GPG Like A Ghost

signals.jpg

In the shadows, your keys are not just tools.
They are silent guardians - your signature, your protection.

Ghost-level OPSEC is a life style.

  • The master key lives offline, unseen, untouchable.
  • Subkeys move in the world, doing your bidding without exposing your heart.

Install GPG

sudo apt install gnupg2

No network whispers. Only the tool. Only control.

Forge the Master Key

gpg --full-gen-key
  • RSA, 4096 bits.
  • Expiration is protection.
  • Identity: Ghost Operator.
  • Comment: Silent operations.
  • Email: optional, OPSEC-friendly.
  • Passphrase: a vault in words.

Record it in KeepassXC. Offline. Hidden.

Establish Absolute Trust

Trust nothing. Except yourself. 

gpg --edit-key ghost@silent.org
  • In gpg prompt: trust.
  • Level 5.
  • save.

Subkeys: The Shadows You Send Out

Master key sleeps. Subkeys act. 

gpg --edit-key ghost@silent.org
  • addkey
  • Type: sign or encrypt.
  • 4096 bits.
  • Expiration.
  • save

View your sentinels: 

gpg --list-secret-keys ghost@silent.org

sec   rsa4096 2025-11-12 [SC] [expires: 2026-11-12]
      ABCD1234ABCD1234ABCD1234ABCD1234ABCD1234
uid           [ultimate] Ghost Operator (Silent Ops)  
ssb   rsa4096 2025-11-12 [E] [expires: 2026-11-12]
ssb   rsa4096 2025-11-12 [S] [expires: 2026-11-12]

Subkeys carry your work.

  • [E] for encryption.
  • [S] for signing.

Passphrase?
It belongs to the master. They never have their own.

Backup the Master

Offline. Locked. Sealed. 

gpg --armor --export-secret-keys ghost@silent.org > master_key.asc

Symmetric armor: 

gpg -c master_key.asc

Keep this in multiple secure places.
Test restore in a VM.
Only then, delete the master from active machines.

Backup Subkeys

Subkeys move, master sleeps. 

gpg --armor --export-secret-subkeys ghost@silent.org > subkeys.asc

gpg -c subkeys.asc

Secure backups.
Offline and online.
Redundancy is survival.

Remove Master from Active Machine

gpg --delete-secret-and-public-keys ghost@silent.org

Offline. Always. The guardian sleeps.

Deploy Subkeys on Clients

Subkeys act. Master remains unseen. 

gpg --import subkeys.asc

Capabilities:

  • Encrypt your data.
  • Decrypt with privacy.
  • Sign your work.

Check deployed subkeys: 

gpg --list-secret-keys --keyid-format LONG ghost@silent.org

sec#  rsa4096/DEADBEAFDEADBEAF 2025-11-12 [SC] [expires: 2026-11-12]
      ABCD1234ABCD1234ABCD1234ABCD1234ABCD1234
uid                 [ unknown] Ghost Operator (Silent Ops)  
ssb   rsa4096/FEEDC0DEFEEDC0DE 2025-11-12 [E] [expires: 2026-11-12]

sec# = master not present. Subkeys alone.

Only the master can reshape the shadows.

Backup Strategy

  1. Master key
    • USB (LUKS, offline)
    • Encrypted cloud (symmetric, e.g. ProtonPass)
  2. Subkeys
    • Offline vault (KeepassXC)
    • Encrypted cloud (ProtonDrive)
    • Subkeys are managed via the master; the master remains sealed when not actively needed.

Overhead is minimal.
Control is total.
Subkeys can be restored without touching the sleeping master.

[ Fear the Silence. Fear the Switch. ]