Create GPG Primary Key Pairs

[OPTIONAL] Good-To-Have Dependencies

These are optional dependencies that make the key creation process smoother.


Linux - haveged

If you're on Linux with a kernel older than 5.6, open a new terminal, install the haveged package, wait until the key is generated, then uninstall it. On kernel 5.6 and later the kernel's random number generator no longer blocks once it has been seeded, so haveged is usually unnecessary there.

$ sudo apt install haveged -y
$ # wait until gpg key is generated...
$ sudo apt purge haveged -y

Start GPG Key Generator

To create the key, start the GPG key generator. This guide uses the advanced ("expert") mode, because that is what exposes the option to set key capabilities by hand. The command is:

$ gpg --expert --full-gen-key

Select Certify Key

You will be presented with a list of options.

gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
   (9) ECC and ECC
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (13) Existing key

Your selection? 8

Select "8" for "RSA (set your own capabilities)".


Rationale
Not every GnuPG installation supports ECC keys. For the sake of backwards compatibility, we will create the strongest RSA key available in the system.

If you insist on ECC, you take the risk that your key will not work with every system, in particular with GnuPG 1.4 and 2.0 (ECC support arrived in GnuPG 2.1).

Also, this is the "certify" key. It is used only to certify (sign) other people's keys and to manage your own subkeys, so it is rarely exercised in day-to-day use. An RSA key with the correct settings is therefore fine.

Toggle To Certify Capability Only

You will be presented with another set of options. For an RSA key the capabilities start as Sign, Certify and Encrypt. You need to:

  1. Press "S" to toggle the sign capability off, then "E" to toggle the encrypt capability off. Each press flips that capability, so check the "Current allowed actions" line after every press. "A" (authenticate) is already off for RSA, so pressing it would turn it on. The desired result is that only "Certify" is left.
  2. Once done, press "Q" to finish the setting.
Possible actions for a RSA key: Sign Certify Encrypt Authenticate 
Current allowed actions: Certify

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished
Your selection? 

Select Maximum RSA Key Size

Once done, you will be prompted for the key size. For RSA, keep it at the maximum available. In the following example, it is 4096.

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096

Select Endless Expiry

Since this is a primary identity key, you may select "endless" expiry (0) or choose your own. Note that an expiry date can be extended later with gpg --edit-key (the "expire" command), so a finite expiry is a safety net in case you ever lose the secret key or its passphrase; a key that never expires stays valid until you publish a revocation. In the following example,

  1. it's 0.
  2. GPG will prompt for confirmation. Select y to confirm.
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

Enter Your Real Name

Like any identity card, key in your REAL name. DO NOT put comments or qualifiers (e.g. '(for work)') in the name. Here is a good read-up: https://debian-administration.org/users/dkg/weblog/97.

One good example for "John Smith" with nickname "Shotgun" is:

GnuPG needs to construct a user ID to identify your key.

Real name: "Shotgun" John Smith

Enter Your Email

Next, GPG will ask for an email. Ensure you use an email address that represents your name (TIP: avoid funny nicknames, to show that you are genuine and professional).

One good example is:

Real name: "Shotgun" John Smith
Email address: john.smith@example.com

Enter Comment For This Primary Key

Once done, GPG will ask you to fill in a comment for this primary key. Think of the comment as the label on an identity document: "Driving Licence", "Social Security Number", "Identification Card", "Passport", and so on.


Although you have the freedom, avoid a few things:

  1. Stating that the key is for work or specific to an email.
    • Reason: you can create sub-keys for those, and an email identity can be added as a separate user ID entry.
  2. Stating nothing related to the key, like "I like strawberries!"
    • Reason: it's your identification 'card'. Others can see it worldwide too. Hence, please be professional.
  3. Nicknames
    • Reason: they belong inside your real name entry. Nicknames are indicated by quotes or parentheses. E.g.
      1. "Shotgun" John Smith
      2. (Shotgun) John Smith
  4. Crypto information like "4096"
    • Reason: it is supposed to be subtle. Don't announce it to the public. The tool knows how to identify it for you.
  5. Company Name
    • Reason: your company's email address is already self-explanatory. Hence, avoid it.

If you have no idea what to put in, just leave it blank. An empty comment is the greatest comment of all.


An example of comment would be:

Real name: "Shotgun" John Smith
Email address: john.smith@example.com
Comment: Main ID

Confirm the Identity

Once everything is done, you will need to confirm your identity. Here is an example:

You selected this USER-ID:
    ""Shotgun" John Smith (Main ID) <john.smith@example.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? 

Make triple sure about the presentation, as this is exactly what the public will see. If you need to change anything, press the parenthesized letter for that field.

Once you're satisfied with the identity, you may proceed to press "O" to confirm.

Enter Passphrase

This is the key's defensive mechanism. You are strongly advised to set a very strong passphrase to prevent others from using your key. A strong passphrase should have:

  1. minimum 33 characters.
  2. Contains multiple 0-9, a-z, A-Z, and symbols.
  3. Not fully based on a known word or phrases.

You can also use a password manager like LastPass to generate that password. Here are some examples of good and bad ones:

#1 Password (Weak - Bad! Don't do it)
SerinaAbel

#2 Passphrase (weak - Bad! Don't do it)
you aren’t getting my password!!!

#3 Passphrase (Strong - Good if it has to be memorised)
Y0u Ar6n’t_Get1ing My P@$sw0rd!!!

#4 Password (Strong - Best. Use a password manager to remember it)
E36d$DI3bTQ7aAGNMrQ5QO2Tu9TTR#$Yl

You can read more in "Descriptive Research for Access Management using Password" (PDF), available at https://www.researchgate.net/publication/324648036_Descriptive_Research_for_Access_Management_using_Password [accessed Jan 10 2020].

Wait For Key Generation

Once everything is done, wait for the key to be generated and saved into the keyring automatically. Keep in mind that RSA-4096 requires a large amount of entropy; if the generation stalls, do something else on the desktop (move the mouse, type on the keyboard, use the disks) until the key is fully generated. On Linux kernel 5.6 and later the random number generator no longer blocks once seeded, so this is usually not needed:

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key F5EF57A0FB4EF0EF marked as ultimately trusted
gpg: directory '/home/u0/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/u0/.gnupg/openpgp-revocs.d/AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF.rev'
public and secret key created and signed.

pub   rsa4096 2020-01-10 [C]
      AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF
uid                      "Shotgun" John Smith (Main ID) <john.smith@example.com>

Verify Key Creation

Once done, you may verify the key creation using the following command:

$ gpg --list-secret-keys --with-keygrip

You should get an output like the following:

...
---------------------------
sec   rsa4096 2020-01-10 [C]
      AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF
      Keygrip = FF21221B3D6BA64B045D677C2D03EFB13FBB29BF
uid           [ultimate] "Shotgun" John Smith (Main ID) <john.smith@example.com>
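The whole procedure above (certify-only RSA-4096 primary key, no expiry) can also be driven non-interactively, and the resulting listing can be checked by a script rather than by eye. The following is an added example written for this guide, not code from the original page or from GnuPG's own documentation: gen_primary_key wraps gpg --quick-generate-key with the same answers given to the prompts above, and check_primary parses the machine-readable --with-colons listing and fails unless every primary key is RSA of at least 4096 bits, certify-only and without an expiry date. The function names and the two sample listings are assumptions; the "good" sample reuses the key ID, fingerprint and keygrip shown above with made-up dates and user-ID hash, and the "bad" sample is a constructed listing of what the default "(1) RSA and RSA" choice would produce.

```shell
#!/bin/sh
# Added example for this guide (not from the original page or from GnuPG).
# Assumes GnuPG 2.1 or later on PATH and, for gen_primary_key, a fresh GNUPGHOME.

# Non-interactive equivalent of the prompts above:
#   algorithm rsa4096, capability "cert" only, expiry "never" (the "0" answer).
#   $1 = user ID string, $2 = passphrase.
# --pinentry-mode loopback lets --passphrase be used without a pinentry dialog;
# prefer --passphrase-file in real use so the passphrase never reaches the
# process list or the shell history.
gen_primary_key() {
    gpg --batch --pinentry-mode loopback --passphrase "$2" \
        --quick-generate-key "$1" rsa4096 cert never
}

# Read a `gpg --list-secret-keys --with-colons` listing on stdin and check every
# primary key (sec/pub record). Fields used, as documented in GnuPG's DETAILS:
#   $3 key length, $4 algorithm (1 = RSA), $5 key ID, $7 expiry (empty = never),
#   $12 capabilities, where the lower-case letters are this key's OWN
#   capabilities and upper-case letters summarise the whole key incl. subkeys.
# Prints one verdict line per primary key; exit status 0 only if all pass.
check_primary() {
    awk -F: '
        $1 == "sec" || $1 == "pub" {
            n++
            own = $12
            gsub(/[^a-z]/, "", own)
            ok = ($4 == 1 && $3 >= 4096 && own == "c" && $7 == "")
            printf "%s rsa%s own-caps=%s expires=%s %s\n", $5, $3, own, ($7 == "" ? "never" : $7), (ok ? "OK" : "FAIL")
            if (!ok) bad++
        }
        END { if (n == 0 || bad > 0) exit 1 }
    '
}

# Constructed sample listing for the key created in this guide (key ID,
# fingerprint and keygrip as shown above; dates and user-ID hash are made up).
SAMPLE_GOOD='sec:u:4096:1:F5EF57A0FB4EF0EF:1578614400:::u:::cC:::+:::23::0:
fpr:::::::::AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF:
grp:::::::::FF21221B3D6BA64B045D677C2D03EFB13FBB29BF:
uid:u::::1578614400::0000000000000000000000000000000000000000::"Shotgun" John Smith (Main ID) <john.smith@example.com>::::::::::0:'

# Constructed counter-example: what the default "(1) RSA and RSA" choice yields,
# a 3072-bit primary that can sign as well as certify ("sc") and that expires.
SAMPLE_BAD='sec:u:3072:1:0123456789ABCDEF:1578614400:1641686400::u:::scESC:::+:::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
ssb:u:3072:1:FEDCBA9876543210:1578614400:1641686400:::::e:::+:::23:'

main() {
    echo "guide key:";   printf '%s\n' "$SAMPLE_GOOD" | check_primary
    echo "default key:"; printf '%s\n' "$SAMPLE_BAD"  | check_primary || echo "rejected, as intended"
    # Against your own keyring (after gen_primary_key in a fresh GNUPGHOME):
    #   gpg --list-secret-keys --with-colons --with-keygrip | check_primary
}
main
```

Run it as-is to see the two verdicts. For real use, export GNUPGHOME="$(mktemp -d)", call gen_primary_key with the user ID and a passphrase, then pipe the colon listing into check_primary. The check deliberately looks only at the lower-case letters of the capability field: a default "RSA and RSA" primary carries "sc" (sign and certify) and is rejected, while the upper-case letters describe the whole key including subkeys and would be "ESCA" once the sub-keys for signing, authentication and encryption are added.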

That's all about creating GPG Primary Key Pairs. Keep the revocation certificate that GPG stored under ~/.gnupg/openpgp-revocs.d somewhere safe and offline: it is what lets you revoke the primary key if you ever lose the secret key or its passphrase. You may then proceed to create sub-keys for signing, authentication, and encryption in order to properly use the identity key.