As mentioned earlier, this is an article in which I’ll mention how my GPG keys are set up.

Master Key

My master key is generated and used on an air-gapped old laptop running a Tails OS live USB. The key never left the device except for a few CD and Paperkey encryped backups.


The subkeys (i.e. for code signing, email encryption, …etc) are generated on the air gap, encrypted with a random passphrase, and made into Data Matrix patterns via dmtx-utils. The matrices are then read by my smartphone and copied to my main box running Qubes OS via a USB drive. The data is copied from the UsbVm to a network-less VM, where its SHA512 checksum is compared and the content decrypted. The keys are then moved to corresponding vault VMs, and are later used via Split GPG.

Note that due to the reasons mentioned here, the keys use empty passphrases.

Public Key Distribution

The following are the places where I share my public keys. Note that if you’re verifying this blog, you should not trust the list blindly since an attacker messing around with the blog can always modify the list.