Before getting started, make sure you have configured your Yubikey with PINs that you have assigned and not the default PINs that come with the Yubikey.
This guide requires one device from any of the following categories:
❊ Before You Start
We highly recommend that, before continuing with this guide, you view the GPG Introduction page for a brief description of what GPG keys do and the differences between YubiKey-generated and software-generated keys. It only takes a minute.
❊ Generating Keys
MASTER KEY [C]
Launch Command Prompt, Terminal, or Powershell.
Run command:
gpg --expert --full-generate-key
You will see a list of options:
Please select what kind of key you want:
(1) RSA and RSA
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(7) DSA (set your own capabilities)
> (8) RSA (set your own capabilities)
(9) ECC (sign and encrypt) *default*
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(13) Existing key
(14) Existing key from card
Select (8) RSA (set your own capabilities)
You will be asked a series of questions. Select the options below:
Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Sign Certify Encrypt
(S) Toggle the sign capability
> (E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? E
Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Sign Certify
> (S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? S
Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Certify
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
> (Q) Finished
Your selection? Q
When asked for the desired key size, select 4096
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Specify when you want the key to expire:
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
Enter your name, email address, and a comment for the key:
GnuPG needs to construct a user ID to identify your key.
Real name: Your Name
Email address: your@emailaddress.com
Comment: A comment to recognize your key
GPG will then confirm your answers:
You selected this USER-ID:
"Oort <johndoe@email.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
Select O for (O)kay
You will be prompted for a password / passphrase either via a dialog box like the screenshot below, or in the console window:
Create a strong passphrase and press OK.
If you create a weak password, it will warn you to change it.
GPG will request you to move your mouse:
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
Simply move your mouse, open/close windows. Do as many actions on your device as you can while it generates to help with entropy.
The system will output the path to your revocation certificate. Keep a copy of this file somewhere safe; it is what lets you revoke the key later if you lose control of it.
gpg: revocation certificate stored as 'C:\\Users\\aetherinox\\AppData\\Roaming\\gnupg\\openpgp-revocs.d\\848103E9F1FFEC33DDD58C2B161C667B11784BF7.rev'
public and secret key created and signed.
GPG will display your generated key:
pub rsa4096 2023-01-31 [C]
848103E9F1FFEC33DDD58C2B161C667B11784BF7
uid John Doe (My demo key) <johndoe@email.com>
You'll notice that this is only the [C]ertify key. We're missing [A]uthentication, [S]ignature and [E]ncryption.
SUBKEY [S]
Next, create a subkey with the [S]ignature capability.
Take note of the key id shown in the console. In this example we'll use 848103E9F1FFEC33DDD58C2B161C667B11784BF7. Open the key for editing (the --expert flag is needed for the "set your own capabilities" option used below):
gpg --expert --edit-key 848103E9F1FFEC33DDD58C2B161C667B11784BF7
The console will enter gpg edit mode and show your key info:
sec rsa4096/161C667B11784BF7
created: 2023-01-31 expires: never usage: C
trust: ultimate validity: ultimate
[ultimate] (1). John Doe (My demo key) <johndoe@email.com>
gpg>
Execute command:
addkey
You will be presented with a list of options:
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(12) ECC (encrypt only)
(13) Existing key
(14) Existing key from card
Select (4) RSA (sign only)
You will then be asked for a key size. Enter 4096
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Set an expiration time:
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Confirm your changes.
You will be prompted for the passphrase you chose when you created the master key in the steps above. Enter that passphrase.
Move your mouse around to generate entropy.
We now have a master key [C]ertify and one subkey [S]ignature:
sec rsa4096/161C667B11784BF7
created: 2023-01-31 expires: never usage: C
trust: ultimate validity: ultimate
ssb rsa4096/88614F297B2B2542
created: 2023-01-31 expires: never usage: S
[ultimate] (1). John Doe (My demo key) <johndoe@email.com>
SUBKEY [E]
Create a subkey with the [E]ncryption capability.
Execute the command:
addkey
You will be presented with a list of options:
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(12) ECC (encrypt only)
(13) Existing key
(14) Existing key from card
Select (6) RSA (encrypt only)
For key size, enter 4096
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Select an expiration time:
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Confirm your changes.
You will be prompted for the passphrase you chose when you created the master key in the steps above. Enter that passphrase.
Move your mouse to generate entropy.
We now have a master key [C]ertify and two subkeys, [S]ignature and [E]ncryption:
sec rsa4096/161C667B11784BF7
created: 2023-01-31 expires: never usage: C
trust: ultimate validity: ultimate
ssb rsa4096/88614F297B2B2542
created: 2023-01-31 expires: never usage: S
ssb rsa4096/3272622E5D653058
created: 2023-01-31 expires: never usage: E
[ultimate] (1). John Doe (My demo key) <johndoe@email.com>
SUBKEY [A]
Create a subkey with the [A]uthenticate capability.
Execute the command:
addkey
Select the options shown below:
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(7) DSA (set your own capabilities)
> (8) RSA (set your own capabilities)
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(12) ECC (encrypt only)
(13) Existing key
(14) Existing key from card
Your selection? 8
Possible actions for this RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt
> (S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? S
Possible actions for this RSA key: Sign Encrypt Authenticate
Current allowed actions: Encrypt
(S) Toggle the sign capability
> (E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? E
Possible actions for this RSA key: Sign Encrypt Authenticate
Current allowed actions:
(S) Toggle the sign capability
(E) Toggle the encrypt capability
> (A) Toggle the authenticate capability
(Q) Finished
Your selection? A
Possible actions for this RSA key: Sign Encrypt Authenticate
Current allowed actions: Authenticate
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
> (Q) Finished
Your selection? Q
For key size, enter 4096
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Select an expiration time:
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0
Confirm your changes.
You will be prompted for the passphrase you chose when you created the master key in the steps above. Enter that passphrase.
Move your mouse around to generate entropy.
Your list should look similar to the following:
sec rsa4096/161C667B11784BF7
created: 2023-01-31 expires: never usage: C
trust: ultimate validity: ultimate
ssb rsa4096/88614F297B2B2542
created: 2023-01-31 expires: never usage: S
ssb rsa4096/3272622E5D653058
created: 2023-01-31 expires: never usage: E
ssb rsa4096/F8BD0C1A3EB787A2
created: 2023-01-31 expires: never usage: A
[ultimate] (1). John Doe (My demo key) <johndoe@email.com>
Type save, then the word quit.
❊ Overview
You now have a GPG key pair with one master key strictly assigned to certify any new subkeys in the future, and three subkeys.
Key ID            Type              Capability
Master
161C667B11784BF7  [sec] Secret Key  Certify
Sub
88614F297B2B2542  [ssb] Secret Sub  Sign
3272622E5D653058  [ssb] Secret Sub  Encrypt
F8BD0C1A3EB787A2  [ssb] Secret Sub  Authenticate
❊ Export
Export your keys to a location on your device with the command:
When exporting your SSH public key, you can pass either your master key id or the id of your [A]uthenticate subkey. The [S] and [E] subkeys cannot be exported as SSH keys.
UPLOAD TO KEYSERVER
To upload your GPG key to an online keyserver, you can use one of the following commands. Be sure to replace 11784BF7 with your master key id.
If you'd prefer to upload your exported GPG key through a keyserver's web interface, check out the list of keyserver websites on the GPG Introduction page.
❊ Import to Yubikey
Unlike with the PIV interface, there is no GUI (graphical user interface) program such as YubiKey Manager that lets you import your GPG keys directly.
Select your method of importing:
This section uses the gpg command line to generate keys. Be sure to have GPG installed. If unsure, read the .