Easy GnuPG key generation tool.
The process of generating a new GnuPG key -- and all the sub-keys -- can be tedious and a bit confusing.
So, here's a script that performs the following tasks (most of which can be toggled):
- Generate a 4096-bit RSA master key capable of certification and set to expire two years from now.
- Generate three 4096-bit RSA sub-keys capable of signing, encryption and authentication respectively and set to expire one year from now.
- Export and symmetrically encrypt a gzipped tar-ball containing both an ascii armored and qr-encoded revocation certificate for the master key.
- Export the protected secret key, protected secret sub-keys and public key to individual files.
- Create some informative files for the new key, including:
- Remove the master (certification) key from the GnuPG keyring, but keep the sub-keys (capable of signing, encryption and authentication).
The primary dependency is GnuPG stable, v2.0.XX. The software was developed using GnuPG-v2.0.22 but might work with GnuPG-v2.1.xx modern. It will not work with GnuPG-v1.4.xx classic, though adding support for this version of GnuPG is certainly possible.
On Debian flavored GNU/Linux (e.g. Ubuntu), the following should suffice to install the required dependencies:
sudo apt-get install gpgv2On OSX, you can choose to install the GPG Suite or use the Homebrew package for GnuPG v2:
brew install gnupg2Additionally, you will also need to install gnu-getopt,
a command-line option parsing library.
brew install gnu-getoptSince OSX already ships with getopt(1), you will need to
force-link this keg-only formula:
brew link --force gnu-getoptYou should unlink this formula after using the script to avoid trouble with OSX.
brew unlink gnu-getoptBoth qrencode and paperkey will enhance the output, if installed.
sudo apt-get install qrencode paperkeybrew install qrencode paperkeyThis software was developed on Debian flavored GNU/Linux and uses
the Unix philosophy
by combining the standard tools like
getopt, which, mktemp, grep, awk, mkdir, head, and shred.
Mileage may vary for users of Unix derived systems (like *BSD and OSX).
Unix users may need to install
getopt(1)
in order to use this software.
This software is a self contained bash script. It should, therefore, suffice to copy the script to a global path:
sudo cp gneasy-genkey.sh /usr/local/bin/gneasy-genkey
sudo chmod o=rwx,g=rx,o=rx /usr/local/bin/gneasy-genkeyThis software is designed to automatically implement the procedure outlined in Generating More Secure GPG Keys: A Step-by-Step Guide by Mike English, using the hardening options for GnuPG outlined by OpenPGP Best Practices from the RiseUp Collective and duraconf by ioerror.
Calling
gneasy-genkey "Testy McTesterson <testy@mctesterson.test>"will perform the tasks outlined above for a user id
Testy McTesterson <testy@mctesterson.test>.
By default the exported files are saved in a directory named after the
key-id of the generated key, i.e. 0x1234567890ABDCED/
Note that extra UIDs can be added with comma separation:
gneasy-genkey "Testy McTesterson <testy@mctesterson.test>,Test Testerson <test@testerson.tst>,<@testy>"Usage: gneasy-genkey <uid> [options]
Easy GnuPG key generation tool.
Arguments:
<uid> User-id(s) for the generated key. Format is "Name <email>".
Options:
-S, --size Size (length) in bits of master key.
Range is [1024, 4096]. Default is 4096.
-L, --lifetime Lifetime (expiration time) of master key.
Format is that of GnuPG: 0 = no expiration,
<n> = n days, <n>w = n weeks, <n>m = n months,
<n>y = n years. Default is 2y.
-s, --sub-size Size of sub-keys in bits.
Range and default same as --size.
-l, --sub-lifetime Lifetime of sub-keys.
Format is same as --lifetime. Default is 1y.
--no-sign Do not generate a sub-key for signing.
--no-encr Do not generate a sub-key for encryption.
--no-auth Do not generate a sub-key for authentication.
--otr Generate a 1024-bit DSA sub-key for authentication.
--policy-url Set the policy URL (rfc4880:5.2.3.20).
--out-dir Directory for export output; created if not present.
Default is key-id of the master key.
--no-export Do not export keys, revocation or summary.
--no-revoke Do not export revocation certificate.
--no-export-pub Do not export public key.
--no-export-sec Do not export secret keys.
--no-export-sub Do not export secret sub-keys.
--no-paperkey Do not export secret keys as paperkey.
--no-info Do not export key summary information.
--no-calendar Do not export iCalendar for key expiration dates.
--no-qr Do not export QR-code with uid and fingerprint.
--no-vcard Do not export vcard with contact information.
--keep-master Keep the master key in the GnuPG keyring.
--gnupg-home Home directory for GnuPG. Default is '~/.gnupg'.
--quiet Disable regular terminal output but show errors.
--silent Disable all terminal output.
-h, --help Print this help and exit.
-v, --version Print version information and exit.
--version-num Print version number <major.minor.patch> and exit.
--copyright Print copyright & license information and exit.
Developers might find the following flags useful:
--debug Print some debugging messages
--show-tty Show the terminal interaction with GnuPG
--bash-debug Also echo all bash commands
The following flags (and options) are automatically passed to
gpg2 and cannot be controlled by gneasy-genkey from the command-line
(e.g. without editing the script).
In order to properly control GnuPG all calls to gpg2 contain the flags:
--display-charset utf-8
--expert
--no-greeting
--quiet
--no-verbose
--no-tty
In keeping with
OpenPGP Best Practices,
all calls to gpg2 contain the flags:
--keyid-format 0xlong
--with-fingerprint
--no-emit-version
--personal-cipher-preferences "AES256 AES192 AES CAST5"
--personal-digest-preferences "SHA512 SHA384 SHA256 SHA224"
--default-preference-list "SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed"
The extra flags used for the GnuPG genkey command are:
--s2k-cipher-algo AES256
--s2k-digest-algo SHA512
--s2k-mode 3
--s2k-count 65011712
The extra flags used for symmetrically encrypting sensitive files (like the revocation certificate) are:
--cipher-algo AES256
--digest-algo SHA512
Sensitive temporary files are written to the output directory
and shred-ed on exit (when shred/srm are available).
GnuPG "state-machine" command-/status-/output-/attribute-/logger- files
are written to /tmp/egk-XXXXXXXXXX/.
These files do not contain particularly sensitive information
and are deleted (e.g. rm-ed) on exit.
gneasy-genkey is software libre;
you are free to modify and share this software under the terms of the
GNU General Public License, version 3.0
The general outline of the tasks performed by this software was inspired by Generating More Secure GPG Keys: A Step-by-Step Guide by Mike English. The flags/options passed to GnuPG are those suggested by OpenPGP Best Practices from the Riseup Collective and duraconf from ioerror.
The crucial part of this script is the "state-machine" that automates interaction with GnuPG. That such interaction was even possible and the initial example of which was found at the GnuPG users mailing list archive #67792.
Small snippets and other inspiration were lifted from the monkeysphere code.
Special thanks to ruimarinho for adding OSX functionality.
Please contribute to this project.
You can submit a new issue or help with a current issue.
You can also donate bitcoin: 1ZCTTQPrfeYjUosgD4GUkVA1bdKwiTpwm