Automating the generation of master keys

Aurélien Vallée vallee.aurelien at
Wed Jun 1 10:56:35 CEST 2016


I would like to automate the generation of GPG master keys (I have hundreds
of smartcards to configure for employees). I'm using the default GPG from
CentOS 7 (gnupg 2.0.22).

Ideally, I would like to have:
- 1 masterkey with only the "certify" usage, stored offline.
- 1 subkey with only "encryption" usage, backuped offline, imported on the
- 1 subkey with only "authenticate" usage, generated on the smartcard.
- 1 subkey with only "sign" usage, generated on the smartcard.

I guess this is a rather regular setup.

Now my users are not super tech-savvy, so ideally I would like to generate
the initial keys and configure the smart card before giving them.

I first tried to generate the master keys using the batch mode, but I can't
find a way to generate master keys with only "certify" usage.

Quoting the documentation:

Key-Usage: usage-list

Space or comma delimited list of key usages. Allowed values are ‘encrypt’,
> ‘sign’, and ‘auth’.

This is used to generate the key flags. Please make sure that the algorithm
> is capable of this usage. Note that OpenPGP requires that all primary keys
> are capable of certification, so no matter what usage is given here, the
> ‘cert’ flag will be on. If no ‘Key-Usage’ is specified and the ‘Key-Type’
> is not ‘default’, all allowed usages for that particular algorithm are
> used; if it is not given but ‘default’ is used the usage will be ‘sign’.

So "cert" is a default for primary-keys. If I do not provide any
"Key-Usage", all usages will be set. If I do provide a "Key-Usage", then my
master key is not "certify only" anymore.

Is there something I missed here?

Currently, I fallback to writing an expect script to automate the key
generation. The handling of passphrases input with possibly different
pinentry programs makes the expect script insane to read and fragile in

Any help or advice greatly appreciated!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20160601/4596c9b8/attachment.html>

More information about the Gnupg-users mailing list