Creating a new GPG key
The following instructions provide a guide to generate a GnuPG key and are based, with permission, on a post to Ana's blog.
$ gpg --list-keys --with-subkey-fingerprint 7A33ECAA188B96F27C917288B3464F896AA15948
pub   rsa4096 2009-05-10 [SC]
      7A33ECAA188B96F27C917288B3464F896AA15948
uid           [ unknown] Ana Beatriz Guerrero López <ana@ekaia.org>
uid           [ unknown] Ana Beatriz Guerrero López <ana@debian.org>
sub   rsa4096 2009-05-10 [E]
      3626E7E07292B683510AF413FAD83EDD2497B8B2
As a side note, we are often asked why we mention 2048 bits. We prefer 4096-bit keys, and unless you have a reason to require a 2048-bit key, we would much rather you used 4096-bit ones. We know of many smartcards that can hold only 2048-bit keys, however, and their use is accepted.
Please note that the requirement to migrate away from DSA keys to RSA keys is not only because of key length but also because RSA is the stronger algorithm: there are classes of failure in traditional DSA that are not present in RSA.
Install Debian gpg package
Ensure the gpg Debian package is installed, providing the GnuPG command line interface.
Update ~/.gnupg/gpg.conf
With GnuPG 2.x, the default options are recommended, and users simply need to keep their software up to date. Configurations tweaked for older versions may be less secure than the current defaults and should be reviewed or deleted.
Create key
user@debian10buster:~$ gpg --gen-key --default-new-key-algo=rsa4096/cert,sign+rsa4096/encr
gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory '/home/user/.gnupg' created
gpg: keybox '/home/user/.gnupg/pubring.kbx' created
Note: Use "gpg --full-generate-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

Real name: Test User
Email address: test@example.org
You selected this USER-ID:
    "Test User <test@example.org>"

Change (N)ame, (E)mail, or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
gpg: key B9ACCA8647EEE39C marked as ultimately trusted
gpg: directory '/home/user/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/user/.gnupg/openpgp-revocs.d/10AD8FDD6D88F8AB92E6158BB9ACCA8647EEE39C.rev'
public and secret key created and signed.

pub   rsa4096 2021-05-22 [SC] [expires: 2023-05-22]
      10AD8FDD6D88F8AB92E6158BB9ACCA8647EEE39C
uid                      Test User <test@example.org>
sub   rsa4096 2021-05-22 [E] [expires: 2023-05-22]

user@debian10buster:~$
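Once a key exists it is worth checking it, and any older keys in the same keyring, against the policy stated above (RSA rather than DSA, at least 2048 bits, 4096 preferred). The script below is an added example and not part of this page or of GnuPG; it parses the machine-readable listing produced by `gpg --list-keys --with-colons` (field layout from GnuPG's doc/DETAILS: record type, key length, algorithm ID, key ID) rather than the human-readable listing shown above. The sample listing is constructed for the example: the first key reuses the IDs from the transcript above, the other two keys and all uid hashes are made up. The "REVIEW" verdict for algorithms other than RSA, DSA and Elgamal is the example's own choice, since the page only discusses RSA and DSA.

```shell
#!/bin/sh
# Check OpenPGP keys against the key policy above: RSA only, >= 2048 bits,
# 4096 preferred.  Reads "gpg --list-keys --with-colons" records on stdin.
# Field layout (GnuPG doc/DETAILS): $1 record type, $3 key length in bits,
# $4 public-key algorithm ID (1/2/3 = RSA, 16 = Elgamal, 17 = DSA,
# 18/19 = ECDH/ECDSA, 22 = EdDSA), $5 long key ID.
check_key_policy() {
    awk -F: '
        $1 == "pub" || $1 == "sub" || $1 == "sec" || $1 == "ssb" {
            bits = $3 + 0; algo = $4 + 0; keyid = $5
            if (algo == 17)
                verdict = "REJECT DSA"
            else if (algo == 16)
                verdict = "REJECT Elgamal"
            else if (algo != 1 && algo != 2 && algo != 3)
                verdict = "REVIEW non-RSA algo " algo     # assumption: page covers RSA/DSA only
            else if (bits < 2048)
                verdict = "REJECT RSA " bits " bits"
            else if (bits < 4096)
                verdict = "ACCEPT RSA " bits " bits (smartcard), 4096 preferred"
            else
                verdict = "OK RSA " bits " bits"
            printf "%s %s %s\n", $1, keyid, verdict
        }'
}

# Constructed sample listing (not a real keyring): the key from the transcript
# above, a 2048-bit RSA key of the kind used on smartcards, and an old
# 1024-bit DSA primary key with an Elgamal subkey that should be migrated.
SAMPLE_LISTING='tru::1:1621700000:1684772000:3:1:5
pub:u:4096:1:B9ACCA8647EEE39C:1621700000:1684772000::u:::scSC::::::23::0:
fpr:::::::::10AD8FDD6D88F8AB92E6158BB9ACCA8647EEE39C:
uid:u::::1621700000::0123456789ABCDEF0123456789ABCDEF01234567::Test User <test@example.org>::::::::::0:
sub:u:4096:1:D82D266547A12BB5:1621700000:1684772000:::::e::::::23:
pub:-:2048:1:1111111111111111:1500000000:::-:::scSC::::::23::0:
uid:-::::1500000000::0123456789ABCDEF0123456789ABCDEF01234567::Card User <card@example.org>::::::::::0:
sub:-:2048:1:2222222222222222:1500000000::::::e::::::23:
pub:-:1024:17:3333333333333333:1000000000:::-:::scSC::::::23::0:
uid:-::::1000000000::0123456789ABCDEF0123456789ABCDEF01234567::Old DSA User <old@example.org>::::::::::0:
sub:-:2048:16:4444444444444444:1000000000::::::e::::::23:'

# Run on the constructed sample.  On a real system use instead:
#     gpg --list-keys --with-colons | check_key_policy
printf '%s\n' "$SAMPLE_LISTING" | check_key_policy
```

Each pub/sub record yields one line of the form `pub <keyid> <verdict>`, so the output can be grepped for `REJECT` in a pre-commit hook or a periodic audit of a team's keyring.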
Add other UID
If one needs to add more than one email address to their key, the --edit-key menu may be used along with the adduid task:
user@debian10buster:~$ gpg --edit-key 10AD8FDD6D88F8AB92E6158BB9ACCA8647EEE39C
gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2023-05-22
sec  rsa4096/B9ACCA8647EEE39C
     created: 2021-05-22  expires: 2023-05-22  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/D82D266547A12BB5
     created: 2021-05-22  expires: 2023-05-22  usage: E
[ultimate] (1). Test User <test@example.org>

gpg> adduid
Real name: Test User Business
Email address: test@business.example
Comment:
You selected this USER-ID:
    "Test User Business <test@business.example>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

sec  rsa4096/B9ACCA8647EEE39C
     created: 2021-05-22  expires: 2023-05-22  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/D82D266547A12BB5
     created: 2021-05-22  expires: 2023-05-22  usage: E
[ultimate] (1)  Test User <test@example.org>
[ unknown] (2). Test User Business <test@business.example>

gpg> save
user@debian10buster:~$
Set primary UID
(Only needed if you've added more than one UID as above)
user@debian10buster:~$ gpg --edit-key 10AD8FDD6D88F8AB92E6158BB9ACCA8647EEE39C
gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2023-05-22
sec  rsa4096/B9ACCA8647EEE39C
     created: 2021-05-22  expires: 2023-05-22  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/D82D266547A12BB5
     created: 2021-05-22  expires: 2023-05-22  usage: E
[ultimate] (1). Test User Business <test@business.example>
[ultimate] (2)  Test User <test@example.org>

gpg> uid 2

sec  rsa4096/B9ACCA8647EEE39C
     created: 2021-05-22  expires: 2023-05-22  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/D82D266547A12BB5
     created: 2021-05-22  expires: 2023-05-22  usage: E
[ultimate] (1). Test User Business <test@business.example>
[ultimate] (2)* Test User <test@example.org>

gpg> primary

sec  rsa4096/B9ACCA8647EEE39C
     created: 2021-05-22  expires: 2023-05-22  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/D82D266547A12BB5
     created: 2021-05-22  expires: 2023-05-22  usage: E
[ultimate] (1)  Test User Business <test@business.example>
[ultimate] (2)* Test User <test@example.org>

gpg> save
user@debian10buster:~$
Send new key to key server
gpg --keyserver keyserver.ubuntu.com --send-key 90A808023328BD4E58143AC5E6CB7939B6C3AAB7

Note that since GnuPG 2.1, the dirmngr utility is invoked by gpg to access OpenPGP key servers and perform the upload and download of keys.