# With Commandline

<figure><img src="/files/ON59pyRuDUGf4oVP3x3e" alt=""><figcaption></figcaption></figure>

{% hint style="info" %}
Before getting started, make sure you have configured your Yubikey with PINs that you have assigned and not the default PINs that come with the Yubikey.

\
[**Read about configuring your GPG PINs here.**](/yubikey5/gpg/getting-started/2.-pins.md)
{% endhint %}

{% hint style="info" %}
This guide requires one device of any in the following categories:

* [x] [YubiKey 5 Series](https://www.yubico.com/store/#yubikey-5-series)
* [x] [YubiKey 5 FIPS Series](https://www.yubico.com/store/#yubikey-5-fips-series)
{% endhint %}

## <mark style="color:red;">❊ Before You Start</mark>

We highly recommend before continuing with this guide that you view the [**GPG Introduction**](/yubikey5/gpg/generate-keys/introduction.md) page for a brief description of what GPG keys do and the differences between Yubikey vs Software generated keys. It only takes a minute.

## <mark style="color:red;">❊ Generating Keys</mark>

This section uses the <mark style="color:red;">**gpg command-line**</mark> to generate keys. Be sure to have GPG installed. If unsure, read the [**GPG installation guide**](/yubikey5/guides/setting-up-cli-gpg.md).

### <mark style="color:blue;">MASTER KEY \[C]</mark>

Launch <mark style="color:blue;">**Command Prompt**</mark>, <mark style="color:blue;">**Terminal**</mark>, or <mark style="color:blue;">**Powershell**</mark>.

Run command:

```
gpg --expert --full-generate-key
```

You will see a list of options:

```properties
Please select what kind of key you want:
   (1) RSA and RSA
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
>  (8) RSA (set your own capabilities)
   (9) ECC (sign and encrypt) *default*
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (13) Existing key
  (14) Existing key from card
```

Select <mark style="color:blue;">**`(8) RSA (set your own capabilities)`**</mark>

You will be asked a series of questions. Select the options below:

```properties
Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Sign Certify Encrypt

   (S) Toggle the sign capability
>  (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? E

Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Sign Certify

>  (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? S

Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Certify

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
>  (Q) Finished

Your selection? Q
```

When asked for the desired key size, select <mark style="color:blue;">**`4096`**</mark>

```properties
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
```

Specify when you want the key to expire:

```properties
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
    
Key is valid for? (0)    0

Key does not expire at all

Is this correct? (y/N)    y
```

Enter your name, email address, and a comment for the key:

```properties
GnuPG needs to construct a user ID to identify your key.

Real name:           Your Name
Email address:       your@emailaddress.com
Comment:             A comment to recognize your key
```

GPG will then confirm your answers:

```properties
You selected this USER-ID:
    "Oort <johndoe@email.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
```

Select <mark style="color:blue;">**`O`**</mark> for <mark style="color:blue;">**`(O)kay`**</mark>

You will be prompted for a password / passphrase either via a dialog box like the screenshot below, or in the console window:

<figure><img src="/files/7mxsJ73xIT2WL0rlvaov" alt=""><figcaption></figcaption></figure>

Create a strong passphrase and press OK.

If you create a weak password, it will warn you to change it.

GPG will request you to move your mouse:

```properties
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
```

Simply move your mouse, open/close windows. Do as many actions on your device as you can while it generates to help with entropy.

The system will output a path to your revocation certificate. Save this file somewhere.

```properties
gpg: revocation certificate stored as 'C:\Users\aetherinox\AppData\Roaming\gnupg\openpgp-revocs.d\848103E9F1FFEC33DDD58C2B161C667B11784BF7.rev'
public and secret key created and signed.
```

GPG will display your generated key:

```sass
pub   rsa4096 2023-01-31 [C]
      848103E9F1FFEC33DDD58C2B161C667B11784BF7
uid                      John Doe (My demo key) <johndoe@email.com>
```

You'll notice that this is only the <mark style="color:orange;">**`[C]`**</mark>ertify key. We're missing <mark style="color:blue;">**`[A]`**</mark>uthentication, <mark style="color:yellow;">**`[S]`**</mark>ignature and <mark style="color:green;">**`[E]`**</mark>ncryption.

### <mark style="color:blue;">SUBKEY \[S]</mark>

Next, create a subkey with the <mark style="color:yellow;">**`[S]ignature`**</mark> capability.

Take note of the <mark style="color:blue;">**`key id`**</mark> (the 40-character fingerprint) that was printed in the console. In this example we'll use <mark style="color:blue;">**`848103E9F1FFEC33DDD58C2B161C667B11784BF7`**</mark>

Execute command:

```
gpg --expert --edit-key 848103E9F1FFEC33DDD58C2B161C667B11784BF7
```

Console will go into gpg edit mode and show your key info:

```sass
sec  rsa4096/161C667B11784BF7
     created: 2023-01-31  expires: never       usage: C
     trust: ultimate      validity: ultimate

[ultimate] (1). John Doe (My demo key) <johndoe@email.com>

gpg>
```

Execute command:

```
addkey
```

You will be presented with a list of options:

```properties
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
  (14) Existing key from card
```

Select <mark style="color:blue;">**`(4) RSA (sign only)`**</mark>

You will then be asked for a key size. Enter <mark style="color:blue;">**`4096`**</mark>

```
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
```

Set an expiration time:

```properties
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
      
Key is valid for? (0) 0
```

Confirm your changes.

You will be prompted to enter the passphrase you selected when you made the [**Masterkey**](#master-key-c) in the steps above. Enter that passphrase.

Move your mouse around to generate entropy.

We now have a <mark style="color:yellow;">master key</mark> <mark style="color:orange;">**`[C]ertify`**</mark>, and one <mark style="color:yellow;">sub key</mark> <mark style="color:red;">**`[S]ignature`**</mark>:

```sass
sec  rsa4096/161C667B11784BF7
     created: 2023-01-31  expires: never       usage: C
     trust: ultimate      validity: ultimate

ssb  rsa4096/88614F297B2B2542
     created: 2023-01-31  expires: never       usage: S

[ultimate] (1). John Doe (My demo key) <johndoe@email.com>
```

### <mark style="color:blue;">SUBKEY \[E]</mark>

Create a subkey with the <mark style="color:green;">**`[E]ncryption`**</mark> capability.


Execute the command:

```
addkey
```

You will be presented with a list of options:

```properties
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
  (14) Existing key from card
```

Select <mark style="color:blue;">**`(6) RSA (encrypt only)`**</mark>

For key size, enter <mark style="color:blue;">**`4096`**</mark>

```
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
```

Select an expiration time:

```properties
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
      
Key is valid for? (0) 0
```

Confirm your changes.

You will be prompted to enter the passphrase you selected when you made the [**Masterkey**](#master-key-c) in the steps above. Enter that passphrase.

Move your mouse to generate entropy.

We now have a <mark style="color:yellow;">master key</mark> <mark style="color:orange;">**`[C]ertify`**</mark>, and two <mark style="color:yellow;">sub keys</mark> <mark style="color:red;">**`[S]ignature`**</mark>, <mark style="color:green;">**`[E]ncryption`**</mark>:

```sass
sec  rsa4096/161C667B11784BF7
     created: 2023-01-31  expires: never       usage: C
     trust: ultimate      validity: ultimate
     
ssb  rsa4096/88614F297B2B2542
     created: 2023-01-31  expires: never       usage: S
     
ssb  rsa4096/3272622E5D653058
     created: 2023-01-31  expires: never       usage: E
     
[ultimate] (1). John Doe (My demo key) <johndoe@email.com>
```

### <mark style="color:blue;">SUBKEY \[A]</mark>

Create a subkey with the <mark style="color:blue;">**`[A]uthenticate`**</mark> capability.


Execute the command:

```
addkey
```

Select the options shown below: choose <mark style="color:blue;">**`(8) RSA (set your own capabilities)`**</mark>, toggle off Sign and Encrypt, toggle on Authenticate, then finish with <mark style="color:blue;">**`Q`**</mark>:

```properties
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
>  (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
  (14) Existing key from card
  
Your selection? 8

Possible actions for this RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt

>  (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? S

Possible actions for this RSA key: Sign Encrypt Authenticate
Current allowed actions: Encrypt

   (S) Toggle the sign capability
>  (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? E

Possible actions for this RSA key: Sign Encrypt Authenticate
Current allowed actions:

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
>  (A) Toggle the authenticate capability
   (Q) Finished

Your selection? A

Possible actions for this RSA key: Sign Encrypt Authenticate
Current allowed actions: Authenticate

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
>  (Q) Finished

Your selection? Q
```

Once you have finished the capability selection with <mark style="color:blue;">**`Q`**</mark>, the key has only the Authenticate capability and GPG moves on to the key size prompt.

For key size, enter <mark style="color:blue;">**`4096`**</mark>

```
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
```

Select an expiration time:

```properties
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
      
Key is valid for? (0) 0
```

Confirm your changes.

You will be prompted to enter the passphrase you selected when you made the [**Masterkey**](#master-key-c) in the steps above. Enter that passphrase.

Move your mouse around to generate entropy.

Your list should look similar to the following:

```sass
sec  rsa4096/161C667B11784BF7
     created: 2023-01-31  expires: never       usage: C
     trust: ultimate      validity: ultimate

ssb  rsa4096/88614F297B2B2542
     created: 2023-01-31  expires: never       usage: S

ssb  rsa4096/3272622E5D653058
     created: 2023-01-31  expires: never       usage: E

ssb  rsa4096/F8BD0C1A3EB787A2
     created: 2023-01-31  expires: never       usage: A

[ultimate] (1). John Doe (My demo key) <johndoe@email.com>
```

Type <mark style="color:blue;">**`save`**</mark> to write the changes and leave the `gpg>` prompt. If you type <mark style="color:blue;">**`quit`**</mark> instead, GPG will ask whether to save the changes first.

## <mark style="color:red;">❊ Overview</mark>

You now have a GPG key pair with one master key strictly assigned to certify any new subkeys in the future, and three subkeys.

<table><thead><tr><th width="226">Key ID</th><th width="192">Type</th><th width="140">Capability</th><th width="92">Master</th><th>Sub</th></tr></thead><tbody><tr><td><mark style="color:red;"><strong><code>161C667B11784BF7</code></strong></mark></td><td>[<mark style="color:red;"><code>sec</code></mark>] Secret Key</td><td>Certify</td><td><img src="/files/XnVmEp1PgZ0Vb0YwfNIT" alt=""></td><td></td></tr><tr><td><mark style="color:red;"><strong><code>88614F297B2B2542</code></strong></mark></td><td>[<mark style="color:red;"><code>ssb</code></mark>] Secret Sub</td><td>Sign</td><td></td><td><img src="/files/XnVmEp1PgZ0Vb0YwfNIT" alt=""></td></tr><tr><td><mark style="color:red;"><strong><code>3272622E5D653058</code></strong></mark></td><td>[<mark style="color:red;"><code>ssb</code></mark>] Secret Sub</td><td>Encrypt</td><td></td><td><img src="/files/XnVmEp1PgZ0Vb0YwfNIT" alt=""></td></tr><tr><td><mark style="color:red;"><strong><code>F8BD0C1A3EB787A2</code></strong></mark></td><td>[<mark style="color:red;"><code>ssb</code></mark>] Secret Sub</td><td>Authenticate</td><td></td><td><img src="/files/XnVmEp1PgZ0Vb0YwfNIT" alt=""></td></tr></tbody></table>
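As an added check that is not part of this guide or of GnuPG, the script below parses the machine-readable output of `gpg --list-secret-keys --with-colons` and reports anything that deviates from the table above (a Certify-only primary, one subkey each for Sign, Encrypt and Authenticate, all RSA 4096). The embedded sample output is constructed from this page's key ids, and the `subprocess` call at the bottom assumes `gpg` is on your PATH.

```python
import subprocess

# Expected layout from this guide: a Certify-only primary key plus three
# subkeys carrying exactly one capability each (Sign, Encrypt, Authenticate),
# all RSA 4096 with no expiry.
EXPECTED_SUBKEY_CAPS = ["s", "e", "a"]
RSA_ALGO_IDS = {"1", "2", "3"}  # OpenPGP algorithm ids for RSA, RSA-E, RSA-S

# Constructed sample in the `--with-colons` format, using the key ids from this
# page (fields: type, validity, bits, algo, keyid, created, expires, ..., caps).
SAMPLE_KEYRING = """\
sec:u:4096:1:161C667B11784BF7:1675123200:::u:::cSCEA:::+:::23::0:
fpr:::::::::848103E9F1FFEC33DDD58C2B161C667B11784BF7:
ssb:u:4096:1:88614F297B2B2542:1675123200::::::s:::+:::23:
ssb:u:4096:1:3272622E5D653058:1675123200::::::e:::+:::23:
ssb:u:4096:1:F8BD0C1A3EB787A2:1675123200::::::a:::+:::23:
"""

def parse_colon_keys(text):
    """Return (kind, bits, algo, keyid, expires, own_caps) for each sec/ssb record.
    Field 12 mixes lower-case letters (this key's own capabilities) with
    upper-case letters (what the whole key can do), so keep only the former."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("sec", "ssb"):
            own_caps = "".join(ch for ch in f[11] if ch.islower())
            keys.append((f[0], int(f[2]), f[3], f[4], f[6], own_caps))
    return keys

def audit_keyring(text):
    """List deviations from the C / S / E / A layout; an empty list means it matches."""
    keys = parse_colon_keys(text)
    primaries = [k for k in keys if k[0] == "sec"]
    subkeys = [k for k in keys if k[0] == "ssb"]
    if len(primaries) != 1:
        return [f"expected exactly one primary key, found {len(primaries)}"]
    problems = []
    if primaries[0][5] != "c":
        problems.append(f"primary {primaries[0][3]} has capabilities '{primaries[0][5]}', expected only 'c'")
    if [k[5] for k in subkeys] != EXPECTED_SUBKEY_CAPS:
        problems.append(f"subkey capabilities are {[k[5] for k in subkeys]}, expected {EXPECTED_SUBKEY_CAPS}")
    for _kind, bits, algo, keyid, expires, _caps in keys:
        if algo not in RSA_ALGO_IDS or bits != 4096:
            problems.append(f"{keyid} is not RSA 4096 (algorithm {algo}, {bits} bits)")
        if expires:
            problems.append(f"{keyid} expires (epoch {expires}); this guide chose 0 = never")
    return problems

if __name__ == "__main__":
    # Audit the real keyring on this machine; needs gpg on PATH.
    out = subprocess.run(["gpg", "--list-secret-keys", "--with-colons"],
                         capture_output=True, text=True, check=True).stdout
    print("\n".join(audit_keyring(out)) or "keyring matches the C / S / E / A layout")
```

If you deliberately set an expiry when generating the keys, drop or adjust the expiry check; the rest of the audit still applies.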

## <mark style="color:red;">❊ Export</mark>

Before exporting, list your secret keys to find the key id you will need:

```
gpg --list-secret-keys --keyid-format=short
```

A list of your keys will appear:

```
sec   rsa4096/11784BF7 2023-01-31 [C]
      848103E9F1FFEC33DDD58C2B161C667B11784BF7
uid         [ultimate] John Doe (My demo key) <johndoe@email.com>
ssb   rsa4096/7B2B2542 2023-01-31 [S]
ssb   rsa4096/5D653058 2023-01-31 [E]
ssb   rsa4096/3EB787A2 2023-01-31 [A]
```

Copy the <mark style="color:yellow;">**key id**</mark> shown on the top line labeled <mark style="color:red;">**`sec`**</mark> (here `11784BF7`). Short 8-character ids like this are easy to type but are not unique, so when in doubt use the long id (`--keyid-format=long`) or the full 40-character fingerprint printed beneath it.

### <mark style="color:blue;">PUBLIC KEY</mark>

Export your public key, enter your key id and tell the command where to export:

```
gpg --output "C:\path\yourkey_pub.gpg" --export 11784BF7
```

### <mark style="color:blue;">PRIVATE KEY</mark>

Export your private key, enter your key id and tell the command where to export:

```
gpg --output "C:\path\yourkey_priv.gpg" --export-secret-key 11784BF7
```

{% hint style="info" %}
Take note of the command difference between exporting your public and private keys.

To export your public key, use the command <mark style="color:red;">**`--export`**</mark>\
To export your private key, use the command <mark style="color:red;">**`--export-secret-key`**</mark>
{% endhint %}

### <mark style="color:blue;">SUBKEY</mark>

To export a single subkey, use the commands below, changing the path and key id for each. The `!` suffix tells GPG to export exactly that subkey; without it, GPG matches the whole key and exports all of its subkeys. Use a separate output file per subkey, otherwise each command overwrites the previous file. In bash, quote the id (`'7B2B2542!'`) so the `!` is not treated as history expansion.

```
gpg --output "C:\path\yourkey_subkey_sign_priv.gpg" --export-secret-subkeys 7B2B2542!
gpg --output "C:\path\yourkey_subkey_encrypt_priv.gpg" --export-secret-subkeys 5D653058!
gpg --output "C:\path\yourkey_subkey_auth_priv.gpg" --export-secret-subkeys 3EB787A2!
```

### <mark style="color:blue;">OPENSSH</mark>

Export your SSH key, copy your master key id and execute:

```
gpg --output "C:\path\yourkey_ssh_rsa.pub" --export-ssh-key 11784BF7
```

{% hint style="info" %}
When exporting your SSH key, you can use either your **master key** id, or your **\[A]uthenticate** key id. You cannot export an SSH key using the \[S] and \[E] keys.
{% endhint %}

### <mark style="color:blue;">UPLOAD TO KEYSERVER</mark>

To upload your GPG key to an online keyserver, use one of the following commands. Be sure to replace <mark style="color:red;">**`11784BF7`**</mark> with your master key id.

```
gpg --send-key 11784BF7
gpg --keyserver pgp.mit.edu --send-key 11784BF7
gpg --keyserver keys.gnupg.net --send-key 11784BF7
gpg --keyserver hkps://keyserver.ubuntu.com:443 --send-key 11784BF7
```

If you'd like to upload your exported GPG key to a keyserver through a web interface instead, check out the list of keyserver websites on the [**`GPG Introduction page`**](/yubikey5/gpg/generate-keys/introduction.md#popular-keyservers).

## <mark style="color:red;">❊ Import to Yubikey</mark>

Unlike the PIV interface, there is no GUI (graphical user interface) that allows you to directly import your GPG keys using a program such as Yubikey Manager.

Select your method of importing:

{% content-ref url="/pages/YsVoLhZ30MF8iHuxtSyW" %}
[With Commandline](/yubikey5/gpg/import-to-yubikey/with-commandline.md)
{% endcontent-ref %}

{% content-ref url="/pages/HBlghcDqmSylMuGpG2q5" %}
[With Kleopatra](/yubikey5/gpg/import-to-yubikey/with-kleopatra.md)
{% endcontent-ref %}
