gneasy-genkey

Easy GnuPG key generation tool.

The process of generating a new GnuPG key -- and all the sub-keys -- can be tedious and a bit confusing.

So, here's a script that performs the following tasks (most of which can be toggled):

1. Generate a 4096-bit RSA master key capable of certification and set to expire two years from now.
2. Generate three 4096-bit RSA sub-keys capable of signing, encryption and authentication respectively and set to expire one year from now.
3. Export and symmetrically encrypt a gzipped tar-ball containing both an ascii armored and qr-encoded revocation certificate for the master key.
4. Export the protected secret key, protected secret sub-keys and public key to individual files.
5. Create some informative files for the new key, including:
   • a paperkey of the protected secret key,
   • a YAML formatted file containing human-readable information about the generated keys,
   • a qr-encoded UID and fingerprint,
   • a contact vCard,
   • an iCal as a reminder of key expiration dates.
6. Remove the master (certification) key from the GnuPG keyring, but keep the sub-keys (capable of signing, encryption and authentication).

Install

Dependencies

GnuPG

The primary dependency is GnuPG stable, v2.0.XX. The software was developed using GnuPG-v2.0.22 and has been adapted to work with GnuPG-v2.1.26 modern. It will not work with GnuPG-v1.4.xx classic, though adding support for this version of GnuPG is certainly possible.

GNU/Linux

On Debian flavored GNU/Linux (e.g. Ubuntu), the following should suffice to install the required dependencies:

sudo apt-get install gpgv2

OS X / macOS

On OS X / macOS, you can choose to install the [GPG Suite](https://gpgtools.org/gpgsuite.html - GnuPG v2 only at the present time) or use the Homebrew or MacPorts package for GnuPG v2 or v2.1:

Homebrew

brew install gnupg2

or

brew install gnupg21

Additionally, you will also need to install gnu-getopt, a command-line option parsing library.

brew install gnu-getopt

Since OS X / macOS already ships with getopt(1), you will need to force-link this keg-only formula:

brew link --force gnu-getopt

You should unlink this formula after using the script to avoid trouble with OS X / macOS.

brew unlink gnu-getopt

MacPorts

port install gnupg2

or

port install gnupg21

As for Homebrew, install the GNU getopt command-line parser:

port install getopt

Enhancements

Both qrencode and paperkey will enhance the output, if installed.

GNU/Linux

sudo apt-get install qrencode paperkey

OS X / macOS

Homebrew

brew install qrencode paperkey

MacPorts

port install qrencode paperkey

Note on Unix

This software was developed on Debian flavored GNU/Linux and uses the Unix philosophy by combining the standard tools like getopt, which, mktemp, grep, awk, mkdir, head, and shred. Mileage may vary for users of Unix derived systems (like *BSD and OS X). Unix users may need to install getopt(1) in order to use this software.

Installation

This software is a self contained bash script. It should, therefore, suffice to copy the script to a global path:

sudo cp gneasy-genkey.sh /usr/local/bin/gneasy-genkey
sudo chmod o=rwx,g=rx,o=rx /usr/local/bin/gneasy-genkey

Usage

This software is designed to automatically implement the procedure outlined in Generating More Secure GPG Keys: A Step-by-Step Guide by Mike English, using the hardening options for GnuPG outlined by OpenPGP Best Practices from the RiseUp Collective and duraconf by ioerror.

Example

Calling

gneasy-genkey "Testy McTesterson <testy@mctesterson.test>"

will perform the tasks outlined above for a user id Testy McTesterson <testy@mctesterson.test>.

By default the exported files are saved in a directory named after the key-id of the generated key, i.e. 0x1234567890ABDCED/

Note that extra UIDs can be added with comma separation:

gneasy-genkey "Testy McTesterson <testy@mctesterson.test>,Test Testerson <test@testerson.tst>,<@testy>"

Photos (which should be JPEG images named with a .jpg or .jpeg filename extension) can be added using the --photo option followed by the image filename, with relative paths being resolved against the current working directory:

gneasy-genkey --photo testy.jpg "Testy McTesterson <testy@mctesterson.test>"

Any number of photos can be added by specifying --photo and a filename multiple times. GnuPG suggests keeping image sizes to around 240x288 pixels and issues a warning and asks for confirmation for files greater than 6KB in size. Note that this script will silently acknowledge these confirmation requests.

