With Kleopatra

Instructions on generating GPG keys using the program Kleopatra for Windows / Linux.

Before getting started, make sure you have configured your Yubikey with PINs that you have assigned and not the default PINs that come with the Yubikey.

Read about configuring your GPG PINs here.

This guide requires one device of any in the following categories:

❊ Before You Start

Before continuing with this guide, we highly recommend reading the GPG Introduction page for a brief description of what GPG keys do and the differences between Yubikey-generated and software-generated keys. It only takes a minute.

❊ Notes

Even though Kleopatra is a decent program, we recommend generating your keys with another tool, such as the GPG command line, for the reasons below.

When generating your master key and subkeys, Kleopatra only lets you choose the capabilities of the keypair at the start of the generation process.

Once the master key and subkeys have been generated, Kleopatra does not let you add or modify subkeys from that point forward.

Kleopatra also does not allow you to keep the [C]ertify capability alone on the master key while still generating [S]ign or [A]uthenticate keys; whatever you select beyond [E]ncrypt is placed on the master key. It allows for the following setups:

       RECOMMENDED            KLEOPATRA             KLEOPATRA             KLEOPATRA
                               OPTION 1              OPTION 2              OPTION 3
   ┌─────────────────┐    ┌────────────────┐    ┌────────────────┐    ┌────────────────┐
   │    MASTER [C]   │    │   MASTER [C]   │    │  MASTER [C][S] │    │MASTER [C][S][A]│
   └────────┬────────┘    └────────┬───────┘    └────────┬───────┘    └────────┬───────┘
            │                      │                     │                     │
     ┌──────┴──────┐        ┌──────┴─────┐        ┌──────┴─────┐        ┌──────┴─────┐
     │  SUBKEY [S] │        │ SUBKEY [E] │        │ SUBKEY [E] │        │ SUBKEY [E] │
     └──────┬──────┘        └────────────┘        └────────────┘        └────────────┘
            │
     ┌──────┴──────┐
     │  SUBKEY [E] │
     └──────┬──────┘
            │
     ┌──────┴──────┐
     │  SUBKEY [A] │
     └─────────────┘

To have the [C]ertify capability alone on your master key, you would have to disable generation of the [S]ign and [A]uthenticate capabilities entirely (Option 1 above), which leaves you with no signing or SSH authentication key at all.

If you find these options acceptable for your needs, then you can proceed. We figured we'd at least put this warning out there, since this may not be ideal for some people. The GPG command line will always give you the most control over how your keys are structured.
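The RECOMMENDED layout above is exactly what the GPG command line can produce and Kleopatra cannot. The script below is an added example for this guide, not code from the original page or from Kleopatra: it builds a certify-only master key with separate [S], [E] and [A] subkeys, and then checks the capability split of any key listing in `gpg --with-colons` format, so you can verify what either tool generated. The user ID, the `PASSPHRASE` variable, the scratch `GNUPGHOME` and the sample records are assumptions made for the example.

```shell
#!/bin/sh
# Added example for this guide (not part of the original page or of Kleopatra):
# build the RECOMMENDED layout from the diagram above with the GPG command line
# and check the capability split of any key from `gpg --with-colons` output.
# The user ID, the PASSPHRASE variable and the sample records below are assumptions.

# Generate a certify-only primary key, then one subkey per capability.
# Point GNUPGHOME at a scratch directory first to keep this out of your real keyring.
gen_recommended() {            # $1 = name, $2 = e-mail; prints the new fingerprint
    uid="$1 <$2>"
    gpg --batch --pinentry-mode loopback --passphrase "$PASSPHRASE" \
        --quick-generate-key "$uid" rsa4096 cert 1y
    fpr=$(gpg --batch --with-colons --list-secret-keys "$2" \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    for usage in sign encrypt auth; do
        gpg --batch --pinentry-mode loopback --passphrase "$PASSPHRASE" \
            --quick-add-key "$fpr" rsa4096 "$usage" 1y
    done
    echo "$fpr"
}

# Reduce `gpg --with-colons` records to "primary <caps>" / "subkey <caps>" lines.
# Field 12 holds the key's own capabilities in lowercase (e, s, c, a); the primary
# also carries the whole key's usable capabilities in uppercase, which we drop.
layout_of() {
    awk -F: '
        $1 == "sec" || $1 == "pub" { caps = $12; gsub(/[^esca]/, "", caps); print "primary", caps }
        $1 == "ssb" || $1 == "sub" { caps = $12; gsub(/[^esca]/, "", caps); print "subkey", caps }'
}

# Exit 0 only when the primary is certify-only and S, E and A each sit on a subkey.
is_recommended() {
    layout_of | awk '
        $1 == "primary" { if ($2 != "c") bad = 1 }
        $1 == "subkey"  { for (i = 1; i <= length($2); i++) seen[substr($2, i, 1)] = 1 }
        END { if (bad || !seen["s"] || !seen["e"] || !seen["a"]) exit 1 }'
}

# Constructed sample records (not real output): Kleopatra option 3 vs the recommended layout.
KLEOPATRA_OPTION3='sec:u:4096:1:BB6E1E563FFFD354:1700000000:::u:::scaESCA::::::23::0:
ssb:u:4096:1:2BA5AB27AC69F24D:1700000000::::::e::::::23:'
RECOMMENDED='sec:u:4096:1:0000000000000001:1700000000:::u:::cESCA::::::23::0:
ssb:u:4096:1:0000000000000002:1700000000::::::s::::::23:
ssb:u:4096:1:0000000000000003:1700000000::::::e::::::23:
ssb:u:4096:1:0000000000000004:1700000000::::::a::::::23:'

report() {                     # $1 = label, stdin = colon-format key listing
    data=$(cat)
    if printf '%s\n' "$data" | is_recommended; then
        echo "$1: OK, certify-only primary with S/E/A subkeys"
    else
        echo "$1: not the recommended split"
        printf '%s\n' "$data" | layout_of | sed 's/^/    /'
    fi
}

printf '%s\n' "$KLEOPATRA_OPTION3" | report "Kleopatra option 3"
printf '%s\n' "$RECOMMENDED" | report "Recommended"
# For your real keyring: gpg --batch --with-colons --list-secret-keys | report "Keyring"
```

Run the check against `gpg --batch --with-colons --list-secret-keys` after generating keys with either tool; a Kleopatra Option 3 key reports `primary sca`, which is the master key carrying [S] and [A] that the Notes above warn about.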

❊ Generating Keys

Open the software Kleopatra.

Select File -> New OpenPGP Key Pairs ...

Enter your name and email address, and tick the box if you want the key protected with a passphrase.

For this example, we're going to select RSA and set both sizes to 4096 bits, the largest RSA key size a Yubikey 5 supports.

At the bottom, select which usages you wish to apply to your master and subkey.

Whichever you select, [E]ncrypt is always placed on a subkey, and every other usage you select lands on the master key.

Once you finish, press OK and OK again. You should see a progress bar start as it generates your keys:

If the system prompts you for a passphrase, enter one to use with your key.

Kleopatra will announce that your keys have been generated.

You should now see your newly generated key back on the home screen interface.

Right click on the key, and select Details.

You will now see your master key, and your subkey.

ID                    Master   Usage / Capabilities
BB6E 1E56 3FFF D354   yes      Certify, Sign, Authenticate
2BA5 AB27 AC69 F24D   no       Encrypt

Select the 2nd key in your list which is shown as your [E]ncrypt subkey, and you'll see more options to choose from.

❊ Export Keys

This section explains how to export your generated keys to local files that you can use to import later.

PRIVATE KEYS

You can export the private / secret keys from two places.

The first location is by right-clicking on the subkey in the subkey details panel and selecting Export Secret Key.

The other location is by going back to the home screen interface and right-clicking on your key in that list.

Select Backup Secret Keys. You will then be asked where you want to save the files.

PUBLIC KEYS

Back in that same right-click menu, the other option you'll notice is Export...

This option allows you to export your public key somewhere on your computer.

OpenSSH

If you return to the subkeys panel and right-click on the master key, you will be given the option to Export OpenSSH key. This only applies to a key with the [A]uthenticate capability, which in Kleopatra means the master key (Option 3 above). If you're planning on using this keypair for SSH authentication, export the OpenSSH public key somewhere on your computer and transfer it over to your server; the secret key never leaves your machine or Yubikey.

REVOCATION CERTIFICATE

Clicking the revocation certificate button in the key's Details dialog opens a large file manager dialog.

You will be asked where you want to save your .rev revocation certificate.

The revocation certificate should be kept in a safe spot, ideally offline. It is used to mark your key as invalid in case you lose your secret key or your key is compromised. Note that anyone who obtains the certificate can revoke your key, so treat it as sensitive as the secret key itself.

❊ Import to Yubikey

The following instructions explain how to send your GPG keys to your Yubikey.

Back in the subkey details panel, right-clicking a subkey gives you the menu where you perform various tasks, including Transfer to smartcard.

When selected, your GPG subkey will be moved to the correct slot on your Yubikey. Back up your secret keys first (see Export Keys above): once a key is on the Yubikey it cannot be read back out of the device.

You can confirm the transfer by opening the smartcard view within Kleopatra after you've transferred your GPG keys over to the device.

If this option is greyed out, completely close Kleopatra, unplug your Yubikey, wait a few seconds, plug it back in, and re-launch Kleopatra.
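Kleopatra's smartcard view is one way to confirm the transfer; the command line is another. The script below is an added example for this guide, not code from the original page or from Kleopatra: it reads `gpg --with-colons --list-secret-keys` output and reports, for the master key and each subkey, whether the secret material is still local, on a card, or missing. It relies on field 15 of the `sec`/`ssb` records, which holds the token serial number for a key on a card, `#` for an unavailable secret key, and is empty for a key in the local keyring. The before/after listings and the card serial are constructed placeholders.

```shell
#!/bin/sh
# Added example for this guide (not part of the original page or of Kleopatra):
# confirm from the command line which secret keys now live on the Yubikey, using
# `gpg --with-colons --list-secret-keys`. In sec/ssb records field 15 carries the
# token serial number when the secret key is on a card, '#' when it is unavailable,
# and is empty when the key is still in the local keyring. The sample records are constructed.

# Print "<type> <keyid> <caps> <location>" for the primary key and every subkey.
card_location() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            if ($15 == "#")       where = "missing"
            else if ($15 != "")   where = "card=" $15
            else                  where = "local"
            print $1, $5, $12, where
        }'
}

# Exit 0 only when every subkey has been moved to a card (no local or missing subkeys).
# The primary is ignored on purpose: the guide only transfers subkeys.
subkeys_on_card() {
    card_location | awk '$1 == "ssb" && $4 !~ /^card=/ { exit 1 }'
}

# Constructed listings before and after "Transfer to smartcard" (the serial is a placeholder).
BEFORE_TRANSFER='sec:u:4096:1:BB6E1E563FFFD354:1700000000:::u:::scaESCA::::::23::0:
ssb:u:4096:1:2BA5AB27AC69F24D:1700000000::::::e::::::23:'
AFTER_TRANSFER='sec:u:4096:1:BB6E1E563FFFD354:1700000000:::u:::scaESCA::::::23::0:
ssb:u:4096:1:2BA5AB27AC69F24D:1700000000::::::e:::D2760001240100000000000000000000:::23:'

show() {                       # $1 = label, stdin = colon-format key listing
    data=$(cat)
    echo "$1:"
    printf '%s\n' "$data" | card_location | sed 's/^/    /'
    if printf '%s\n' "$data" | subkeys_on_card; then
        echo "    all subkeys are on the card"
    else
        echo "    some subkeys are still local or missing: back them up, then transfer"
    fi
}

printf '%s\n' "$BEFORE_TRANSFER" | show "Before transfer"
printf '%s\n' "$AFTER_TRANSFER" | show "After transfer"
# For your real keyring: gpg --batch --with-colons --list-secret-keys | show "Keyring"
```

If the real listing still shows `local` for the [E] subkey after you used Transfer to smartcard, the transfer did not complete; unplug and replug the Yubikey as described above and check again before deleting any local backup.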

❊ Closing

Kleopatra is a decent program for certain features, but it is severely lacking in others, such as finer control over subkeys. As stated before, if you want a lot of control over how your keys are generated, we recommend checking out the Key Generation with Command-Line guide.
