Easy GnuPG key generation tool.
The process of generating a new GnuPG key -- and all the sub-keys -- can be tedious and a bit confusing.
So, here's a script that performs the following tasks (most of which can be toggled):
- Generate a 4096-bit RSA master key capable of certification and set to expire two years from now.
- Generate three 4096-bit RSA sub-keys capable of signing, encryption and authentication respectively and set to expire one year from now.
- Export and symmetrically encrypt a gzipped tar-ball containing both an ascii armored and qr-encoded revocation certificate for the master key.
- Export the protected secret key, protected secret sub-keys and public key to individual files.
- Create some informative files for the new key, including:
- Remove the master (certification) key from the GnuPG keyring, but keep the sub-keys (capable of signing, encryption and authentication).
The primary dependency is GnuPG stable, v2.0.XX. The software was developed using GnuPG-v2.0.22 and has been adapted to work with GnuPG-v2.1.26 modern. It will not work with GnuPG-v1.4.xx classic, though adding support for this version of GnuPG is certainly possible.
On Debian flavored GNU/Linux (e.g. Ubuntu), the following should suffice to install the required dependencies:
sudo apt-get install gpgv2
On OS X / macOS, you can choose to install the [GPG Suite](https://gpgtools.org/gpgsuite.html - GnuPG v2 only at the present time) or use the Homebrew or MacPorts package for GnuPG v2 or v2.1:
brew install gnupg2
or
brew install gnupg21
Additionally, you will also need to install gnu-getopt
,
a command-line option parsing library.
brew install gnu-getopt
Since OS X / macOS already ships with getopt(1)
, you will need to
force-link this keg-only formula:
brew link --force gnu-getopt
You should unlink this formula after using the script to avoid trouble with OS X / macOS.
brew unlink gnu-getopt
port install gnupg2
or
port install gnupg21
As for Homebrew, install the GNU getopt command-line parser:
port install getopt
Both qrencode and paperkey will enhance the output, if installed.
sudo apt-get install qrencode paperkey
brew install qrencode paperkey
port install qrencode paperkey
This software was developed on Debian flavored GNU/Linux and uses
the Unix philosophy
by combining the standard tools like
getopt
, which
, mktemp
, grep
, awk
, mkdir
, head
, and shred
.
Mileage may vary for users of Unix derived systems (like *BSD and OS X).
Unix users may need to install
getopt(1)
in order to use this software.
This software is a self contained bash script. It should, therefore, suffice to copy the script to a global path:
sudo cp gneasy-genkey.sh /usr/local/bin/gneasy-genkey
sudo chmod o=rwx,g=rx,o=rx /usr/local/bin/gneasy-genkey
This software is designed to automatically implement the procedure outlined in Generating More Secure GPG Keys: A Step-by-Step Guide by Mike English, using the hardening options for GnuPG outlined by OpenPGP Best Practices from the RiseUp Collective and duraconf by ioerror.
Calling
gneasy-genkey "Testy McTesterson <[email protected]>"
will perform the tasks outlined above for a user id
Testy McTesterson <[email protected]>
.
By default the exported files are saved in a directory named after the
key-id of the generated key, i.e. 0x1234567890ABDCED/
Note that extra UIDs can be added with comma separation:
gneasy-genkey "Testy McTesterson <[email protected]>,Test Testerson <[email protected]>,<@testy>"
Photos (which should be JPEG images named with a .jpg
or .jpeg
filename
extension) can be added using the --photo
option followed by the image filename,
with relative paths being resolved against the current working directory:
gneasy-genkey --photo testy.jpg "Testy McTesterson <[email protected]>"
Any number of photos can be added by specifying --photo
and a filename multiple times.
GnuPG suggests keeping image sizes to around 240x288 pixels and issues a warning and asks
for confirmation for files greater than 6KB in size. Note that this script will silently
acknowledge these confirmation requests.
Consider adding the show-photos
option to the list-options
and/or verify-options
lines in the gpg.conf
configuration file to have GnuPG automatically display available
photos when listing and verifying keys respectively.
Usage: gneasy-genkey <uid> [options]
Easy GnuPG key generation tool.
Arguments:
<uid> User-id(s) for the generated key. Format is "Name <email>".
Options:
-S, --size Size (length) in bits of master key.
