⭕With Commandline

Instructions on generating GPG keys using the gpg command-line.

Before getting started, make sure you have configured your Yubikey with PINs that you have assigned and not the default PINs that come with the Yubikey.

Read about configuring your GPG PINs here.

This guide requires one device of any in the following categories:

❊ Before You Start

We highly recommend before continuing with this guide that you view the GPG Introduction page for a brief description of what GPG keys do and the differences between Yubikey vs Software generated keys. It only takes a minute.

❊ Generating Keys

This section utilizing the gpg command-line to generate keys. Be sure to have GPG installed. If unsure, read the GPG installation guide.

MASTER KEY [C]

Launch Command Prompt, Terminal, or Powershell.

Run command:

gpg --expert --full-generate-key

You will see a list of options:

Please select what kind of key you want:
   (1) RSA and RSA
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
>  (8) RSA (set your own capabilities)
   (9) ECC (sign and encrypt) *default*
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (13) Existing key
  (14) Existing key from card

Select (8) RSA (set your own capabilities)

You will be asked a series of questions. Select the options below:

Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Sign Certify Encrypt

   (S) Toggle the sign capability
>  (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? E

Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Sign Certify

>  (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? S

Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Certify

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
>  (Q) Finished

Your selection? Q

When asked for the desired key size, select 4096

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096

Specify when you want the key to expire:

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
    
Key is valid for? (0)    0

Key does not expire at all

Is this correct? (y/N)    y

Enter your name, email address, and a comment for the key:

GnuPG needs to construct a user ID to identify your key.

Real name:           Your Name
Email address:       your@emailaddress.com
Comment:             A comment to recognize your key

GPG will then confirm your answers:

You selected this USER-ID:
    "Oort <johndoe@email.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

Select O for (O)kay

You will be prompted for a password / passphrase either via a dialog box like the screenshot below, or in the console window:

Create a strong passphrase and press OK.

If you create a weak password, it will warn you to change it.

GPG will request you to move your mouse:

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

Simply move your mouse, open/close windows. Do as many actions on your device as you can while it generates to help with entropy.

The system will output a path to your revocation certificate. Save this file somewhere.

gpg: revocation certificate stored as 'C:\\Users\\aetherinox\\AppData\\Roaming\\gnupg\\openpgp-revocs.d\\848103E9F1FFEC33DDD58C2B161C667B11784BF7.rev'
public and secret key created and signed.

GPG will display your generated key:

pub   rsa4096 2023-01-31 [C]
      848103E9F1FFEC33DDD58C2B161C667B11784BF7
uid                      John Doe (My demo key) <johndoe@email.com>

You'll notice that this is only the [C]ertify key. We're missing [A]uthentication, [S]ignature and [E]ncryption.

SUBKEY [S]

Next, create a subkey with the [S]ignature capability.

Take note of the key id that is provided in the console. In this example we'll use 848103E9F1FFEC33DDD58C2B161C667B11784BF7

Execute command:

gpg --expert --edit-key 848103E9F1FFEC33DDD58C2B161C667B11784BF7

Console will go into gpg edit mode and show your key info:

sec  rsa4096/161C667B11784BF7
     created: 2023-01-31  expires: never       usage: C
     trust: ultimate      validity: ultimate

[ultimate] (1). John Doe (My demo key) <johndoe@email.com>

gpg>

Execute command:

addkey

You will be presented with a list of options:

Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
  (14) Existing key from card

Select (4) RSA (sign only)

You will then be asked for a key size. Enter 4096

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096

Set an expiration time:

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
      
Key is valid for? (0) 0

Confirm your changes.

You will be prompted to enter the passphrase you selected when you made the Masterkey in the steps above. Enter that passphrase.

Move your mouse around to generate entropy.

We now have a master key [C]ertify, and one sub key [S]ignature:

sec  rsa4096/161C667B11784BF7
     created: 2023-01-31  expires: never       usage: C
     trust: ultimate      validity: ultimate

ssb  rsa4096/88614F297B2B2542
     created: 2023-01-31  expires: never       usage: S

[ultimate] (1). John Doe (My demo key) <johndoe@email.com>

SUBKEY [E]

Create a subkey with the [E]ncryption capability.

Execute the command:

addkey

You will be presented with a list of options:

Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
  (14) Existing key from card

Select (6) RSA (encrypt only)

For key size, enter 4096

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096

Select an expiration time:

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
      
Key is valid for? (0) 0

Confirm your changes.

You will be prompted to enter the passphrase you selected when you made the Masterkey in the steps above. Enter that passphrase.

Move your mouse to generate entropy.

We now have a master key [C]ertify, and two sub keys [S]ignature, [E]ncryption:

sec  rsa4096/161C667B11784BF7
     created: 2023-01-31  expires: never       usage: C
     trust: ultimate      validity: ultimate
     
ssb  rsa4096/88614F297B2B2542
     created: 2023-01-31  expires: never       usage: S
     
ssb  rsa4096/3272622E5D653058
     created: 2023-01-31  expires: never       usage: E
     
[ultimate] (1). John Doe (My demo key) <johndoe@email.com>

SUBKEY [A]

Create a subkey with the [A]uthenticate capability.

