Embedded Files
A primary key can holds multiple identity (e.g. work identity, individual identity, driving identity) for an owner. That's right, you do not need to create multiple primary keys for each identity. This section guides you on how to create new user identity (also known as "uid").
Verify Your Primary "Certify" Key Is Available
Verify Your Primary "Certify" Key Is Available
For advanced users who deleted their "certify" capability secret key, you need to restore it back for key creations. You can verify it by using the following command:
$ gpg --list-secret-keysExample:
$ gpg --list-secret-keys...---------------------------sec rsa4096 2020-01-10 [C] AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EFuid [ultimate] "Shotgun" John, Smith (Main ID) <john.smith@email.com>You want to observe the key with [C] capability and the sec label does not have a hash ("sec#"). If it does, you need to restore the key by loading the backup copy and use the following command to restore it:
$ gpg --import /path/to/you/key.ascCreating UID
Creating UID
Once done, it's time to create UID.
Obtain Your Primary Key ID
Obtain Your Primary Key ID
We start off by obtaining your primary key ID. This is by using the following command and find your key:
$ gpg --list-secret-keysExample:
$ gpg --list-secret-keys...---------------------------sec rsa4096 2020-01-10 [C] AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EFuid [ultimate] "Shotgun" John, Smith (Main ID) <john.smith@email.com>ssb rsa4096 2020-01-10 [S] [expires: 2022-01-09]ssb rsa4096 2020-01-10 [E] [expires: 2022-01-09]ssb rsa4096 2020-01-10 [A] [expires: 2022-01-09]ssb ed25519 2020-01-10 [S] [expires: 2022-01-09]ssb ed25519 2020-01-10 [A] [expires: 2022-01-09]ssb cv25519 2020-01-10 [E] [expires: 2022-01-09]You want the long string under the [C] key. In the example above, it is: AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF.
Edit Primary Key
Edit Primary Key
With the key ID identified, it's time to edit the key. Use the following command pattern to edit the key:
$ gpg --expert --edit-key <key-id>From the example above, it is:
$ gpg --expert --edit-key AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EFYou will be presented with the gpg key editor's main menu. It looks something like:
gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.This is free software: you are free to change and redistribute it.There is NO WARRANTY, to the extent permitted by law.Secret key is available.sec rsa4096/F5EF57A0FB4EF0EF created: 2020-01-10 expires: never usage: C trust: ultimate validity: ultimatessb rsa4096/66F2E45747AB2C90 created: 2020-01-10 expires: 2022-01-09 usage: S ssb rsa4096/9D485C5208D0859F created: 2020-01-10 expires: 2022-01-09 usage: E ssb rsa4096/90939A7DBBFC226D created: 2020-01-10 expires: 2022-01-09 usage: A ssb ed25519/16972F736B59F874 created: 2020-01-10 expires: 2022-01-09 usage: S ssb ed25519/D22D6E1FD575E506 created: 2020-01-10 expires: 2022-01-09 usage: A ssb cv25519/25252612A403B41C created: 2020-01-10 expires: 2022-01-09 usage: E [ultimate] (1). "Shotgun" John, Smith (Main ID) <john.smith@email.com>gpg>Add UID
Add UID
Now that you're done, you may initiate adduid command:
gpg> adduid Fills in Credentials
Fills in Credentials
You're immediately being prompted to fill in the new identification credentials. Fill them up accordingly.
Enter Your Real Name
Like any identity card, please key in your REAL name. DO NOT enter comments or whatsoever (e.g. '(for work)') etc. Here is a good read up: https://debian-administration.org/users/dkg/weblog/97.
One good example for "John, Smith" with nickname "Shotgun" is:
GnuPG needs to construct a user ID to identify your key.Real name: "Shotgun" John, SmithEnter Your Email
Next, GPG will ask for an email. Please ensure you use a good email representing your name (TIP: avoid funny nicknames to prove your genuity and professionality).
One good example is:
Real name: "Shotgun" John SmithEmail address: john.smith@company.comEnter Comment For This Primary Key
Once done, GPG will ask you to fill in a comment for this primary key. The comment is something like "Driving License", "Social Security Number", "Identification Card", "Passport", etc. in our daily life.
Although you have the freedom, please avoid a few things:
- Stating that the key is for work or specific to an email.