Range is [1024, 4096]. Default is 4096.
-L, --lifetime Lifetime (expiration time) of master key.
Format is that of GnuPG: 0 = no expiration,
<n> = n days, <n>w = n weeks, <n>m = n months,
<n>y = n years. Default is 2y.
-s, --sub-size Size of sub-keys in bits.
Range and default same as --size.
-l, --sub-lifetime Lifetime of sub-keys.
Format is same as --lifetime. Default is 1y.
--no-sign Do not generate a sub-key for signing.
--no-encr Do not generate a sub-key for encryption.
--no-auth Do not generate a sub-key for authentication.
--otr Generate a 1024-bit DSA sub-key for authentication.
--policy-url Set the policy URL (rfc4880:5.2.3.20).
--out-dir Directory for export output; created if not present.
Default is key-id of the master key.
--no-export Do not export keys, revocation or summary.
--no-revoke Do not export revocation certificate.
--no-export-pub Do not export public key.
--no-export-sec Do not export secret keys.
--no-export-sub Do not export secret sub-keys.
--no-paperkey Do not export secret keys as paperkey.
--no-info Do not export key summary information.
--no-calendar Do not export iCalendar for key expiration dates.
--no-qr Do not export QR-code with uid and fingerprint.
--no-vcard Do not export vcard with contact information.
--keep-master Keep the master key in the GnuPG keyring.
--photo Name of a JPEG image file to be added as a uid
--gnupg-home Home directory for GnuPG. Default is '~/.gnupg'.
--quiet Disable regular terminal output but show errors.
--silent Disable all terminal output.
-h, --help Print this help and exit.
-v, --version Print version information and exit.
--version-num Print version number <major.minor.patch> and exit.
--copyright Print copyright & license information and exit.
Developers might find the following flags useful:
--debug Print some debugging messages
--show-tty Show the terminal interaction with GnuPG
--bash-debug Also echo all bash commands
The following flags (and options) are automatically passed to
gpg2
and cannot be controlled by gneasy-genkey
from the command-line
(e.g. without editing the script).
In order to properly control GnuPG all calls to gpg2
contain the flags:
--display-charset utf-8
--expert
--no-greeting
--quiet
--no-verbose
--no-tty
In keeping with
OpenPGP Best Practices,
all calls to gpg2
contain the flags:
--keyid-format 0xlong
--with-fingerprint
--no-emit-version
--personal-cipher-preferences "AES256 AES192 AES CAST5"
--personal-digest-preferences "SHA512 SHA384 SHA256 SHA224"
--default-preference-list "SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed"
The extra flags used for the GnuPG genkey
command are:
--s2k-cipher-algo AES256
--s2k-digest-algo SHA512
--s2k-mode 3
--s2k-count 65011712
The extra flags used for symmetrically encrypting sensitive files (like the revocation certificate) are:
--cipher-algo AES256
--digest-algo SHA512
Sensitive temporary files are written to the output directory
and shred
-ed on exit (when shred
/srm
are available).
GnuPG "state-machine" command-/status-/output-/attribute-/logger- files
are written to /tmp/egk-XXXXXXXXXX/
.
These files do not contain particularly sensitive information
and are deleted (e.g. rm
-ed) on exit.
gneasy-genkey
is software libre;
you are free to modify and share this software under the terms of the
GNU General Public License, version 3.0
The general outline of the tasks performed by this software was inspired by Generating More Secure GPG Keys: A Step-by-Step Guide by Mike English. The flags/options passed to GnuPG are those suggested by OpenPGP Best Practices from the Riseup Collective and duraconf from ioerror.
The crucial part of this script is the "state-machine" that automates interaction with GnuPG. That such interaction was even possible and the initial example of which was found at the GnuPG users mailing list archive #67792.
Small snippets and other inspiration were lifted from the monkeysphere code.
Testy McTesterson photo (file test/testy.jpg
) renamed from POV-cat
by Pauledork (240x240px version) licensed under
CC BY-SA 3.0
Special thanks to:
- ruimarinho for adding OS X functionality;
- codebrewer for a number of nifty add-ons
Please contribute to this project.
You can submit a new issue or help with a current issue.
You can also donate bitcoin: 1ZCTTQPrfeYjUosgD4GUkVA1bdKwiTpwm