Create User Identity

A primary key can hold multiple identities (e.g. a work identity, a personal identity, a driving identity) for one owner. That's right: you do not need to create a separate primary key for each identity. This section guides you through creating a new user identity (also known as a "uid").

Verify Your Primary "Certify" Key Is Available

Adding a UID modifies the primary key: the new UID is self-signed by it, so the secret part of the "certify" [C] key must be present in your keyring. If you are an advanced user who removed the certify secret key (for example to keep it offline), you need to restore it before creating the UID. You can verify its presence with the following command:

$ gpg --list-secret-keys

Example:

$ gpg --list-secret-keys
...
---------------------------
sec   rsa4096 2020-01-10 [C]
      AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF
uid           [ultimate] "Shotgun" John, Smith (Main ID) <john.smith@email.com>

Look for the key with the [C] capability and make sure its sec label has no hash after it ("sec#"). A hash means only a stub of the secret key is in the keyring, and gpg will not be able to sign the new UID. In that case, restore the key by importing your backup copy:

$ gpg --import /path/to/your/key.asc

If you keep the primary key offline on purpose, remember to remove it from the keyring again once the new UID is saved.

Creating UID

Once that is done, it's time to create the UID.

Obtain Your Primary Key ID

We start by obtaining your primary key's fingerprint, which gpg accepts wherever it asks for a key ID. Use the following command and find your key:

$ gpg --list-secret-keys

Example:

$ gpg --list-secret-keys
...
---------------------------
sec   rsa4096 2020-01-10 [C]
      AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF
uid           [ultimate] "Shotgun" John, Smith (Main ID) <john.smith@email.com>
ssb   rsa4096 2020-01-10 [S] [expires: 2022-01-09]
ssb   rsa4096 2020-01-10 [E] [expires: 2022-01-09]
ssb   rsa4096 2020-01-10 [A] [expires: 2022-01-09]
ssb   ed25519 2020-01-10 [S] [expires: 2022-01-09]
ssb   ed25519 2020-01-10 [A] [expires: 2022-01-09]
ssb   cv25519 2020-01-10 [E] [expires: 2022-01-09]

You want the 40-character hex string printed under the [C] key; this is the primary key's fingerprint. In the example above, it is: AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF. (Its last 16 characters, F5EF57A0FB4EF0EF, are the long key ID that the key editor displays.)


Edit Primary Key

With the key's fingerprint identified (the long string above), it's time to edit the key. Use the following command pattern (--expert is not required for adduid, but it is harmless and matches the other sections of this guide):

$ gpg --expert --edit-key <key-id>

From the example above, it is:

$ gpg --expert --edit-key AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF

You will be presented with the gpg key editor's main menu. It looks something like:

gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa4096/F5EF57A0FB4EF0EF
     created: 2020-01-10  expires: never       usage: C   
     trust: ultimate      validity: ultimate
ssb  rsa4096/66F2E45747AB2C90
     created: 2020-01-10  expires: 2022-01-09  usage: S   
ssb  rsa4096/9D485C5208D0859F
     created: 2020-01-10  expires: 2022-01-09  usage: E   
ssb  rsa4096/90939A7DBBFC226D
     created: 2020-01-10  expires: 2022-01-09  usage: A   
ssb  ed25519/16972F736B59F874
     created: 2020-01-10  expires: 2022-01-09  usage: S   
ssb  ed25519/D22D6E1FD575E506
     created: 2020-01-10  expires: 2022-01-09  usage: A   
ssb  cv25519/25252612A403B41C
     created: 2020-01-10  expires: 2022-01-09  usage: E   
[ultimate] (1). "Shotgun" John, Smith (Main ID) <john.smith@email.com>

gpg>


Add UID

At the gpg> prompt, run the adduid command:

gpg> adduid 


Fill In Credentials

You are immediately prompted to fill in the new identity's details. Fill them in accordingly.


Enter Your Real Name

Like any identity card, key in your REAL name. DO NOT put comments or anything else (e.g. '(for work)') in the name field. Here is a good read-up: https://debian-administration.org/users/dkg/weblog/97.

One good example for "John, Smith" with nickname "Shotgun" is:

GnuPG needs to construct a user ID to identify your key.

Real name: "Shotgun" John, Smith


Enter Your Email

Next, GPG asks for an email address. Use an address that properly represents your name (TIP: avoid funny nicknames in the address; it should look authentic and professional).

One good example is:

Real name: "Shotgun" John, Smith
Email address: john.smith@company.com


Enter Comment For This UID

Once done, GPG asks you to fill in a comment for this UID. In daily life the comment is the equivalent of "Driving License", "Social Security Number", "Identification Card", "Passport", etc.: a label for this particular identity.


Although you have the freedom, please avoid a few things:

  1. Stating that the key is for work or is specific to an email address.
    • Reason: subkeys cover specific uses, and each email address gets its own UID entry anyway.
  2. Something unrelated to the key, like "I like strawberries!"
    • Reason: it's your identification 'card', and anyone worldwide can see it. Keep it professional.
  3. Nicknames
    • Reason: they belong in the real name entry, marked by quotes or parentheses. E.g.
      1. "Shotgun" John, Smith
      2. (Shotgun) John, Smith
  4. Crypto information like "4096"
    • Reason: it adds nothing. The key's algorithm and size are already visible in every key listing, and tools read them from the key itself.
  5. Company name
    • Reason: chances are you're using your company email for this identity, and the address already says which company it is.

If you have no idea what to put in, just leave it blank. An empty comment is the best comment of all.


An example (with no comment, since the name, the other UID and the email are self-explanatory) would be:

Real name: "Shotgun" John, Smith
Email address: john.smith@company.com
Comment: 
You selected this USER-ID:
    ""Shotgun" John, Smith <john.smith@company.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? 

Alongside your existing UID, this will look something like:

sec   rsa4096 2020-01-10 [C]
      AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF
uid           [ultimate] "Shotgun" John, Smith <john.smith@company.com>
uid           [ultimate] "Shotgun" John, Smith (Main ID) <john.smith@email.com>

That is why an empty comment is always the best comment.


Authenticate Yourself

Since this changes your primary key (the new UID is self-signed with it), GPG asks for the primary key's passphrase to prove ownership. Enter it and let the UID creation proceed.


Check Your New UID Creation

Once the UID is created, you are returned to the main menu. Look closely: you now have an extra UID, marked [ unknown] by the editor for now:

sec  rsa4096/F5EF57A0FB4EF0EF
     created: 2020-01-10  expires: never       usage: C   
     trust: ultimate      validity: ultimate
ssb  rsa4096/66F2E45747AB2C90
     created: 2020-01-10  expires: 2022-01-09  usage: S   
ssb  rsa4096/9D485C5208D0859F
     created: 2020-01-10  expires: 2022-01-09  usage: E   
ssb  rsa4096/90939A7DBBFC226D
     created: 2020-01-10  expires: 2022-01-09  usage: A   
ssb  ed25519/16972F736B59F874
     created: 2020-01-10  expires: 2022-01-09  usage: S   
ssb  ed25519/D22D6E1FD575E506
     created: 2020-01-10  expires: 2022-01-09  usage: A   
ssb  cv25519/25252612A403B41C
     created: 2020-01-10  expires: 2022-01-09  usage: E   
[ultimate] (1)  "Shotgun" John, Smith (Main ID) <john.smith@email.com>
[ unknown] (2). "Shotgun" John, Smith <john.smith@company.com>

gpg> 


Trusting Your New UID

In the editor, a newly added UID shows as [ unknown] because the validity displayed was computed when the editor opened; gpg recomputes it after you save. Since your own key is ultimately trusted, the new UID shows up as [ultimate] in the next key listing, as you will see in the verification step below.

Other people's trust does not carry over, however. Certifications (key signatures) are made per UID, so anyone who signed your existing UID has not vouched for the new one. If you practice having your public key signed by your trustees, you need to ask them to sign the new UID as well.

Trusting the UID is outside the scope of this section, so please refer back to the index page.


Save and Quit

Once everything is done, quit and save. Type quit and confirm the save:

gpg> quit
Save changes? (y/N) y


Verify Key

Now that everything is completed, you can verify your key again using the following command:

$ gpg --list-secret-keys

This will now list both UIDs, the new one marked [ultimate] as well:

...
---------------------------

sec   rsa4096 2020-01-10 [C]
      AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF
uid           [ultimate] "Shotgun" John, Smith <john.smith@company.com>
uid           [ultimate] "Shotgun" John, Smith (Main ID) <john.smith@email.com>
ssb   rsa4096 2020-01-10 [S] [expires: 2022-01-09]
ssb   rsa4096 2020-01-10 [E] [expires: 2022-01-09]
ssb   rsa4096 2020-01-10 [A] [expires: 2022-01-09]
ssb   ed25519 2020-01-10 [S] [expires: 2022-01-09]
ssb   ed25519 2020-01-10 [A] [expires: 2022-01-09]
ssb   cv25519 2020-01-10 [E] [expires: 2022-01-09]
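The whole procedure above can be scripted. The following Python program is an added example, not code from this page or from GnuPG: it parses the machine-readable listing from gpg --list-secret-keys --with-colons to perform the "sec#" check from the start of this section and to pick up the primary key's fingerprint, builds the batch equivalent of adduid (gpg --quick-add-uid, available since GnuPG 2.1.13), and confirms the new UID is listed as in the output above. Field positions follow GnuPG's doc/DETAILS. The two sample listings embedded in it are constructed to match the page's key; they are not captured output. The live_demo function only runs if a gpg binary is on PATH, and it works on a throwaway key in a temporary GNUPGHOME so your real keyring is never touched.

```python
"""
Scripted version of this section: check that the certify-capable primary
secret key is present (no "sec#"), read its fingerprint, add a UID with
`gpg --quick-add-uid` (batch equivalent of the editor's `adduid`, GnuPG
>= 2.1.13) and confirm the new UID is listed.  Added example, not GnuPG code.
The SAMPLE_* listings are constructed to match the page's key, not captured.
"""
import os
import re
import shutil
import subprocess
import tempfile
from dataclasses import dataclass, field

# Constructed `gpg --list-secret-keys --with-colons` output for the page's key.
SAMPLE_LISTING = """\
sec:u:4096:1:F5EF57A0FB4EF0EF:1578614400:::u:::cESCA:::+:::23::0:
fpr:::::::::AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF:
uid:u::::1578614400::0000000000000000000000000000000000000000::"Shotgun" John, Smith (Main ID) <john.smith@email.com>::::::::::0:
ssb:u:4096:1:66F2E45747AB2C90:1578614400:1641686400:::::s:::+:::23:
ssb:u:4096:1:9D485C5208D0859F:1578614400:1641686400:::::e:::+:::23:
"""
# Same key after the primary secret key was deleted: field 15 turns into "#",
# which the human-readable listing shows as "sec#".
SAMPLE_STUB_LISTING = SAMPLE_LISTING.replace(":cESCA:::+:", ":cESCA:::#:", 1)


@dataclass
class SecretKey:
    keyid: str
    capabilities: str   # field 12: own capabilities lowercase, usable whole-key ones uppercase
    stub: bool          # field 15 == "#": secret part missing ("sec#")
    fingerprint: str = ""
    uids: list = field(default_factory=list)   # (user id text, validity letter)


def unescape(value: str) -> str:
    """Undo the C-style \\xNN quoting of colon listings (':' arrives as \\x3a)."""
    raw = re.sub(rb"\\x([0-9a-fA-F]{2})", lambda m: bytes([int(m.group(1), 16)]),
                 value.encode("utf-8"))
    return raw.decode("utf-8", errors="replace")


def parse_secret_listing(text: str) -> list:
    """Group sec/fpr/uid records of a colon listing into SecretKey objects."""
    keys, current = [], None
    for line in text.splitlines():
        f = line.split(":")
        f += [""] * (21 - len(f))        # pad short records so indexing is safe
        if f[0] == "sec":
            current = SecretKey(keyid=f[4], capabilities=f[11], stub=(f[14] == "#"))
            keys.append(current)
        elif f[0] == "fpr" and current and not current.fingerprint:
            current.fingerprint = f[9]   # first fpr after sec is the primary's
        elif f[0] == "uid" and current:
            current.uids.append((unescape(f[9]), f[1]))
    return keys


def certify_key_ready(key: SecretKey) -> bool:
    """This section's check: 'c' capability present and the secret part not a stub."""
    return "c" in key.capabilities and not key.stub


def quick_add_uid_argv(fingerprint: str, user_id: str) -> list:
    """Batch equivalent of `gpg --edit-key <fpr>` followed by `adduid`."""
    return ["gpg", "--batch", "--quick-add-uid", fingerprint, user_id]


def has_uid(keys: list, fingerprint: str, user_id: str) -> bool:
    """True if the key with this fingerprint lists user_id with ultimate validity."""
    return any(k.fingerprint == fingerprint and (user_id, "u") in k.uids for k in keys)


def live_demo() -> bool:
    """Run the real steps on a throwaway key in a temporary GNUPGHOME (needs gpg)."""
    if not shutil.which("gpg"):
        return False
    with tempfile.TemporaryDirectory() as home:
        env = dict(os.environ, GNUPGHOME=home)

        def gpg(*args):
            base = ["gpg", "--batch", "--pinentry-mode", "loopback", "--passphrase", ""]
            return subprocess.run(base + list(args), env=env, check=True,
                                  capture_output=True, text=True).stdout

        gpg("--quick-generate-key", "Demo User <demo@example.com>", "default", "default", "never")
        key = parse_secret_listing(gpg("--list-secret-keys", "--with-colons"))[0]
        if not certify_key_ready(key):
            return False
        new_uid = "Demo User <demo@example.org>"
        gpg(*quick_add_uid_argv(key.fingerprint, new_uid)[2:])   # argv minus "gpg --batch"
        keys = parse_secret_listing(gpg("--list-secret-keys", "--with-colons"))
        subprocess.run(["gpgconf", "--kill", "gpg-agent"], env=env)
        return has_uid(keys, key.fingerprint, new_uid)


if __name__ == "__main__":
    for label, text in (("backup restored", SAMPLE_LISTING), ("primary removed", SAMPLE_STUB_LISTING)):
        key = parse_secret_listing(text)[0]
        print(f"{label}: fingerprint {key.fingerprint}, certify key ready: {certify_key_ready(key)}")
    print(" ".join(quick_add_uid_argv(key.fingerprint, '"Shotgun" John, Smith <john.smith@company.com>')))
    print("live demo:", live_demo())
```

Run it directly for the sample walkthrough. In your own scripts, feed parse_secret_listing the output of gpg --list-secret-keys --with-colons and refuse to continue when certify_key_ready is False: that is exactly the "sec#" state in which adduid cannot sign the new UID.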

That's all for creating a GPG user identity (UID).