- Reason: you can create sub-keys for those and email identity can be added in multiple entry
- Stating nothing related to the key like "I like strawberries!"
- Reason: it's your identification 'card'. Other can see that worldwide too. Hence, please be professional please.
- Nicknames
- Reason: it should be inside your real name entry. Nickname are indicated by quote or parenthesis. E.g.
- "Shotgun" John, Smith
- (Shotgun) John, Smith
- Reason: it should be inside your real name entry. Nickname are indicated by quote or parenthesis. E.g.
- Crypto information like "4096"
- Reason: it is supposed to be subtle. Don't announce it to the public. The tool knows how to identify for you.
- Company Name
- Reason: Chances are: you're using your company email for the identity. Your company's email address is already self-explained so avoid it.
If you have no idea what to put in, just leave it blank. Empty comment is the greatest comment of all.
An example (with no comment since the name, other UID, and email are self-explanatory) would be:
Real name: "Shotgun" John, SmithEmail address: john.smith@company.comComment: You selected this USER-ID: ""Shotgun" John, Smith <john.smith@company.com>"Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? This, when presented with your existing UID, will look something like this:
sec rsa4096 2020-01-10 [C] AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EFuid [ultimate] "Shotgun" John, Smith <john.smith@company.com>uid [ultimate] "Shotgun" John, Smith (Main ID) <john.smith@email.com>That is why empty comment is always the best comment of all.
Authenticate Yourself
Authenticate Yourself
Since this is affecting your primary key, GPG will ask you to fill in the primary key's passphrase for ownership authentication. Please do so and let the key creation proceed.
Check Your New UID Creation
Check Your New UID Creation
Once the UID is created, you will prompted back to the main menu. If you observe properly, you now have an extra UID:
sec rsa4096/F5EF57A0FB4EF0EF created: 2020-01-10 expires: never usage: C trust: ultimate validity: ultimatessb rsa4096/66F2E45747AB2C90 created: 2020-01-10 expires: 2022-01-09 usage: S ssb rsa4096/9D485C5208D0859F created: 2020-01-10 expires: 2022-01-09 usage: E ssb rsa4096/90939A7DBBFC226D created: 2020-01-10 expires: 2022-01-09 usage: A ssb ed25519/16972F736B59F874 created: 2020-01-10 expires: 2022-01-09 usage: S ssb ed25519/D22D6E1FD575E506 created: 2020-01-10 expires: 2022-01-09 usage: A ssb cv25519/25252612A403B41C created: 2020-01-10 expires: 2022-01-09 usage: E [ultimate] (1) "Shotgun" John, Smith (Main ID) <john.smith@email.com>[ unknown] (2). "Shotgun" John, Smith <john.smith@company.com>gpg> Trusting Your New UID
Trusting Your New UID
When an UID is newly added, the trust model will not automatically picks up. Hence, it can be marked either "unknown" or "ultimate" depending on the key's initial trust level. If the key is originally trusted "ultimately", the new UID will be trusted "ultimate"ly as well.
In another word, you and your trustees need to "trust" the UID manually again. If you practice having public key signed by your trustees, you need to ask them to do that again for trusting the new UID.
Trusting the UID is a outside of this section so please refer back to the index page.
Save and Quit
Save and Quit
Once everything is done, you may quit and save. Type quit and remember to confirm the save.
gpg> quitSave changes? (y/N) yVerify Key
Verify Key
Now that everything is completed, you can verify your key again using the following command:
$ gpg --list-secrets-keyThis will now yield something as such:
...---------------------------sec rsa4096 2020-01-10 [C] AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EFuid [ultimate] "Shotgun" John, Smith <john.smith@company.com>uid [ultimate] "Shotgun" John, Smith (Main ID) <john.smith@email.com>ssb rsa4096 2020-01-10 [S] [expires: 2022-01-09]ssb rsa4096 2020-01-10 [E] [expires: 2022-01-09]ssb rsa4096 2020-01-10 [A] [expires: 2022-01-09]ssb ed25519 2020-01-10 [S] [expires: 2022-01-09]ssb ed25519 2020-01-10 [A] [expires: 2022-01-09]ssb cv25519 2020-01-10 [E] [expires: 2022-01-09]That's all for creating GPG Sub-Keypair.
Page updated
Google Sites
Report abuse