Advanced key generation on the command line
Werner Koch
wk at gnupg.org
Thu Jun 2 21:43:43 CEST 2016
Hi!
I tweaked the --quick-gen-key command to allow for extra parameters and
also added a --quick-addkey command. This should make the scripted
creation of non-standard keys much easier. Here is an example:
We want to create a key for bar at example.net with a primary key only
suitable for certification. That key shall expire at the final date for
all rfc4880 keys.
--8<---------------cut here---------------start------------->8---
$ gpg --yes --batch -v --passphrase abc --status-fd 2 \
--quick-gen-key bar at example.net ed25519 cert 2106-02-06
gpg: writing self signature
gpg: EDDSA/SHA256 signature from: "778A04A6 [?]"
gpg: writing public key to '[...]'
gpg: using pgp trust model
gpg: key 778A04A6 marked as ultimately trusted
[GNUPG:] KEY_CONSIDERED 23F6D3A87C021F4C5E769A32B72043E2778A04A6 0
gpg: writing to [...]
gpg: EDDSA/SHA256 signature from: "778A04A6 bar at example.net"
gpg: revocation certificate stored as [...]
[GNUPG:] KEY_CREATED P 23F6D3A87C021F4C5E769A32B72043E2778A04A6
--8<---------------cut here---------------end--------------->8---
This also demonstrates how to set a fixed passphrase (you'd better use
--passphrase-fd or --passphrase-file, though). The last status line
shows us the fingerprint of the created key, a quick awk extracts it and
we can run:
--8<---------------cut here---------------start------------->8---
$ gpg --yes --batch -v --status-fd 2 --quick-addkey \
23F6D3A87C021F4C5E769A32B72043E2778A04A6 cv25519 - 2016-12-31
[GNUPG:] KEY_CONSIDERED 23F6D3A87C021F4C5E769A32B72043E2778A04A6 0
[GNUPG:] PINENTRY_LAUNCHED 1171
gpg: writing key binding signature
gpg: EDDSA/SHA256 signature from: "778A04A6 bar at example.net"
[GNUPG:] KEY_CREATED S
--8<---------------cut here---------------end--------------->8---
This adds an encryption subkey which will expire at the end of this
year. Here we do not use a fixed passphrase, but let Pinentry do its
work. In contrast to --edit-key's "addkey" subcommand there won't be a
prompt for a new passphrase; instead the passphrase of the primary key
is used also for this subkey. Of course we also want a signing subkey.
We allow that subkey to also act as an ssh key:
--8<---------------cut here---------------start------------->8---
$ gpg --yes --batch -v --status-fd 2 --quick-addkey \
23F6D3A87C021F4C5E769A32B72043E2778A04A6 ed25519 sign,auth 2063-04-05
[GNUPG:] KEY_CONSIDERED 23F6D3A87C021F4C5E769A32B72043E2778A04A6 0
[GNUPG:] PINENTRY_LAUNCHED 1251
gpg: writing key binding signature
gpg: EDDSA/SHA256 signature from: "778A04A6 bar at example.net"
gpg: EDDSA/SHA256 signature from: "EDDE665C [?]"
[GNUPG:] KEY_CREATED S
--8<---------------cut here---------------end--------------->8---
And here is the final result:
$ gpg -K 23F6D3A87C021F4C5E769A32B72043E2778A04A6
sec ed25519/778A04A6 2016-06-02 [C] [expires: 2106-02-06]
uid [ultimate] bar at example.net
ssb cv25519/A20B4350 2016-06-02 [E] [expires: 2016-12-31]
ssb ed25519/EDDE665C 2016-06-02 [SA] [expires: 2063-04-05]
Right, the KEY_CREATED status lines for the subkey miss the fingerprint;
this will be fixed soon.
Salam-Shalom,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
/* EFH in Erkrath: https://alt-hochdahl.de/haus */
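The "quick awk" step the post leaves implicit, written out as an added example (this is not Werner's code and not part of GnuPG): a small script that pulls the primary fingerprint out of the KEY_CREATED status line and feeds it to --quick-addkey for the two subkeys. It assumes a GnuPG 2.1 with --quick-gen-key/--quick-addkey as described above, reads the passphrase from a file with --pinentry-mode loopback so it never appears on the command line, uses --status-fd 1 so the status lines can be captured cleanly, and uses relative expiry strings ("1y", "2y") instead of the post's fixed dates, which are by now in the past and would be rejected. The SAMPLE_STATUS text is constructed from the post's output; the live gpg run only happens when the script is invoked with --run, inside a throwaway GNUPGHOME.

```shell
#!/bin/sh
# Added example, not from the post: scripted creation of a certify-only
# primary key plus [E] and [SA] subkeys, driven by the KEY_CREATED status line.

# Print the fingerprint from a "[GNUPG:] KEY_CREATED P <fpr>" line on stdin.
# Only the primary-key line (type P) carries a fingerprint in this GnuPG
# version; subkey lines (type S) do not, as the post notes, so they are ignored.
key_created_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "KEY_CREATED" && $3 == "P" { print $4; exit }'
}

# Constructed sample, modelled on the post's --status-fd output.
SAMPLE_STATUS='gpg: writing self signature
[GNUPG:] KEY_CONSIDERED 23F6D3A87C021F4C5E769A32B72043E2778A04A6 0
gpg: revocation certificate stored as [...]
[GNUPG:] KEY_CREATED P 23F6D3A87C021F4C5E769A32B72043E2778A04A6'

# make_key UID PASSPHRASE_FILE
# Creates the primary key, extracts its fingerprint and adds the two subkeys.
# The subkeys reuse the primary key's passphrase, so it is supplied again via
# --passphrase-file rather than through Pinentry.
make_key() {
    uid=$1
    pass_file=$2
    status=$(gpg --batch --yes --status-fd 1 --pinentry-mode loopback \
        --passphrase-file "$pass_file" \
        --quick-gen-key "$uid" ed25519 cert 2106-02-06 2>/dev/null) || return 1
    fpr=$(printf '%s\n' "$status" | key_created_fpr)
    if [ -z "$fpr" ]; then
        echo "make_key: no KEY_CREATED P status line found" >&2
        return 1
    fi
    # Encryption subkey; "-" selects the default usage for cv25519 (encr).
    gpg --batch --yes --pinentry-mode loopback --passphrase-file "$pass_file" \
        --quick-addkey "$fpr" cv25519 - 1y >/dev/null 2>&1 || return 1
    # Signing subkey that may also serve as an ssh (auth) key.
    gpg --batch --yes --pinentry-mode loopback --passphrase-file "$pass_file" \
        --quick-addkey "$fpr" ed25519 sign,auth 2y >/dev/null 2>&1 || return 1
    printf '%s\n' "$fpr"
}

# Offline demonstration of the parsing step on the constructed sample.
printf 'primary fingerprint from sample status: %s\n' \
    "$(printf '%s\n' "$SAMPLE_STATUS" | key_created_fpr)"

# Live run only on request, in a fresh keyring that is discarded afterwards.
if [ "${1:-}" = "--run" ]; then
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not found; skipping live run" >&2
        exit 1
    fi
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    pass_file="$GNUPGHOME/pass"
    umask 077
    printf 'abc\n' >"$pass_file"          # test passphrase, as in the post
    fpr=$(make_key "bar@example.net" "$pass_file") || exit 1
    gpg -K "$fpr"                          # expect [C], [E] and [SA] entries
    rm -rf "$GNUPGHOME"
fi
```

Run it as `sh make-key.sh --run` to exercise gpg; without the flag it only shows the awk extraction on the sample lines. If the gpg-agent in use does not permit loopback pinentry, add `allow-loopback-pinentry` to gpg-agent.conf or drop the --pinentry-mode/--passphrase-file options and let Pinentry prompt as in the post.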