How to Generate GPG Keys

This process is mostly based on the guidance provided at https://blog.tinned-software.net/create-gnupg-key-with-sub-keys-to-sign-encrypt-authenticate/

Initial Setup

Create a separate directory somewhere secure and set it as the GNUPGHOME environment variable.

mkdir ~/packages_service
chmod 0700 ~/packages_service
export GNUPGHOME=~/packages_service/

To ensure plenty of random data I installed the rng-tools package and started the service (rngd feeds the kernel pool from a hardware source such as a TPM or the CPU's RDRAND instruction, so this only helps on a machine that has one):

apt install rng-tools
systemctl start rng-tools

gpg insists on using pinentry to prompt for the new passphrase. By default this is a graphical GNOME dialog which grabs focus, so to make the process easier to work with I switched to the tty version:

apt install pinentry-tty
update-alternatives --config pinentry
There are 3 choices for the alternative pinentry (providing /usr/bin/pinentry).

  Selection    Path                      Priority   Status
------------------------------------------------------------
* 0            /usr/bin/pinentry-gnome3   90        auto mode
  1            /usr/bin/pinentry-curses   50        manual mode
  2            /usr/bin/pinentry-gnome3   90        manual mode
  3            /usr/bin/pinentry-tty      30        manual mode

Press <enter> to keep the current choice[*], or type selection number: 3
update-alternatives: using /usr/bin/pinentry-tty to provide /usr/bin/pinentry (pinentry) in manual mode

Master Key

This was done using gpg version 2.2.12 on Debian stable (buster); the supported options will vary depending on the version used.

The aim is to create a 4096-bit RSA key. Using the (set your own capabilities) option I've also disabled the Sign and Encrypt capabilities (Authenticate is off by default, as the dialog below shows) so that this master key can only be used to certify other keys, i.e. the signing subkeys. Clients will trust the master key.

I've chosen to give the key a 10 year lifetime, although it could be set to never expire; the signing subkeys will have shorter lifetimes.

For the passphrase I used a very long string of random characters. Copy it (Ctrl-C style) before starting this process so you can paste it (Ctrl-V) into the pinentry prompt; the graphical pinentry grabs focus once launched, so you cannot switch to another window to fetch it. The passphrase can be generated with a tool like pwgen (provided in the Debian/Ubuntu package of that name), e.g. pwgen 32 1 generates a single password of 32 characters; add the -s option if you want fully random rather than the default pronounceable output.

gpg --expert --full-generate-key
gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
   (9) ECC and ECC
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (13) Existing key
Your selection? 8

Possible actions for a RSA key: Sign Certify Encrypt Authenticate 
Current allowed actions: Sign Certify Encrypt 

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? S

Possible actions for a RSA key: Sign Certify Encrypt Authenticate 
Current allowed actions: Certify Encrypt 

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? E

Possible actions for a RSA key: Sign Certify Encrypt Authenticate 
Current allowed actions: Certify 

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? Q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 10y
Key expires at Fri 20 Jul 2029 11:05:45 BST
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Informatics Packages Service
Email address: pkgaccess@inf.ed.ac.uk
Comment: 
You selected this USER-ID:
    "Informatics Packages Service <pkgaccess@inf.ed.ac.uk>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /home/stephen/packages_service/trustdb.gpg: trustdb created
gpg: key 75CF451B2A5F26E3 marked as ultimately trusted
gpg: directory '/home/stephen/packages_service/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/stephen/packages_service/openpgp-revocs.d/C20F71369731E987399E35ED75CF451B2A5F26E3.rev'
public and secret key created and signed.

pub   rsa4096 2019-07-23 [C] [expires: 2029-07-20]
      C20F71369731E987399E35ED75CF451B2A5F26E3
uid                      Informatics Packages Service <pkgaccess@inf.ed.ac.uk>
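The same key as the interactive session above, generated unattended and then checked. This is an added example, not the commands from the original page: it assumes GnuPG 2.2's --batch parameter-file interface (Key-Usage: cert yields a certify-only primary key, the same result as toggling S and E off in the --expert dialog) and copies the page's name, e-mail, 10 year expiry and 4096-bit RSA. The colon listings used for the self-check are constructed to match the --with-colons format, not captured from the real key.

```shell
#!/bin/sh
# Added example (not from the original page): create a certify-only RSA 4096
# master key with gpg --batch and verify it from "gpg --with-colons" output.
# Assumes GnuPG 2.2. Sample listings below are constructed, not real captures.
set -u

# Generate a certify-only primary key in a fresh private GNUPGHOME.
#   $1 = GNUPGHOME to create, $2 = passphrase, $3 = key length (default 4096)
# Prints the fingerprint of the new primary key.
gen_master_key() {
    home="$1"; pass="$2"; bits="${3:-4096}"
    mkdir -p "$home" && chmod 0700 "$home" || return 1
    # The parameter file holds the passphrase in clear, so create it 0600
    # (umask in a subshell) and remove it as soon as gpg has read it.
    ( umask 077; cat >"$home/master.params" <<EOF
Key-Type: RSA
Key-Length: $bits
Key-Usage: cert
Name-Real: Informatics Packages Service
Name-Email: pkgaccess@inf.ed.ac.uk
Expire-Date: 10y
Passphrase: $pass
%commit
EOF
    ) || return 1
    GNUPGHOME="$home" gpg --batch --quiet --generate-key "$home/master.params"
    status=$?
    rm -f "$home/master.params"
    [ "$status" -eq 0 ] || return 1
    # First fpr line belongs to the primary key (pub precedes any sub lines).
    GNUPGHOME="$home" gpg --batch --with-colons --list-keys |
        awk -F: '$1 == "fpr" { print $10; exit }'
    GNUPGHOME="$home" gpgconf --kill gpg-agent
}

# Check a primary key from "gpg --with-colons --list-keys" output on stdin:
# RSA (algo 1), at least $1 bits (default 4096), certify-only and expiring.
# Field 12 is the capability field: lowercase letters are this key's own
# flags, uppercase letters summarise the whole key, so only lowercase counts.
# Prints "ok: ..." and returns 0, or prints the problems and returns 1.
check_master_key() {
    awk -F: -v minbits="${1:-4096}" '
        $1 == "pub" {
            seen = 1
            own = $12; gsub(/[^a-z]/, "", own)
            if ($4 != 1)          { print "not RSA (algo " $4 ")"; bad = 1 }
            if ($3 + 0 < minbits) { print "key too short: " $3 " bits"; bad = 1 }
            if (own != "c")       { print "primary key capabilities are \"" own "\", want \"c\""; bad = 1 }
            if ($7 == "")         { print "primary key never expires"; bad = 1 }
            if (!bad) print "ok: certify-only rsa" $3 " primary key " $5 " expires at " $7
            exit (bad ? 1 : 0)
        }
        END { if (!seen) { print "no pub line found"; exit 1 } }
    '
}

# Constructed listings for the self-check (key id and fingerprint copied from
# the session above; timestamps are made up). The second is what the default
# "RSA and RSA" choice produces: sign+certify primary, no expiry.
SAMPLE_CERT_ONLY='pub:u:4096:1:75CF451B2A5F26E3:1563872745:1879232745::u:::cC::::::23::0:
fpr:::::::::C20F71369731E987399E35ED75CF451B2A5F26E3:
uid:u::::1563872745::0000000000000000000000000000000000000000::Informatics Packages Service <pkgaccess@inf.ed.ac.uk>::::::::::0:'
SAMPLE_DEFAULT='pub:u:3072:1:0123456789ABCDEF:1563872745:::u:::scESC::::::23::0:'

if [ "${1:-}" = "generate" ]; then
    # Real run: sh master-key.sh generate /path/to/new/gnupghome 'passphrase'
    gen_master_key "$2" "$3" &&
        GNUPGHOME="$2" gpg --batch --with-colons --list-keys | check_master_key
else
    printf '%s\n' "$SAMPLE_CERT_ONLY" | check_master_key
    printf '%s\n' "$SAMPLE_DEFAULT" | check_master_key || true
fi
```

Because --batch reads the passphrase from the parameter file it never invokes pinentry, which sidesteps the focus problem described above, but the passphrase then sits in a file for the duration of key generation, so the 0600 mode and the immediate removal matter. The check function is worth running on any key you intend to publish: a primary key listed with "s" or "e" in its own capabilities can sign packages directly and so cannot be kept offline the way the page intends.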

-- StephenQuinney - 23 Jul 2019

Topic revision: r2 - 02 Aug 2019 - 09:16:29 - StephenQuinney