Creating a new GPG key
The following instructions provide a guide to generate a GnuPG key and are based, with permission, on a post to Ana's blog.
$ gpg --list-keys --with-subkey-fingerprint 7A33ECAA188B96F27C917288B3464F896AA15948
pub rsa4096 2009-05-10 [SC]
7A33ECAA188B96F27C917288B3464F896AA15948
uid [ unknown] Ana Beatriz Guerrero López <[email protected]>
uid [ unknown] Ana Beatriz Guerrero López <[email protected]>
sub rsa4096 2009-05-10 [E]
3626E7E07292B683510AF413FAD83EDD2497B8B2
As a side note, we are often asked why we mention 2048 bits at all. We prefer 4096-bit keys, and unless you have a specific reason to require a 2048-bit key, we would much rather you generate a 4096-bit one. We know that many smartcards can only hold 2048-bit keys, however, and their use is accepted.
Please note that the requirement to migrate from DSA keys to RSA keys is not only about key length but about the algorithm itself: there are classes of failure in traditional DSA that are not present in RSA. In particular, every DSA signature depends on a fresh, secret, uniformly random per-signature nonce, and a nonce that is reused or biased can leak the private key to anyone who collects the signatures, whereas RSA signing needs no such per-signature randomness.
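As an added check (example code written for this page, not part of the original guide or of any Debian keyring tooling), the following POSIX shell function tests a key listing against the advice just given: it parses the machine-readable output of gpg --with-colons and reports a DSA key or an RSA key shorter than 2048 bits as a violation, an RSA key shorter than 4096 bits as accepted but not preferred, and a missing expiry as a warning. The colon records below are constructed to mirror the tutorial key, an old 1024-bit DSA key and a smartcard-sized RSA-2048 key so the function can be exercised offline; the e-mail addresses and the DSA/RSA-2048 key IDs in the samples are made up.

```shell
#!/bin/sh
# Added example: check an OpenPGP key listing against the keyring's
# size/algorithm advice (RSA, 4096 bits preferred, 2048 accepted, no DSA).
# Input is the machine-readable listing from `gpg --with-colons --list-keys`.
# Relevant colon-separated fields: 1 record type, 3 key length,
# 4 public-key algorithm (1/2/3 = RSA, 17 = DSA), 5 key ID, 7 expiry.

# check_key_policy: reads a colon listing on stdin, prints one line per
# finding and exits 0 only when no hard violation was found.
check_key_policy() {
    awk -F: '
    $1 == "pub" || $1 == "sub" {
        rec  = $1 " " $5
        bits = $3 + 0
        algo = $4 + 0
        if (algo == 17) {
            bad++; print rec ": DSA (algo 17); migrate to an RSA key"
        } else if (algo == 1 || algo == 2 || algo == 3) {
            if (bits < 2048) {
                bad++; print rec ": RSA " bits " bits is below the accepted 2048-bit minimum"
            } else if (bits < 4096) {
                print rec ": RSA " bits " bits is accepted (smartcards), 4096 preferred"
            }
        } else {
            print rec ": algorithm " algo " is not RSA; not covered by this check"
        }
        if ($7 == "") print rec ": no expiry date set (the guide defaults to two years)"
    }
    END { exit (bad > 0) }'
}

# Constructed sample: the tutorial key as `gpg --with-colons --list-keys` would
# print it (RSA 4096 primary [SC], RSA 4096 subkey [E], expiring 2023-05-22).
TUTORIAL_KEY='tru::1:1621641600:1684713600:3:1:5
pub:u:4096:1:B9ACCA8647EEE39C:1621641600:1684713600::u:::scESC::::::23::0:
fpr:::::::::10AD8FDD6D88F8AB92E6158BB9ACCA8647EEE39C:
uid:u::::1621641600::0000000000000000000000000000000000000000::Test User <test@example.com>::::::::::0:
sub:u:4096:1:D82D266547A12BB5:1621641600:1684713600:::::e::::::23:'

# Constructed sample: a 1024-bit DSA primary with an ElGamal subkey and no
# expiry, the kind of key the keyring asked people to migrate away from.
OLD_DSA_KEY='pub:u:1024:17:0123456789ABCDEF:1115856000::::::scESC::::::::0:
uid:u::::1115856000::0000000000000000000000000000000000000000::Old User <old@example.com>::::::::::0:
sub:u:2048:16:FEDCBA9876543210:1115856000::::::e:'

# Constructed sample: a 2048-bit RSA key such as a smartcard would hold.
CARD_RSA2048='pub:u:2048:1:89ABCDEF01234567:1621641600:1684713600::u:::scESC::::::23::0:
uid:u::::1621641600::0000000000000000000000000000000000000000::Card User <card@example.com>::::::::::0:
sub:u:2048:1:76543210FEDCBA98:1621641600:1684713600:::::e::::::23:'

# report NAME LISTING: run the check on one listing and print the verdict.
report() {
    echo "== $1"
    if printf '%s\n' "$2" | check_key_policy; then
        echo "   verdict: acceptable"
    else
        echo "   verdict: rejected"
    fi
}

# Against your own keyring you would run, for example:
#   gpg --with-colons --list-keys 10AD8FDD6D88F8AB92E6158BB9ACCA8647EEE39C | check_key_policy
report "tutorial key" "$TUTORIAL_KEY"
report "old DSA key" "$OLD_DSA_KEY"
report "smartcard RSA-2048 key" "$CARD_RSA2048"
```

The awk filter only looks at pub and sub records, so a key whose primary is fine but whose encryption subkey is still DSA-era ElGamal is reported line by line rather than as a single verdict; the exit status is what a script should act on.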
Install Debian gpg package
Ensure the gpg Debian package is installed, providing the GnuPG command line interface.
Update ~/.gnupg/gpg.conf
With GnuPG 2.x, the default options are recommended, and users simply need to keep their software up to date. Configurations tweaked for older versions may be less secure than the current defaults and should be reviewed or deleted.
Create key
user@debian10buster:~$ gpg --gen-key --default-new-key-algo=rsa4096/cert,sign+rsa4096/encr
gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory '/home/user/.gnupg' created
gpg: keybox '/home/user/.gnupg/pubring.kbx' created
Note: Use "gpg --full-generate-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

Real name: Test User
Email address: [email protected]
You selected this USER-ID:
    "Test User <[email protected]>"

Change (N)ame, (E)mail, or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
gpg: key B9ACCA8647EEE39C marked as ultimately trusted
gpg: directory '/home/user/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/user/.gnupg/openpgp-revocs.d/10AD8FDD6D88F8AB92E6158BB9ACCA8647EEE39C.rev'
public and secret key created and signed.

pub   rsa4096 2021-05-22 [SC] [expires: 2023-05-22]
      10AD8FDD6D88F8AB92E6158BB9ACCA8647EEE39C
uid                      Test User <[email protected]>
sub   rsa4096 2021-05-22 [E] [expires: 2023-05-22]

user@debian10buster:~$
Add other UID
If one needs to add more than one email address to their key, the --edit-key menu may be used along with the adduid task:
user@debian10buster:~$ gpg --edit-key 10AD8FDD6D88F8AB92E6158BB9ACCA8647EEE39C
gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2023-05-22
sec rsa4096/B9ACCA8647EEE39C
created: 2021-05-22 expires: 2023-05-22 usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/D82D266547A12BB5
created: 2021-05-22 expires: 2023-05-22 usage: E
[ultimate] (1). Test User <[email protected]>
gpg> adduid
Real name: Test User Business
Email address: [email protected]
Comment:
You selected this USER-ID:
"Test User Business <[email protected]>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
sec rsa4096/B9ACCA8647EEE39C
created: 2021-05-22 expires: 2023-05-22 usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/D82D266547A12BB5
created: 2021-05-22 expires: 2023-05-22 usage: E
[ultimate] (1) Test User <[email protected]>
[ unknown] (2). Test User Business <[email protected]>
gpg> save
user@debian10buster:~$
Set primary UID
(Only needed if you've added more than one UID as above)
user@debian10buster:~$ gpg --edit-key 10AD8FDD6D88F8AB92E6158BB9ACCA8647EEE39C
gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2023-05-22
sec rsa4096/B9ACCA8647EEE39C
created: 2021-05-22 expires: 2023-05-22 usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/D82D266547A12BB5
created: 2021-05-22 expires: 2023-05-22 usage: E
[ultimate] (1). Test User Business <[email protected]>
[ultimate] (2) Test User <[email protected]>
gpg> uid 2
sec rsa4096/B9ACCA8647EEE39C
created: 2021-05-22 expires: 2023-05-22 usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/D82D266547A12BB5
created: 2021-05-22 expires: 2023-05-22 usage: E
[ultimate] (1). Test User Business <[email protected]>
[ultimate] (2)* Test User <[email protected]>
gpg> primary
sec rsa4096/B9ACCA8647EEE39C
created: 2021-05-22 expires: 2023-05-22 usage: SC
trust: ultimate validity: ultimate
ssb rsa4096/D82D266547A12BB5
created: 2021-05-22 expires: 2023-05-22 usage: E
[ultimate] (1) Test User Business <[email protected]>
[ultimate] (2)* Test User <[email protected]>
gpg> save
user@debian10buster:~$
Send new key to key server
gpg --keyserver keyserver.ubuntu.com --send-key 90A808023328BD4E58143AC5E6CB7939B6C3AAB7
Note that since GnuPG 2.1, the dirmngr utility is invoked by gpg to access OpenPGP servers and perform the upload and download of keys. Upload the key only once it is exactly as you want it: a key published to a keyserver cannot be removed again, only revoked, which is what the revocation certificate stored in openpgp-revocs.d during key creation is for.
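To see the whole procedure above end to end, here is an added example (written for this page; not code from the original guide or from the Debian keyring maintainers) that rehearses it non-interactively in a throwaway GNUPGHOME, so nothing touches your real keyring until you are happy with the result. It uses GnuPG's documented unattended key generation (--batch --gen-key with a parameter file) in place of the interactive dialog, and --quick-add-uid / --quick-set-primary-uid in place of the --edit-key session; the names, e-mail addresses and two-year expiry are assumptions for illustration, and %no-protection is used only because the rehearsal key is thrown away.

```shell
#!/bin/sh
# Added example: rehearse key creation, adding a second UID, setting the
# primary UID and the (commented-out) keyserver upload in a scratch GNUPGHOME.
# Names and addresses are illustrative; a real key must get a passphrase
# (drop %no-protection below and gpg will ask for one via pinentry).
set -u

# gen_key NAME EMAIL: create an RSA-4096 certify+sign primary key with an
# RSA-4096 encryption subkey, both expiring in two years, and print the new
# key's fingerprint (taken from gpg's "KEY_CREATED" status line).
# OpenPGP always sets the certify flag on a primary key, so "sign" yields [SC].
gen_key() {
    gpg --batch --status-fd 1 --gen-key <<EOF | awk '$1 == "[GNUPG:]" && $2 == "KEY_CREATED" { print $4 }'
%no-protection
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 4096
Subkey-Usage: encrypt
Name-Real: $1
Name-Email: $2
Expire-Date: 2y
%commit
EOF
}

# add_uid FPR "Name <email>": the adduid step of the guide.
add_uid()     { gpg --batch --quick-add-uid "$1" "$2"; }

# set_primary FPR "Name <email>": the "uid N" + "primary" step of the guide.
set_primary() { gpg --batch --quick-set-primary-uid "$1" "$2"; }

# primary_uid FPR: gpg lists the primary user ID first, so print field 10
# (the user ID) of the first uid record in the colon-format listing.
primary_uid() { gpg --with-colons --list-keys "$1" | awk -F: '$1 == "uid" { print $10; exit }'; }

# uid_count FPR: number of user IDs on the key.
uid_count()   { gpg --with-colons --list-keys "$1" | grep -c '^uid:'; }

# rehearse: run the whole procedure in a fresh GNUPGHOME and show the result.
rehearse() {
    scratch=$(mktemp -d) || return 1
    GNUPGHOME=$scratch; export GNUPGHOME
    fpr=$(gen_key "Test User" "test@example.com")
    [ -n "$fpr" ] || return 1
    add_uid "$fpr" "Test User Business <test@example.org>" || return 1
    set_primary "$fpr" "Test User <test@example.com>" || return 1
    echo "fingerprint: $fpr"
    echo "user IDs:    $(uid_count "$fpr")"
    echo "primary UID: $(primary_uid "$fpr")"
    gpg --list-keys --with-subkey-fingerprint "$fpr"
    # Final step for a real key, once it is exactly as you want it; never run
    # it against a scratch home:
    #   gpg --keyserver keyserver.ubuntu.com --send-key "$fpr"
    gpgconf --kill gpg-agent
    rm -rf "$scratch"
}

if command -v gpg >/dev/null 2>&1; then rehearse; fi
```

Generating two 4096-bit RSA keys takes a few seconds on a normal machine; the `--status-fd` line is the reliable way to learn the new fingerprint in a script, since the human-readable output is not meant to be parsed.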
