Embedded Files
A primary key with only "certify" ability won't be able to do much unless there are some other keypairs for different functions such as sign, authenticate, and encrypt. This section guides you on how to create these sub-keypairs.
[OPTIONAL] Good To Have Dependency
[OPTIONAL] Good To Have Dependency
These are some optional good to have dependencies for smoothening the key creation process.
Linux - haveged
Linux - haveged
if you're on Linux, open a new terminal and install haveged package, wait until the key is generated, then uninstall it.
$ sudo apt install haveged -y$ # wait until gpg key is generated...$ sudo apt purge haveged -yVerify Your Primary "Certify" Key Is Available
Verify Your Primary "Certify" Key Is Available
For advanced users who deleted their "certify" capability secret key, you need to restore it back for key creations. You can verify it by using the following command:
$ gpg --list-secret-keysExample:
$ gpg --list-secret-keys...---------------------------sec rsa4096 2020-01-10 [C] AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EFuid [ultimate] "Shotgun" John, Smith (Main ID) <john.smith@email.com>You want to observe the key with [C] capability and the sec label does not have a hash ("sec#"). If it does, you need to restore the key by loading the backup copy and use the following command to restore it:
$ gpg --import /path/to/you/key.ascCreating Sub-Keypairs
Creating Sub-Keypairs
Once done, it's time to create sub-keypairs.
Obtain Your Primary Key ID
Obtain Your Primary Key ID
We start off by obtaining your primary key ID. This is by using the following command and find your key:
$ gpg --list-secret-keysExample:
$ gpg --list-secret-keys...---------------------------sec rsa4096 2020-01-10 [C] AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EFuid [ultimate] "Shotgun" John, Smith (Main ID) <john.smith@email.com>You want the long string under the [C] key. In the example above, it is: AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF.
Edit Primary Key
Edit Primary Key
With the key ID identified, it's time to edit the key. Use the following command pattern to edit the key:
$ gpg --expert --edit-key <key-id>From the example above, it is:
$ gpg --expert --edit-key AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EFYou will be presented with the gpg key editor's main menu. It looks something like:
gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.This is free software: you are free to change and redistribute it.There is NO WARRANTY, to the extent permitted by law.Secret key is available.sec rsa4096/F5EF57A0FB4EF0EF created: 2020-01-10 expires: never usage: C trust: ultimate validity: ultimate[ultimate] (1). "Shotgun" John, Smith (Main ID) <john.smith@email.com>gpg>Add Subkey
Add Subkey
If you have a newly created primary key, the first key to add is an "RSA-based signature key" for signing. This is also true for keys responsible for encrypt, and authenticate.
Now that you're done, you may initiate addkey command:
gpg> addkey Select Key-Type
Select Key-Type
The menu will now shows the key that you want. You can select either of the following:
- "8" -
(8) RSA (set your own capabilities) - "11" -
(11) ECC (set your own capabilities) - "12" -
(12) ECC (encrypt only)
Please select what kind of key you want: (3) DSA (sign only) (4) RSA (sign only) (5) Elgamal (encrypt only) (6) RSA (encrypt only) (7) DSA (set your own capabilities) (8) RSA (set your own capabilities) (10) ECC (sign only) (11) ECC (set your own capabilities) (12) ECC (encrypt only) (13) Existing keyYour selection? 8If you have a newly created primary key, the first key to add is an "RSA-based signature key" for signing. This is also true for keys responsible for encrypt, and authenticate.
NOTE: A good practice is having one set of RSA subkey for each capabilities before using ECC. This is for fallback usage in situations where a system is still using the old GnuPG (less than version 2.12).Also,
IMPORTANT NOTE:ECC encrypt capability is using a different algorithm compared to sign and authenticate. Hence, choose "12" if you want to create ECC-based subkey for encrypt.Select Key Capability
Select Key Capability
Select the key capability. You may toggle the given instructions to switch the selected capability on and off.
NOTE: A good practice is having one subkey for one capability only. Multiple capabilities sub-key should be used with care. Also, if your primary key has only "cerify (C)" capability, the first key to create is the "sign" key.
Here's an example for "sign" only key:
Possible actions for a RSA key: Sign Encrypt Authenticate Current allowed actions: Sign (S) Toggle the sign capability (E) Toggle the encrypt capability (A) Toggle the authenticate capability (Q) FinishedYour selection?Here's an example for "encrypt" only key:
Possible actions for a RSA key: Sign Encrypt Authenticate Current allowed actions: Encrypt (S) Toggle the sign capability (E) Toggle the encrypt capability (A) Toggle the authenticate capability (Q) FinishedYour selection?Here's an example for "authenticate" only key:
Possible actions for a RSA key: Sign Encrypt Authenticate Current allowed actions: Sign (S) Toggle the sign capability (E) Toggle the encrypt capability (A) Toggle the authenticate capability (Q) FinishedYour selection?Once you're done, select "Q" for finish.