Execute the command:

addkey

Select the options pasted below:

Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
>  (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
  (14) Existing key from card
  
Your selection? 8

Possible actions for this RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt

>  (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? S

Possible actions for this RSA key: Sign Encrypt Authenticate
Current allowed actions: Encrypt

   (S) Toggle the sign capability
>  (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? E

Possible actions for this RSA key: Sign Encrypt Authenticate
Current allowed actions:

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
>  (A) Toggle the authenticate capability
   (Q) Finished

Your selection? A

Possible actions for this RSA key: Sign Encrypt Authenticate
Current allowed actions: Authenticate

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
>  (Q) Finished

Your selection? Q

Select (6) RSA (encrypt only)

For key size, enter 4096

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096

Select an expiration time:

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
      
Key is valid for? (0) 0

Confirm your changes.

You will be prompted to enter the passphrase you selected when you made the Masterkey in the steps above. Enter that passphrase.

Move your mouse around to generate entropy.

Your list should look similar to the following:

sec  rsa4096 / 161C667B11784BF7
     created:  2023-01-31  expires: never       usage: C
     trust:    ultimate    validity: ultimate
     
ssb  rsa4096 / 88614F297B2B2542
     created:  2023-01-31  expires: never       usage: S
     
ssb  rsa4096 / 3272622E5D653058
     created:  2023-01-31  expires: never       usage: E
     
ssb  rsa4096 / F8BD0C1A3EB787A2
     created:  2023-01-31  expires: never       usage: A
     
[ultimate] (1). John Doe (My demo key) <johndoe@email.com>

Type save and the word quit

❊ Overview

You now have a GPG key pair with one master key strictly assigned to certify any new subkeys in the future, and three subkeys.

Key ID

Type

Capability

Master

Sub

161C667B11784BF7

[sec] Secret Key

Certify

88614F297B2B2542

[ssb] Secret Sub

Sign

3272622E5D653058

[ssb] Secret Sub

Encrypt

F8BD0C1A3EB787A2

[ssb] Secret Sub

Authenticate

❊ Export

Export your keys to a location on your device with the command:

gpg --list-secret-keys --keyid-format=short

A list of your keys will appear:

sec   rsa4096/11784BF7 2023-01-31 [C]
      848103E9F1FFEC33DDD58C2B161C667B11784BF7
uid         [ultimate] John Doe (My demo key) <johndoe@email.com>
ssb   rsa4096/7B2B2542 2023-01-31 [S]
ssb   rsa4096/5D653058 2023-01-31 [E]
ssb   rsa4096/3EB787A2 2023-01-31 [A]

Copy the key id on the top key labeled sec

PUBLIC KEY

Export your public key, enter your key id and tell the command where to export:

gpg --output "C:\path\yourkey_pub.gpg" --export 11784BF7

PRIVATE KEY

Export your private key, enter your key id and tell the command where to export:

gpg --output "C:\path\yourkey_priv.gpg" --export-secret-key 11784BF7

Take note of the command difference between exporting your public and private keys.

To export your public key, use the command --export To export your private key, use the command --export-secret-key

SUBKEY

To export a subkey, use the command below and change the path / key id.

gpg --output "C:\path\yourkey_subkey_priv.gpg" --export-secret-subkeys 7B2B2542
gpg --output "C:\path\yourkey_subkey_priv.gpg" --export-secret-subkeys 5D653058
gpg --output "C:\path\yourkey_subkey_priv.gpg" --export-secret-subkeys 3EB787A2

OPENSSH

Export your SSH key, copy your master key id and execute:

gpg --output "C:\path\yourkey_ssh_rsa.pub" --export-ssh-key 11784BF7

When exporting your SSH key, you can use either your master key id, or your [A]uthenticate key id. You cannot export an SSH key using the [S] and [E] keys.

UPLOAD TO KEYSERVER

To upload your GPG key to an online keyserver; you can utilize one of the following commands. Be sure to replace 11784BF7 with your master key id.

gpg --send-key 11784BF7
gpg --keyserver pgp.mit.edu --send-key 11784BF7
gpg --keyserver keys.gnupg.net --send-key 11784BF7
gpg --keyserver hkps://keyserver.ubuntu.com:443 --send-key 11784BF7

If you'd like to upload your exported GPG key to a keyserver using a physical interface, check out the list of keyserver websites on the GPG Introduction page.

❊ Import to Yubikey

Unlike the PIV interface, there is no GUI (graphical user interface) that allows you to directly import your GPG keys using a program such as Yubikey Manager.

Select your method of importing:

⭕With Commandline ⭕With Kleopatra

PreviousWith Yubikey NextWith Kleopatra

Last updated 2 years ago

Was this helpful?