The Ultimate GPG Key: Generated With a Trezor Wallet

Using a Trezor Wallet for GPG Key Generation

The Trezor wallet, renowned for its robust security, also serves as a tool for GPG key generation. As stated in the Trezor wiki:

“GPG Trezor integration provides users with capabilities to sign emails, git commits, and software packages, manage passwords, authenticate web tunnels or file transfers, encrypt files, and more.”

The generated GPG keys reside on the Trezor device, so no private key ever has to be decrypted with a passphrase on your computer. If the device is stolen or damaged, the same keys can be restored on a new device from the recovery seed.

Objectives

  1. Generate a primary key pair using a Trezor wallet
  2. Utilize modern and robust cryptography: ed25519 for signing and authentication, and Curve25519 for encryption
  3. Add multiple UIDs to our key pair for each email address
  4. Include an ID photo within our GPG key
  5. Distribute our key pair onto widely used key servers

Requirements

  • gpg2
  • trezor-gpg

Thoroughly read the official documentation from Trezor and the developer of the GPG agent to understand its workings, benefits, and associated precautions.

Trezor wiki

GPG agent on Github

Key Pair Generation with Trezor Wallet

The private key is derived from the wallet’s seed and never leaves the Trezor, so the device acts like a GPG smart card. This is significantly more secure than storing your private key on disk, where it is exposed to theft and compromise.

Generate keys for your primary identity associated with a primary email address using this command:

trezor-gpg init "Your Name <email@domain.com>" -v -e ed25519

Environment Setup

At this point the keys are stored in the directory ~/.gnupg/trezor. To make gpg2 use them, point it at that directory with the GNUPGHOME environment variable. Make the change permanent by adding the export command to your shell’s configuration file (.bashrc or .zshrc).

export GNUPGHOME=~/.gnupg/trezor
echo "export GNUPGHOME=~/.gnupg/trezor" >> ~/.zshrc

Adding Additional UIDs

If you use several email addresses, add each one as an additional UID on the same key pair instead of generating and publishing a new key pair for every address.

gpg2 --edit-key "Your Name"
gpg> adduid
Real name: Your Name
Email address: other_email@domain.com
Comment: 
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
gpg> save

Marking Primary UID

Select the UID to be marked as primary.

gpg> uid 1
gpg> primary
gpg> save

Adding a Photo to Key Pair

Adding a photo to your key pair can make you easier to identify, especially when others cross-sign your key. Use the recommended size of 240 x 288 pixels, convert the photo to JPEG, and keep the file under 32 KB for compatibility with older GPG implementations.

gpg2 --edit-key "Your Name"
gpg> addphoto
Enter JPEG filename for photo ID: /path/to/photo.jpg
Is this photo correct (y/N/q)? y
gpg> save
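The three interactive gpg> sessions above (adduid, primary and addphoto) can be scripted. The following is an added example, not code from the original post or from the trezor-agent project: it uses GnuPG’s --quick-add-uid and --quick-set-primary-uid commands (GnuPG 2.1.20 or later) in place of adduid/primary, feeds the addphoto answers through --command-fd, and first checks the photo file against the JPEG and 32 KB limits given above. It assumes GNUPGHOME already points at the Trezor key directory and that the Trezor agent handles the on-device signing confirmations; the names, email addresses and /path/to/photo.jpg are placeholders, and nothing touches a key unless TREZOR_GPG_APPLY is set.

```shell
#!/bin/sh
# Added example (not from the original post or the trezor-agent project).
# Scripted form of the adduid / primary / addphoto steps, with a pre-check
# of the photo file. Assumes GNUPGHOME points at the Trezor key directory.

# Return 0 if FILE starts with the JPEG magic bytes (FF D8 FF) and is
# smaller than 32 KB, the limit the post gives for older GPG builds.
photo_precheck() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    magic=$(head -c 3 "$file" | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "ffd8ff" ] || { echo "not a JPEG (magic $magic): $file" >&2; return 1; }
    size=$(wc -c < "$file" | tr -d ' ')
    [ "$size" -lt 32768 ] || { echo "photo is $size bytes, limit is 32768" >&2; return 1; }
    return 0
}

# Add a second UID and keep the original one primary, without the
# interactive gpg> prompt. Both --quick-* commands need GnuPG >= 2.1.20;
# the new self-signatures are confirmed on the Trezor.
add_uid_and_keep_primary() {
    key=$1        # existing user ID or fingerprint that selects the key
    new_uid=$2    # e.g. "Your Name <other_email@domain.com>"
    primary=$3    # the UID that should remain primary
    gpg2 --quick-add-uid "$key" "$new_uid" &&
    gpg2 --quick-set-primary-uid "$key" "$primary"
}

# Attach the photo once the pre-check passes. addphoto has no --quick form,
# so the answers to its prompts are supplied on stdin via --command-fd 0.
add_photo() {
    key=$1
    photo=$2
    photo_precheck "$photo" || return 1
    printf 'addphoto\n%s\ny\nsave\n' "$photo" |
        gpg2 --batch --command-fd 0 --status-fd 2 --edit-key "$key"
}

# Only act on a real key when explicitly asked, so sourcing this file for
# the functions alone has no side effects.
if [ -n "${TREZOR_GPG_APPLY:-}" ]; then
    add_uid_and_keep_primary "Your Name" \
        "Your Name <other_email@domain.com>" \
        "Your Name <email@domain.com>"
    add_photo "Your Name" /path/to/photo.jpg
fi
```

Run it as `TREZOR_GPG_APPLY=1 sh add-uids.sh` after editing the placeholder names; the Trezor will ask you to confirm each signature it makes. photo_precheck only looks at the magic bytes and the byte count, so the 240 x 288 pixel recommendation still has to be checked with your image tool.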

Making Your Key Publicly Accessible

Now that your key pair has been finely tuned, it’s time to disseminate it so others can use it to verify your identity and send you encrypted messages. A popular way to achieve this is by uploading your key to a key server that distributes PGP keys.

There are several reliable key servers you could consider for this purpose:

  • MIT Key Server: pgp.mit.edu
  • OpenPGP Key Server: keys.openpgp.org
  • Ubuntu Key Server: keyserver.ubuntu.com
  • SKS Keyservers: hkps.pool.sks-keyservers.net

The MIT server is a widely respected option, given its longevity and the fact that many other servers synchronize with it. The Ubuntu and OpenPGP servers are among the newer ones and also come highly recommended. SKS Keyservers is another robust choice; many other servers synchronize with it as well.

To upload your key to one of these servers, run the following command, replacing “keyserver-address” with the address of your chosen server and “key-fingerprint” with your key’s fingerprint. --send-keys expects a key ID or fingerprint rather than a name (gpg2 reports “not a key ID: skipping” otherwise), so look the fingerprint up first with gpg2 --list-keys "Your Name":

gpg2 --keyserver hkps://keyserver-address --send-keys key-fingerprint

Executing this command will publish your key to the server, making it publicly accessible for anyone who wants to communicate securely with you.
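Looking the fingerprint up by hand each time is error-prone, and uploading the wrong key is not reversible on most key servers. The following added example (not code from the original post) resolves a user ID to the primary key’s fingerprint from gpg2’s machine-readable listing (--with-colons, where “fpr” records carry the fingerprint in field 10) and then publishes exactly that key. The listing can also be read from stdin so the parser can be exercised without gpg2 or a Trezor; the user ID and server name are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Resolve a user ID to the
# primary key fingerprint and publish that key, rather than passing a name
# to --send-keys.

# Print the fingerprint of the first primary key whose user ID contains $1.
# With "-" as $2 the colon-delimited listing is read from stdin instead of
# being produced by gpg2, which allows offline testing of the parser.
fingerprint_for() {
    pattern=$1
    if [ "${2:-}" = "-" ]; then
        listing=$(cat)
    else
        listing=$(gpg2 --with-colons --list-keys "$pattern") || return 1
    fi
    # In --with-colons output each "pub" record is followed by one "fpr"
    # record for the primary key, then the "uid" records, then "sub"/"fpr"
    # pairs for subkeys. Remember the first fpr after each pub and print it
    # when a matching uid appears; subkey fingerprints are never chosen.
    printf '%s\n' "$listing" | awk -F: -v pat="$pattern" '
        $1 == "pub"                 { cur = ""; next }
        $1 == "fpr" && cur == ""    { cur = $10; next }
        $1 == "uid" && index($10, pat) { print cur; exit }
    '
}

# Publish the key matching user ID $2 to key server $1 over HKPS.
publish_key() {
    server=$1
    fpr=$(fingerprint_for "$2") || return 1
    [ -n "$fpr" ] || { echo "no key matches: $2" >&2; return 1; }
    echo "publishing $fpr to $server" >&2
    gpg2 --keyserver "hkps://$server" --send-keys "$fpr"
}

# Only contact a key server when explicitly asked.
if [ -n "${TREZOR_GPG_APPLY:-}" ]; then
    publish_key keys.openpgp.org "Your Name <email@domain.com>"
fi
```

Matching on the full “Name <email>” string rather than just the name avoids picking up a different key that happens to share your name in the keyring.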

Key Revocation Certificate

Create a revocation certificate for your key pair. This certificate is used to revoke your key pair in case it’s lost, stolen, or compromised.

gpg2 --output revoke.asc --gen-revoke "Your Name"

Store this certificate in a secure location, separate from the Trezor and its recovery seed. Anyone who obtains it can revoke your key, so treat it as sensitive material.

That’s all!

You now have a highly secure GPG key pair, generated on your Trezor wallet, enriched with multiple UIDs, and even a personal photo for easy identification.