Select Key Nature
Select Key Nature
Once you're done, you may select the key nature.
For RSA Key
Always use the maximum available bits displayed by GPG for longer use. Based on the following example, it is 4096:
RSA keys may be between 1024 and 4096 bits long.What keysize do you want? (3072) 4096FOR YOUR INFO: RSA key gets weaken as technologies advances. Hence, there will be some time in the future where o you need to create an even stronger RSA.
For ECC Key
There are many curves. However, Curve 25519 is known and widely-used in the internet. If you do not what to choose, set it to use Curve 25519, which is "1":
Please select which elliptic curve you want: (1) Curve 25519 (3) NIST P-256 (4) NIST P-384 (5) NIST P-521 (6) Brainpool P-256 (7) Brainpool P-384 (8) Brainpool P-512 (9) secp256k1Your selection? 1FOR YOUR INFO: RSA key gets weaken as technologies advances. Hence, there will be some time in the future where o you need to create an even stronger RSA.
Set Key Expiry
Set Key Expiry
For sub-key, you may choose the expiry time if you want. Unlike primary key, you're encouraged to renew your subkeys across a period of time. Once you're done, you may confirm it with 'y'.
Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n yearsKey is valid for? (0) 2yKey expires at Sun 09 Jan 2022 11:32:45 AM +08Is this correct? (y/N) yReally create? (y/N) yAuthenticate Yourself
Authenticate Yourself
Since this is affecting your primary key, GPG will ask you to fill in the primary key's passphrase for ownership authentication. Please do so and let the key creation proceed.
Check Your New Sub-Key Creation
Check Your New Sub-Key Creation
Once the key is created, you will prompted back to the main menu. If you observe properly, you now have an extra subkey for deployment. Example:
sec rsa4096/F5EF57A0FB4EF0EF created: 2020-01-10 expires: never usage: C trust: ultimate validity: ultimatessb rsa4096/66F2E45747AB2C90 created: 2020-01-10 expires: 2022-01-09 usage: S [ultimate] (1). "Shotgun" John, Smith (Main ID) <john.smith@email.com>gpg>You may add more keys into it before proceeding to next step. A healthy key has a minimum of:
- One sign ("S") RSA-based subkey
- One encrypt ("E") RSA-based subkey
- One authenticate ("A") RSA-based subkey
Additionally, you may create the ECC-based subkey for better performance. If you want that, you may create:
- One sign ("S") ECC-based subkey
- One encrypt ("E") ECC-based subkey
- One authenticate ("A") ECC-based subkey
Here is the final example (in my opinion):
sec rsa4096/F5EF57A0FB4EF0EF created: 2020-01-10 expires: never usage: C trust: ultimate validity: ultimatessb rsa4096/66F2E45747AB2C90 created: 2020-01-10 expires: 2022-01-09 usage: S ssb rsa4096/9D485C5208D0859F created: 2020-01-10 expires: 2022-01-09 usage: E ssb rsa4096/90939A7DBBFC226D created: 2020-01-10 expires: 2022-01-09 usage: A ssb ed25519/16972F736B59F874 created: 2020-01-10 expires: 2022-01-09 usage: S ssb ed25519/D22D6E1FD575E506 created: 2020-01-10 expires: 2022-01-09 usage: A ssb cv25519/25252612A403B41C created: 2020-01-10 expires: 2022-01-09 usage: E [ultimate] (1). "Shotgun" John, Smith (Main ID) <john.smith@email.com>gpg> Save and Quit
Save and Quit
Once everything is done, you may quit and save. Type quit and remember to confirm the save.
gpg> quitSave changes? (y/N) yVerify Key
Verify Key
Now that everything is completed, you can verify your key again using the following command:
$ gpg --list-secrets-keyThis will now yield something as such:
...---------------------------sec rsa4096 2020-01-10 [C] AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EFuid [ultimate] "Shotgun" John, Smith (Main ID) <john.smith@email.com>ssb rsa4096 2020-01-10 [S] [expires: 2022-01-09]ssb rsa4096 2020-01-10 [E] [expires: 2022-01-09]ssb rsa4096 2020-01-10 [A] [expires: 2022-01-09]ssb ed25519 2020-01-10 [S] [expires: 2022-01-09]ssb ed25519 2020-01-10 [A] [expires: 2022-01-09]ssb cv25519 2020-01-10 [E] [expires: 2022-01-09]That's all for creating GPG Sub-Keypair.
Page updated
Google Sites
Report abuse