gen-key non-interactively

Werner Koch wk at
Thu Feb 8 17:13:13 CET 2007

On Thu,  8 Feb 2007 10:59, markybob at said:

> I'm wanting to pass all of the information that gpg needs to create a
> key (key size, type, expiration, userid, etc) initially and not have
> gpg keep pausing to ask the user.  I've read the man page, read gpg
> --help, googled, and I still cant figure out how to pass those things
> to gpg while using --gen-key.  Any help would be *greatly*

Check out the file DETAILS.  It should explain everything.  I have
copied the section below.



Unattended key generation
This feature allows unattended generation of keys controlled by a
parameter file.  To use this feature, you use --gen-key together with
--batch and feed the parameters either from stdin or from a file given
on the commandline.

The format of this file is as follows:
  o Text only, line length is limited to about 1000 chars.
  o You must use UTF-8 encoding to specify non-ascii characters.
  o Empty lines are ignored.
  o Leading and trailing spaces are ignored.
  o A hash sign as the first non white space character indicates a comment line.
  o Control statements are indicated by a leading percent sign, the
    arguments are separated by white space from the keyword.
  o Parameters are specified by a keyword, followed by a colon.  Arguments
    are separated by white space.
  o The first parameter must be "Key-Type", control statements
    may be placed anywhere.
  o Key generation takes place when either the end of the parameter file
    is reached, the next "Key-Type" parameter is encountered or at the
    control statement "%commit"
  o Control statements:
    %echo <text>
        Print <text>.
    %dry-run
        Suppress actual key generation (useful for syntax checking).
    %commit
        Perform the key generation.  An implicit commit is done
        at the next "Key-Type" parameter.
    %pubring <filename>
    %secring <filename>
        Do not write the key to the default or commandline given
        keyring but to <filename>.  This must be given before the first
        commit to take place, duplicate specification of the same filename
        is ignored, the last filename before a commit is used.
        The filename is used until a new filename is used (at commit points)
        and all keys are written to that file.  If a new filename is given,
        this file is created (and overwrites an existing one).
        Both control statements must be given.
  o The order of the parameters does not matter except for "Key-Type"
    which must be the first parameter.  The parameters are only for the
    generated keyblock and parameters from previous key generations are not
    used.  Some syntactic checks may be performed.
    The currently defined parameters are:
     Key-Type: <algo-number>|<algo-string>
	Starts a new parameter block by giving the type of the
	primary key. The algorithm must be capable of signing.
	This is a required parameter.
     Key-Length: <length-in-bits>
	Length of the key in bits.  Default is 1024.
     Key-Usage: <usage-list>
        Space or comma delimited list of key usage, allowed values are
        "encrypt", "sign", and "auth".  This is used to generate the
        key flags.  Please make sure that the algorithm is capable of
        this usage.  Note that OpenPGP requires that all primary keys
        are capable of certification, so no matter what usage is given
        here, the "cert" flag will be on.  If no Key-Usage is
        specified, all the allowed usages for that particular
        algorithm are used.
     Subkey-Type: <algo-number>|<algo-string>
	This generates a secondary key.  Currently only one subkey
	can be handled.
     Subkey-Length: <length-in-bits>
	Length of the subkey in bits.  Default is 1024.
     Subkey-Usage: <usage-list>
        Similar to Key-Usage.
     Passphrase: <string>
        If you want to specify a passphrase for the secret key,
        enter it here.  Default is not to use any passphrase.
     Name-Real: <string>
     Name-Comment: <string>
     Name-Email: <string>
        The three parts of the user ID.  Remember to use UTF-8 here.
        If you don't give any of them, no user ID is created.
     Expire-Date: <iso-date>|(<number>[d|w|m|y])
        Set the expiration date for the key (and the subkey).  It
        may either be entered in ISO date format (2000-08-15) or as a
        number of days, weeks, months or years.  Without a letter, days
        are assumed.
     Preferences: <string>
        Set the cipher, hash, and compression preference values for
	this key.  This expects the same type of string as "setpref"
	in the --edit menu.
     Revoker: <algo>:<fpr> [sensitive]
        Add a designated revoker to the generated key.  Algo is the
        public key algorithm of the designated revoker (e.g. RSA=1,
        DSA=17).  Fpr is the fingerprint of the designated
        revoker.  The optional "sensitive" flag marks the designated
        revoker as sensitive information.  Only v4 keys may be
        designated revokers.
     Handle: <string>
        This is an optional parameter only used with the status lines
        KEY_CREATED and KEY_NOT_CREATED.  STRING may be up to 100
        characters and should not contain spaces.  It is useful for
        batch key generation to associate a key parameter block with a
        status line.
     Keyserver: <string>
        This is an optional parameter that specifies the preferred
        keyserver URL for the key.

Here is an example:
$ cat >foo <<EOF
     %echo Generating a standard key
     Key-Type: DSA
     Key-Length: 1024
     Subkey-Type: ELG-E
     Subkey-Length: 1024
     Name-Real: Joe Tester
     Name-Comment: with stupid passphrase
     Name-Email: joe at
     Expire-Date: 0
     Passphrase: abc
     # Both keyring statements are required; the %pubring line was lost in
     # this copy and the name foo.pub is assumed to go with foo.sec
     %pubring foo.pub
     %secring foo.sec
     # Do a commit here, so that we can later print "done" :-)
     %commit
     %echo done
EOF
$ gpg --batch --gen-key foo
$ gpg --no-default-keyring --secret-keyring ./foo.sec \
                                  --keyring ./foo.pub --list-secret-keys
sec  1024D/915A878D 2000-03-09 Joe Tester (with stupid passphrase) <joe at>
ssb  1024g/8F70E2C0 2000-03-09
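The parameter-file rules quoted above, turned into a small parser and linter.  This is an added example, not code from Werner's mail, from the DETAILS file or from GnuPG itself.  It reads a file in the quoted format, splits it into key blocks at the commit points the text defines (the next "Key-Type", "%commit", or end of file) and reports the mistakes that would otherwise only surface when gpg runs: a parameter before the first "Key-Type", an unknown control statement or parameter, a usage value outside encrypt/sign/auth, a malformed Expire-Date, a Handle with spaces, a block with no Name-* line, and a Passphrase sitting in clear text in the file.  The two sample inputs are constructed for this example; the "joe@example.invalid" address and the linter's warning texts are the example's own.

```python
# Parser and linter for GnuPG --batch --gen-key parameter files.  Added
# example, not code from GnuPG or from the DETAILS file quoted above.  It
# applies the quoted syntax rules: blank lines and leading/trailing space
# are ignored, '#' starts a comment, '%' a control statement, and a key
# block opened by Key-Type ends at the next Key-Type, at %commit, or at
# end of file.  The sample inputs below are constructed for this example.
import re
from dataclasses import dataclass, field

ALLOWED_USAGE = {"encrypt", "sign", "auth"}
KNOWN_PARAMS = {"Key-Type", "Key-Length", "Key-Usage", "Subkey-Type",
                "Subkey-Length", "Subkey-Usage", "Passphrase", "Name-Real",
                "Name-Comment", "Name-Email", "Expire-Date", "Preferences",
                "Revoker", "Handle", "Keyserver"}
KNOWN_CONTROLS = {"echo", "dry-run", "commit", "pubring", "secring"}
EXPIRE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}|\d+[dwmy]?)$")  # ISO date or <n>[dwmy]


@dataclass
class Block:
    line_no: int                           # line of the Key-Type that opened it
    params: dict = field(default_factory=dict)


def check_block(block):
    """Lint one committed key block against the rules given for each parameter."""
    p, where, w = block.params, f"block at line {block.line_no}", []
    for key in ("Key-Usage", "Subkey-Usage"):      # space or comma delimited
        bad = {u for u in re.split(r"[\s,]+", p.get(key, "")) if u} - ALLOWED_USAGE
        if bad:
            w.append(f"{where}: {key} has unknown usage {sorted(bad)}")
    if "Expire-Date" in p and not EXPIRE_RE.match(p["Expire-Date"]):
        w.append(f"{where}: Expire-Date is not an ISO date or <number>[d|w|m|y]")
    if not any(k in p for k in ("Name-Real", "Name-Comment", "Name-Email")):
        w.append(f"{where}: no Name-* parameter, so no user ID will be created")
    if "Passphrase" in p:
        w.append(f"{where}: Passphrase is stored in clear text in this file; "
                 "restrict its permissions and delete it after use")
    if "Handle" in p and (len(p["Handle"]) > 100 or " " in p["Handle"]):
        w.append(f"{where}: Handle must be at most 100 chars without spaces")
    return w


def parse_parameter_file(text):
    """Return (blocks, control statements, warnings) for a parameter file."""
    blocks, controls, warnings, current = [], [], [], None

    def commit():                                   # explicit, implicit or EOF
        nonlocal current
        if current is not None:
            warnings.extend(check_block(current))
            blocks.append(current)
            current = None

    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                # empty or comment line
        if line.startswith("%"):                    # control statement
            parts = line[1:].split(None, 1) or [""]
            keyword, arg = parts[0], (parts[1] if len(parts) > 1 else "")
            if keyword not in KNOWN_CONTROLS:
                warnings.append(f"line {n}: unknown control statement %{keyword}")
            controls.append((n, keyword, arg))
            if keyword == "commit":
                commit()
            continue
        keyword, sep, arg = (s.strip() for s in line.partition(":"))
        if not sep:
            warnings.append(f"line {n}: not a parameter (missing colon)")
            continue
        if keyword == "Key-Type":
            commit()                                # implicit commit
            current = Block(line_no=n)
        elif current is None:
            warnings.append(f"line {n}: {keyword} before the first Key-Type")
            continue
        if keyword not in KNOWN_PARAMS:
            warnings.append(f"line {n}: unknown parameter {keyword}")
        current.params[keyword] = arg
    commit()                                        # end of file commits too
    return blocks, controls, warnings


# Constructed samples: one clean file and one with typical mistakes.
GOOD = """\
%echo Generating a standard key
Key-Type: DSA
Key-Length: 1024
Subkey-Type: ELG-E
Name-Real: Joe Tester
Name-Email: joe@example.invalid
Expire-Date: 0
Passphrase: abc
%pubring foo.pub
%secring foo.sec
%commit
"""
BROKEN = """\
Key-Length: 2048
Key-Type: RSA
Key-Usage: sign,encrpyt
Expire-Date: 2y
Handle: has space
Key-Type: DSA
%dryrun
"""

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BROKEN", BROKEN)):
        blocks, controls, warnings = parse_parameter_file(text)
        print(f"{name}: {len(blocks)} block(s), {len(controls)} control(s)")
        for msg in warnings:
            print("  ", msg)
```

Run it as a pre-flight check before handing the file to gpg --batch --gen-key, or pair it with the %dry-run statement, which asks gpg itself to parse the file without creating keys.  The clear-text Passphrase warning is the one worth acting on in any automated pipeline: the parameter file holds the secret-key passphrase, so it needs the same handling as the secret keyring it protects.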
