Subkey Generation / SmartCard

David Gueguen davidgueguen2000 at
Sat Apr 15 09:25:48 CEST 2017

Hello Christoph,

with new gpg version version (>2.15) you can more easily generates sub keys

* Herafter are add subkeys to main keyring $key_id each with RSA1024 and
1 for Sign, 1 for Encrypt, 1 for Auth

 echo $var_pass_poem | gpg2 --no-verbose --pinentry-mode loopback
--batch --no-tty --yes --passphrase-fd 0 --quick-addkey --passphrase ''
$key_id rsa1024 sign 1y

  echo $var_pass_poem | gpg2 --no-verbose --pinentry-mode loopback
--batch --no-tty --yes --passphrase-fd 0 --quick-addkey --passphrase ''
$key_id rsa1024 encrypt 1y

  echo $var_pass_poem | gpg2 --no-verbose --pinentry-mode loopback
--batch --no-tty --yes --passphrase-fd 0 --quick-addkey --passphrase ''
$key_id rsa1024 auth 1y

the " echo $var_pass_poem | " trick allow you to enter the pass poem as
variable and then to not have any keyboard interaction

* Here is the automated keytocard (with keyboard interaction) check that
the exported keys are the good ones ...

  local cmd="key 2\nkeytocard\n1\ny\nkey 2\nkey 3\nkeytocard\n2\ny\nkey
3\nkey 4\nkeytocard\n3\ny\nsave\nY\n"

  echo -e $cmd | gpg2 --no-verbose --command-fd 0 --status-fd 2
--edit-key $key_id

* btw: here is how I generate main keyring:
echo "
    Key-Type:         $var_key_type
    Key-Usage:        sign cert
    Key-Length:       $var_key_lenght
    Subkey-Type:      $var_key_type
    Subkey-Usage:     encrypt
    Subkey-Length:    $var_key_lenght
    Name-Real:        $var_name
    Name-Comment:     $var_comment
    Name-Email:       $var_mail
    Keyserver:        $var_web_path
    Expire-Date:      $var_expiracy
    Passphrase:       $var_pass_poem
    Preferences:      $var_pref
  " > gen_key_script  # creating SC and E keys
gpg2 --batch --full-gen-key gen_key_script

I am also trying to make gpg card ready to go in a automated way

Hope this helps,
Best rgds,

On 14/04/2017 20:47, Christoph J wrote:
> I am trying to batch provision yubikeys.
> Using the --batch, I can generate the initial key, but I am unable to
> add more than a single subkey.
> Is there a way to batch provision subkeys, specifying the usage
> (signing, encryption, auth) without havi

ng to go into --edit-key /
> interactive mode?
> On the same topic, is there a way to do 'keytocard', again without
> having to do --edit-key --> toggle --> keytocard interactively?
> Any insight on this would be most helpful. Thanks!
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at

More information about the Gnupg-users mailing list