A primary key with only the "certify" capability cannot do much on its own unless there are other keypairs for the different functions: sign, authenticate, and encrypt. This section guides you through creating these sub-keypairs.
These are some optional, good-to-have dependencies for smoothing the key creation process. If you're on Linux, open a new terminal and install the haveged package, wait until the key is generated, then uninstall it.
$ sudo apt install haveged -y
$ # wait until gpg key is generated...
$ sudo apt purge haveged -y
For advanced users who deleted their "certify"-capability secret key: you need to restore it before creating subkeys. You can verify its presence with the following command:
$ gpg --list-secret-keys
Example:
$ gpg --list-secret-keys
...
---------------------------
sec rsa4096 2020-01-10 [C]
AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF
uid [ultimate] "Shotgun" John, Smith (Main ID) <john.smith@email.com>
You want to check that the key with the [C] capability has a plain "sec" label without a hash ("sec#"). If it does have a hash, the secret key is only a stub; restore it by loading the backup copy with the following command:
$ gpg --import /path/to/your/key.asc
Once done, it's time to create sub-keypairs.
We start by obtaining your primary key ID. Run the following command and find your key:
$ gpg --list-secret-keys
Example:
$ gpg --list-secret-keys
...
---------------------------
sec rsa4096 2020-01-10 [C]
AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF
uid [ultimate] "Shotgun" John, Smith (Main ID) <john.smith@email.com>
You want the long string under the [C] key. In the example above, it is: AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF.
With the key ID identified, it's time to edit the key. Use the following command pattern to edit the key:
$ gpg --expert --edit-key <key-id>
From the example above, it is:
$ gpg --expert --edit-key AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF
You will be presented with the gpg key editor's main menu. It looks something like:
gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec rsa4096/F5EF57A0FB4EF0EF
created: 2020-01-10 expires: never usage: C
trust: ultimate validity: ultimate
[ultimate] (1). "Shotgun" John, Smith (Main ID) <john.smith@email.com>
gpg>
If you have a newly created primary key, the first subkey to add is an "RSA-based signature key" for signing. The same procedure applies to the subkeys responsible for encrypt and authenticate.
Now you can run the addkey command:
gpg> addkey
The menu now shows the available key types. You can select one of the following:
(8) RSA (set your own capabilities)
(11) ECC (set your own capabilities)
(12) ECC (encrypt only)
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(12) ECC (encrypt only)
(13) Existing key
Your selection? 8
NOTE: A good practice is to have one set of RSA subkeys, one per capability, before using ECC. This is for fallback in situations where a system still runs an old GnuPG (less than version 2.12).
Also,
IMPORTANT NOTE:
The ECC encrypt capability uses a different algorithm from sign and authenticate. Hence, choose "12" if you want to create an ECC-based subkey for encrypt.
Select the key capability. Use the listed toggles to switch each capability on and off.
NOTE: A good practice is one subkey for one capability only. Subkeys with multiple capabilities should be used with care.
Also, if your primary key has only the "certify (C)" capability, the first key to create is the "sign" key.
Here's an example for a "sign"-only key:
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection?
Here's an example for an "encrypt"-only key:
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection?
Here's an example for an "authenticate"-only key:
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Authenticate
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection?
Once you're done, select "Q" to finish.
Next, you select the key parameters (size for RSA, curve for ECC).
For RSA Key
Always use the maximum available bits displayed by GPG for longer use. In the following example, it is 4096:
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
FOR YOUR INFO: RSA keys weaken as technology advances. Hence, at some point in the future you will need to create an even stronger RSA key.
For ECC Key
There are many curves. However, Curve 25519 is well known and widely used on the internet. If you do not know what to choose, use Curve 25519, which is "1":
Please select which elliptic curve you want:
(1) Curve 25519
(3) NIST P-256
(4) NIST P-384
(5) NIST P-521
(6) Brainpool P-256
(7) Brainpool P-384
(8) Brainpool P-512
(9) secp256k1
Your selection? 1
For a subkey, you may choose an expiry time if you want. Unlike the primary key, you're encouraged to renew your subkeys periodically. Once you're done, confirm with 'y'.
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Sun 09 Jan 2022 11:32:45 AM +08
Is this correct? (y/N) y
Really create? (y/N) y
Since this affects your primary key, GPG will ask you for the primary key's passphrase to prove ownership. Enter it and let the key creation proceed.
Once the key is created, you will be returned to the main menu. If you look closely, you now have an extra subkey ready for deployment. Example:
sec rsa4096/F5EF57A0FB4EF0EF
created: 2020-01-10 expires: never usage: C
trust: ultimate validity: ultimate
ssb rsa4096/66F2E45747AB2C90
created: 2020-01-10 expires: 2022-01-09 usage: S
[ultimate] (1). "Shotgun" John, Smith (Main ID) <john.smith@email.com>
gpg>
You may add more keys before proceeding to the next step. A healthy key has a minimum of:
Additionally, you may create ECC-based subkeys for better performance. If you want that, you may create:
Here is the final example (in my opinion):
sec rsa4096/F5EF57A0FB4EF0EF
created: 2020-01-10 expires: never usage: C
trust: ultimate validity: ultimate
ssb rsa4096/66F2E45747AB2C90
created: 2020-01-10 expires: 2022-01-09 usage: S
ssb rsa4096/9D485C5208D0859F
created: 2020-01-10 expires: 2022-01-09 usage: E
ssb rsa4096/90939A7DBBFC226D
created: 2020-01-10 expires: 2022-01-09 usage: A
ssb ed25519/16972F736B59F874
created: 2020-01-10 expires: 2022-01-09 usage: S
ssb ed25519/D22D6E1FD575E506
created: 2020-01-10 expires: 2022-01-09 usage: A
ssb cv25519/25252612A403B41C
created: 2020-01-10 expires: 2022-01-09 usage: E
[ultimate] (1). "Shotgun" John, Smith (Main ID) <john.smith@email.com>
gpg>
Once everything is done, quit and save. Type quit and remember to confirm the save.
gpg> quit
Save changes? (y/N) y
Now that everything is completed, you can verify your key again using the following command:
$ gpg --list-secret-keys
This will now yield something like this:
...
---------------------------
sec rsa4096 2020-01-10 [C]
AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF
uid [ultimate] "Shotgun" John, Smith (Main ID) <john.smith@email.com>
ssb rsa4096 2020-01-10 [S] [expires: 2022-01-09]
ssb rsa4096 2020-01-10 [E] [expires: 2022-01-09]
ssb rsa4096 2020-01-10 [A] [expires: 2022-01-09]
ssb ed25519 2020-01-10 [S] [expires: 2022-01-09]
ssb ed25519 2020-01-10 [A] [expires: 2022-01-09]
ssb cv25519 2020-01-10 [E] [expires: 2022-01-09]
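To check a finished listing against this guide's recommendations (certify-only primary whose secret key is present rather than a "sec#" stub, one capability per subkey, an expiry on every subkey, and an RSA fallback set for sign, encrypt and authenticate), here is an added example script that is not part of the guide. It parses the machine-readable output of gpg --list-secret-keys --with-colons; the audit_keyring function name and the two sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the guide: audit a secret-key listing against the
# layout the guide recommends (certify-only primary whose secret key is present,
# one capability per subkey, an expiry on every subkey, and an RSA fallback
# subkey for each of sign, encrypt and authenticate).
# Real use:  gpg --list-secret-keys --with-colons | audit_keyring
# Colon-format fields used (GnuPG doc/DETAILS): 1=record type, 4=algorithm id
# (1 = RSA), 5=key id, 7=expiry (epoch, empty = never), 12=capabilities
# (lowercase letters = this key's own), 15="#" when the secret key is only a
# stub, which the human-readable listing shows as "sec#".
audit_keyring() {
    awk -F: '
    BEGIN { bad = 0 }
    $1 == "sec" || $1 == "ssb" { own = $12; gsub(/[^a-z]/, "", own) }
    $1 == "sec" {
        if ($15 == "#") { print "primary " $5 ": secret key is a stub (sec#), import the backup first"; bad = 1 }
        if (own != "c") { print "primary " $5 ": own capabilities are \"" own "\", not certify-only"; bad = 1 }
    }
    $1 == "ssb" {
        if (length(own) != 1) { print "subkey " $5 ": several capabilities \"" own "\", use one per subkey"; bad = 1 }
        if ($7 == "") { print "subkey " $5 ": never expires, give subkeys an expiry"; bad = 1 }
        if ($4 == 1) rsa[own] = 1
    }
    END {
        split("s e a", need, " ")
        for (i = 1; i <= 3; i++)
            if (!(need[i] in rsa)) { print "no RSA fallback subkey with capability " need[i]; bad = 1 }
        exit bad
    }'
}

# Constructed sample listings; key ids are the ones shown in the guide, not real keys.
SAMPLE_HEALTHY='sec:u:4096:1:F5EF57A0FB4EF0EF:1578614400:::u:::cESCA:::+:::23::0:
uid:u::::1578614400::HASH::"Shotgun" John, Smith (Main ID) <john.smith@email.com>::::::::::0:
ssb:u:4096:1:66F2E45747AB2C90:1578614400:1641688365:::::s:::+:::23::0:
ssb:u:4096:1:9D485C5208D0859F:1578614400:1641688365:::::e:::+:::23::0:
ssb:u:4096:1:90939A7DBBFC226D:1578614400:1641688365:::::a:::+:::23::0:
ssb:u:256:22:16972F736B59F874:1578614400:1641688365:::::s:::+::ed25519:23::0:
ssb:u:256:18:25252612A403B41C:1578614400:1641688365:::::e:::+::cv25519:23::0:'
# Stub primary ("sec#"), one subkey that both signs and encrypts and never
# expires, and no RSA fallback set.
SAMPLE_BROKEN='sec:u:4096:1:F5EF57A0FB4EF0EF:1578614400:::u:::cESCA:::#:::23::0:
ssb:u:4096:1:66F2E45747AB2C90:1578614400::::::se:::+:::23::0:
ssb:u:256:22:16972F736B59F874:1578614400:1641688365:::::a:::+::ed25519:23::0:'

printf '%s\n' "$SAMPLE_HEALTHY" | audit_keyring && echo "healthy sample: no findings"
printf '%s\n' "$SAMPLE_BROKEN" | audit_keyring || echo "broken sample: findings listed above"
```

The function exits non-zero whenever it prints a finding, so it can be dropped into a script that refuses to continue with a stub primary or an unexpiring subkey.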
That's all for creating GPG sub-keypairs.