key management – How can I store and manage my GPG key pair securely?

I’ve taken measures and thoughts on how to securely store and manage my key pair. In the process of it a few questions arose, which I’m not capable of answering yet. My key pair will be used to encrypt passwords and documents of banks, insurances, invoices, photos and the like. All this data is not publicly available. It is stored in a cloud with password restricted access. I’m evaluating right now, which one fits best.

This is how I set up my key pair:

# Generated a key pair in the past, following general tutorials
gpg> list
sec rsa2048/9AB628FC04C23871
    created: 2019-02-29 expires: 2022-02-29 usage: SC
    trust: ultimate    validity: ultimate
ssb rsa2048/17832C40CF826BA9
    created: 2019-02-29 expires: 2022-02-29 usage: E
( ultimate ) (1). Thomas Kelly <>

> gpg --list-keys --with-fingerprint
pub    rsa2048 2019-02-29 (SC) (expires: 2022-02-29)
       B69A 8371 FC28 402C C204 82CF 7138 A96B B8F4 C87A
uid         ( ultimate ) Thomas Kelly <>
sub    rsa2048 2019-02-29 (E) (expires: 2022-02-29)

> fdisk /dev/sdb # n, 2048, +2G, w
> cryptsetup open --type plain -d /dev/urandom /dev/sdb1 data
> dd if=/dev/zero of=/dev/mapper/data status=progress bs=1M
> cryptsetup close data
> cryptsetup luksFormat /dev/sdb1 # pw ...
> sudo cryptsetup open /dev/sdb1 data
> mkfs.ext4 /dev/mapper/data

Then I went on and exported my keys towards this device, I’ve created. After I got used to it, that private keys are always a little bit different from another and you can’t export your sub-public key, the following questions remained:

  1. Are both of the following commands returning the ssb key (17832C40CF826BA9)?
gpg --export-secret-keys 17832C40CF826BA9
gpg --export-secret-subkeys 9AB628FC04C23871
  1. Is it fine to remove the key 9AB628FC04C23871 from my system, after I backed it up on the drive, created above?

  2. Should I save a revocation certificate with it?

  3. This key pair once expired and I changed the expire date. I can’t remember correctly, but I’ve found two additional certificates lying around that seem to be these old expires certificates. I’ve read that the process of changing the expiring value creates new certificates. Can you confirm this?

  4. I want to have two certificate stores like this on different locations. I’d renew the key on a yearly base. Should I use paperkey or the same digital method above?