make an ASCII-armoured backup of your key (the secret key export also contains the public key), run:
gpg --armor --export-secret-keys KEYID > full-backup.asc
Store the resulting file, full-backup.asc, offline and securely. Many people keep multiple backups in different safe locations. Some even print the key as a paper backup, though this approach comes with its own risks and should be considered carefully.
Cards and Yubikeys
You can move your GPG subkeys onto a YubiKey or any other compatible smartcard device. Once moved, the private subkeys live only on the device, adding an extra layer of security to your passwords. With this setup, you must physically have the device and know your passphrase in order to decrypt passwords.
To move a key onto a Yubikey or similar:
gpg --edit-key KEYID
# select the encryption subkey (it is labelled usage: E);
# "key N" picks the N-th subkey in the listing, so use the number
# shown for your encryption subkey (it is 2 in this example)
key 2
keytocard
# choose the encryption slot if prompted
save
- Once moved, subkeys cannot be extracted back from the YubiKey.
- Always ensure you have a secure backup of your public and private keys before moving anything.
- You can repeat the same process to move other subkeys (e.g., signing or authentication) to their respective slots.
If you move your subkey onto a YubiKey, you will be prompted to insert the YubiKey and enter the passphrase when trying to decrypt passwords.
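As an added example (not code from Passwords or GnuPG), the following Python parser reads the machine-readable gpg -K --with-colons listing and pulls out the two values this page asks for: the fingerprint to enter after Link Key, and the subkey number to give "key N" before keytocard. The sample listing is constructed to match the key shown above; the subkey's key ID and fingerprint, the keygrips and the timestamps are placeholders.

```python
# Constructed sample of `gpg -K --with-colons` output matching the key on this
# page: ed25519 [SC] primary, one cv25519 [E] subkey, uid "H".  The subkey's
# key ID/fingerprint, the keygrips and the timestamps are placeholder values.
SAMPLE_LISTING = """\
sec:u:255:22:469AC6E622852041:1765497600:::u:::scESC:::+:::ed25519:::0:
fpr:::::::::32C507977CDBCA9C4356463F469AC6E622852041:
grp:::::::::0000000000000000000000000000000000000000:
uid:u::::1765497600::1111111111111111111111111111111111111111::H::::::::::0:
ssb:u:255:18:2222222222222222:1765497600::::::e:::+:::cv25519::
fpr:::::::::2222222222222222222222222222222222222222:
grp:::::::::3333333333333333333333333333333333333333:
"""


def parse_listing(text):
    """Return a list of keys, each with fingerprint, uids and numbered subkeys.

    --with-colons fields (1-based): 1 record type, 5 key ID, 10 fingerprint
    (fpr records) or user ID (uid records), 12 capabilities (lowercase letters
    are the key's own), 15 token serial for sec/ssb ('+' = secret in keyring).
    """
    keys, holder = [], None  # holder: the record the next 'fpr' line describes
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("sec", "pub"):
            holder = {"keyid": f[4], "caps": f[11], "fingerprint": None,
                      "uids": [], "subkeys": []}
            keys.append(holder)
        elif not keys:
            continue  # header lines before the first key record
        elif f[0] == "fpr":
            holder["fingerprint"] = f[9]
        elif f[0] == "uid":
            keys[-1]["uids"].append(f[9])
        elif f[0] in ("ssb", "sub"):
            serial = f[14] if len(f) > 14 else ""
            holder = {"index": len(keys[-1]["subkeys"]) + 1, "keyid": f[4],
                      "caps": f[11], "fingerprint": None,
                      "on_card": serial not in ("", "+", "#")}  # moved via keytocard
            keys[-1]["subkeys"].append(holder)
    return keys


def link_key_id(key):
    """The identifier to enter after Link Key: the primary key's full fingerprint."""
    return key["fingerprint"]


def encryption_subkey_index(key):
    """N to type as `key N` in --edit-key: the first subkey able to encrypt ('e')."""
    for sub in key["subkeys"]:
        if "e" in sub["caps"]:
            return sub["index"]
    raise ValueError("no encryption subkey: this key cannot protect passwords")
```

Feed it the real output of gpg -K --with-colons to confirm which subkey carries usage E before running keytocard; on a key that cannot encrypt it raises instead of guessing.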
Further Reading
There are several well‑regarded resources for learning more about GPG. The primary reference is the GNU Privacy Handbook, available at: https://www.gnupg.org/gph/en/manual.html
Another excellent resource is Riseup’s OpenPGP Best Practices, which provides practical, security‑focused guidance: https://help.riseup.net/en/security/message-security/openpgp/best-practices