Amrith Vengalath

How to create a GPG key pair


There are many uses for GPG: signing and encrypting email, signing git commits, the Linux password store (pass), using gpg-agent as an SSH agent, and so on.

This is similar to creating an SSH key: you choose a key size, specify an identifier, and set a passphrase. There will be a public key (which you share with everyone) and a private key (which you keep secret and store securely).

Here we will create a master (primary) key with only the Certify capability, and then subkeys to Sign, Encrypt and Authenticate.

Generating the master key

For this key we only want the Certify capability. The master key is used only to create, and later extend or revoke, the subkeys that carry the Sign, Encrypt and Authenticate capabilities; that is what lets you keep the master key offline while the subkeys do the daily work.

Run the following command in your terminal to begin

gpg --full-generate-key --expert

Now type 8 to select the option – RSA (set your own capabilities)

amrith@V ~ % gpg --full-generate-key --expert
gpg (GnuPG/MacGPG2) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory '/Users/amrith/.gnupg' created
gpg: keybox '/Users/amrith/.gnupg/pubring.kbx' created
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(9) ECC and ECC
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(13) Existing key
(14) Existing key from card
Your selection? 8

Now type S to disable the sign capability for the key.

Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Sign Certify Encrypt

(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished

Your selection? S

Now type E to disable the encrypt capability for this key.

Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Certify Encrypt

(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished

Your selection? E

Now type Q to quit the toggle process and continue.

Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Certify

(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished

Your selection? Q

Enter the desired key size for your master key.

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits

Set the expiration for your master key.

Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Fri Jun 24 14:13:15 2022 IST
Is this correct? (y/N) y

Construct your user ID (input your full name and email, leave the comment empty). Then type O to complete.

GnuPG needs to construct a user ID to identify your key.

Real name: Amrith Vengalath
Email address: [email protected]
Comment:
You selected this USER-ID:
"Amrith Vengalath <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?

Enter a passphrase for your master key.

┌──────────────────────────────────────────────────────┐
│ Please enter the passphrase to │
│ protect your new key │
│ │
│ Passphrase: ****************************** │
│ │
│ <OK> <Cancel> │
└──────────────────────────────────────────────────────┘

If you did the above steps correctly, you should see output like the following.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /Users/amrith/.gnupg/trustdb.gpg: trustdb created
gpg: key ED15BADA58E13002 marked as ultimately trusted
gpg: directory '/Users/amrith/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/Users/amrith/.gnupg/openpgp-revocs.d/C1B6013E0F6B140F876C4AE5ED15BADA58E13002.rev'
public and secret key created and signed.

pub rsa4096 2021-06-24 [C] [expires: 2022-06-24]
C1B6013E0F6B140F876C4AE5ED15BADA58E13002
uid Amrith Vengalath <[email protected]>

Store the revocation certificate (the .rev file GPG just created) somewhere safe and offline, for example on a USB drive kept apart from the key itself. Anyone who obtains it can revoke your key, and you will need it if you ever lose access to the master key or its passphrase.

Generate Sign, Encrypt and Authentication subkeys

You may create three subkeys: one to sign (S), one to encrypt (E), and one to authenticate (A).

Run this command to edit your key. Replace Amrith with your user ID, email address or key ID.

amrith@V ~ % gpg --expert --edit-key Amrith
gpg (GnuPG/MacGPG2) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2022-06-24
sec rsa4096/ED15BADA58E13002
created: 2021-06-24 expires: 2022-06-24 usage: C
trust: ultimate validity: ultimate
[ultimate] (1). Amrith Vengalath <[email protected]>

In the GPG console prompt, specify that you want to add a new key for that master key.

gpg> addkey

Select the "set your own capabilities" option (type 8).

Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(12) ECC (encrypt only)
(13) Existing key
(14) Existing key from card
Your selection? 8

From here you can go either way. If you want a single subkey with Sign, Encrypt and Authenticate capabilities, type A to toggle on Authenticate (Sign and Encrypt are already enabled by default). If you prefer one subkey per capability, type E to turn off Encrypt and create a sign-only subkey, then repeat addkey to create separate Encrypt and Authenticate subkeys. Separate subkeys let you rotate or revoke one capability without touching the others.

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt

(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished

Your selection? A

Type Q to continue the process.

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt Authenticate

(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished

Your selection? Q

Input the desired key size for the subkey.

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits

Set the expiration for the subkey.

Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Fri Jun 24 14:17:16 2022 IST
Is this correct? (y/N) y
Really create? (y/N) y

Enter the passphrase for the master key (the one you set during primary key generation). You should get this result.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

sec rsa4096/ED15BADA58E13002
created: 2021-06-24 expires: 2022-06-24 usage: C
trust: ultimate validity: ultimate
ssb rsa4096/99067D8DFE5EF249
created: 2021-06-24 expires: 2022-06-24 usage: SEA
[ultimate] (1). Amrith Vengalath <[email protected]>

Save and exit

gpg> save

Now if you list your keys you will also see a subkey (sub) with SEA capabilities (Sign – Encrypt – Authenticate). You may instead use separate subkeys for signing, encryption and authentication. Note that you are not limited to one encryption-capable subkey: GnuPG allows several, and when encrypting it picks the newest valid one by default.

amrith@V ~ % gpg --list-keys
/Users/amrith/.gnupg/pubring.kbx

---

pub rsa4096 2021-06-24 [C] [expires: 2022-06-24]
C1B6013E0F6B140F876C4AE5ED15BADA58E13002
uid [ultimate] Amrith Vengalath <[email protected]>
sub rsa4096 2021-06-24 [SEA] [expires: 2022-06-24]

Export the secret key and store it somewhere safe

You should export the secret keys and store them somewhere safe, preferably on an offline medium, and never share them with anyone. This backup is the only copy of the certify key once you remove it from this machine below, and you will need it to add new subkeys or extend their expiry later.

gpg -o private-key.gpg --export-secret-keys Amrith

Replace Amrith with your user ID, email address or key ID.

Now export the secret subkeys.

gpg -o secret-sub.key --export-secret-subkeys Amrith

Delete the secret keys and import only the secret subkeys on the device you use day to day. Check first that the full export from the previous step exists and can be read back: --delete-secret-key removes the secret material of the primary key and of every subkey, so the backup is all that is left of the certify key.

gpg --delete-secret-key Amrith

gpg --import secret-sub.key

v@v ~ % gpg -K
/Users/v/.gnupg/pubring.kbx

---

sec# rsa4096 2021-02-07 [SC] [expires: 2031-02-07]
10B0C3E9867BC44CDA48690C8678CFE303EBDB52
uid [ultimate] Amrith P. Vengalath <[email protected]>
ssb rsa4096 2021-02-09 [S] [expires: 2023-02-09]
ssb rsa4096 2021-02-07 [E] [expires: 2023-02-09]
ssb rsa4096 2021-02-10 [A] [expires: 2023-02-10]

If only the subkeys are imported you will see sec# instead of sec when you list the secret keys; the # marks a primary key whose secret part is not present on this machine. (The listing above comes from a different keyring than the one generated earlier, one with separate S, E and A subkeys.)
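The whole procedure from this post, certify-only master key, S/E/A subkeys, export, delete and re-import, followed by the sec# check, as an unattended shell script. This is an added example, not the author's code: it uses GnuPG's --quick-generate-key and --quick-add-key instead of the interactive --full-generate-key and --edit-key menus shown above, runs in a throwaway GNUPGHOME so your real keyring is untouched, and the user ID, passphrase and KEY_ALGO variable are placeholders you would change.

```shell
#!/bin/sh
# Added example, not code from the original post: the interactive steps above
# done unattended with GnuPG's --quick-* commands in a throwaway GNUPGHOME,
# followed by the export / delete / re-import sequence and a check that the
# primary ends up as a stub (sec#) while the S, E and A subkeys remain usable.
# Assumes gpg >= 2.1 on PATH. User ID and passphrase below are placeholders.
set -eu

UID_STR="Example User <user@example.org>"   # placeholder user ID
PASS="correct horse battery staple"         # placeholder passphrase
KEY_ALGO="${KEY_ALGO:-rsa4096}"             # the post uses rsa4096 throughout
EXPIRE="1y"                                 # same expiry as in the post
FPR=""                                      # set by generate_split_key

# Every call that needs the passphrase runs with --batch and a loopback
# pinentry, so the passphrase comes from $PASS rather than a dialog box.
gpg_unattended() {
  gpg --batch --yes --pinentry-mode loopback --passphrase "$PASS" "$@"
}

setup_keyring() {
  GNUPGHOME=$(mktemp -d)
  export GNUPGHOME
  chmod 700 "$GNUPGHOME"
  # Older 2.1.x agents refuse loopback pinentry unless told to allow it.
  echo "allow-loopback-pinentry" > "$GNUPGHOME/gpg-agent.conf"
}

# Certify-only primary (usage "cert" gives the [C] key from the post), then
# one subkey per capability: the separate S, E and A subkeys the post suggests.
generate_split_key() {
  gpg_unattended --quick-generate-key "$UID_STR" "$KEY_ALGO" cert "$EXPIRE"
  FPR=$(gpg --batch --with-colons --list-keys "$UID_STR" \
        | awk -F: '$1 == "fpr" { print $10; exit }')
  for usage in sign encr auth; do
    gpg_unattended --quick-add-key "$FPR" "$KEY_ALGO" "$usage" "$EXPIRE"
  done
}

# Back up the full secret key, export only the subkeys, delete every secret
# part, then re-import the subkeys: the daily-use machine keeps no certify key.
strip_primary() {
  gpg_unattended --output "$GNUPGHOME/private-key.gpg" --export-secret-keys "$FPR"
  gpg_unattended --output "$GNUPGHOME/secret-sub.key" --export-secret-subkeys "$FPR"
  gpg --batch --yes --delete-secret-keys "$FPR"   # batch deletion needs the fingerprint
  gpg_unattended --import "$GNUPGHOME/secret-sub.key"
}

# Prints "stub" when the primary's secret part is absent (gpg -K shows sec#),
# otherwise "full". In the colon listing, field 15 of the sec record is "#"
# for a stub.
primary_secret_state() {
  gpg --batch --with-colons --list-secret-keys "$1" \
    | awk -F: '$1 == "sec" { state = ($15 == "#") ? "stub" : "full"; print state; exit }'
}

# Capability letters of the secret subkeys, sorted and joined, e.g. "aes".
subkey_usages() {
  gpg --batch --with-colons --list-secret-keys "$1" \
    | awk -F: '$1 == "ssb" { print $12 }' | sort | tr -d '\n'
}

cleanup() {
  gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$GNUPGHOME"
}

# Run the whole sequence: sh split-key.sh run
if [ "${1:-}" = "run" ]; then
  setup_keyring
  generate_split_key
  strip_primary
  echo "primary secret: $(primary_secret_state "$FPR"), subkeys: $(subkey_usages "$FPR")"
  cleanup
fi
```

The two check functions read the machine-readable --with-colons listing rather than grepping for "sec#", so the same test works in a script regardless of locale or gpg version. For a real key, move private-key.gpg off the machine before running the delete step, and set KEY_ALGO only for quick experiments; rsa4096 is what the post builds.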