Consider adding the show-photos option to the list-options and/or verify-options lines in the gpg.conf configuration file to have GnuPG automatically display available photos when listing and verifying keys respectively.

Help

Usage: gneasy-genkey <uid> [options]
Easy GnuPG key generation tool.

Arguments:
 <uid>  User-id(s) for the generated key. Format is "Name <email>".

Options:
 -S, --size           Size (length) in bits of master key.
                        Range is [1024, 4096]. Default is 4096.
 -L, --lifetime       Lifetime (expiration time) of master key.
                        Format is that of GnuPG: 0 = no expiration,
                        <n> = n days, <n>w = n weeks, <n>m = n months,
                        <n>y = n years. Default is 2y.
 -s, --sub-size       Size of sub-keys in bits.
                        Range and default same as --size.
 -l, --sub-lifetime   Lifetime of sub-keys.
                        Format is same as --lifetime. Default is 1y.

     --no-sign        Do not generate a sub-key for signing.
     --no-encr        Do not generate a sub-key for encryption.
     --no-auth        Do not generate a sub-key for authentication.
     --otr            Generate a 1024-bit DSA sub-key for authentication.
     --policy-url     Set the policy URL (rfc4880:5.2.3.20).

     --out-dir        Directory for export output; created if not present.
                        Default is key-id of the master key.
     --no-export      Do not export keys, revocation or summary.
     --no-revoke      Do not export revocation certificate.
     --no-export-pub  Do not export public key.
     --no-export-sec  Do not export secret keys.
     --no-export-sub  Do not export secret sub-keys.
     --no-paperkey    Do not export secret keys as paperkey.
     --no-info        Do not export key summary information.
     --no-calendar    Do not export iCalendar for key expiration dates.
     --no-qr          Do not export QR-code with uid and fingerprint.
     --no-vcard       Do not export vcard with contact information.
     --keep-master    Keep the master key in the GnuPG keyring.
     --photo          Name of a JPEG image file to be added as a uid

     --gnupg-home     Home directory for GnuPG. Default is '~/.gnupg'.

     --quiet          Disable regular terminal output but show errors.
     --silent         Disable all terminal output.

 -h, --help           Print this help and exit.
 -v, --version        Print version information and exit.
     --version-num    Print version number <major.minor.patch> and exit.
     --copyright      Print copyright & license information and exit.

Debug

Developers might find the following flags useful:

     --debug       Print some debugging messages
     --show-tty    Show the terminal interaction with GnuPG
     --bash-debug  Also echo all bash commands

FYI

GnuPG Flags

The following flags (and options) are automatically passed to gpg2 and cannot be controlled by gneasy-genkey from the command-line (e.g. without editing the script).

In order to properly control GnuPG all calls to gpg2 contain the flags:

--display-charset utf-8
--expert
--no-greeting
--quiet
--no-verbose
--no-tty

In keeping with OpenPGP Best Practices, all calls to gpg2 contain the flags:

--keyid-format 0xlong
--with-fingerprint
--no-emit-version
--personal-cipher-preferences "AES256 AES192 AES CAST5"
--personal-digest-preferences "SHA512 SHA384 SHA256 SHA224"
--default-preference-list "SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed"

The extra flags used for the GnuPG genkey command are:

--s2k-cipher-algo AES256
--s2k-digest-algo SHA512
--s2k-mode 3
--s2k-count 65011712

The extra flags used for symmetrically encrypting sensitive files (like the revocation certificate) are:

--cipher-algo AES256
--digest-algo SHA512

Sensitive temporary files are written to the output directory and shred-ed on exit (when shred/srm are available).

GnuPG "state-machine" command-/status-/output-/attribute-/logger- files are written to /tmp/egk-XXXXXXXXXX/. These files do not contain particularly sensitive information and are deleted (e.g. rm-ed) on exit.

License

gneasy-genkey is software libre; you are free to modify and share this software under the terms of the GNU General Public License, version 3.0

Acknowledgments

The general outline of the tasks performed by this software was inspired by Generating More Secure GPG Keys: A Step-by-Step Guide by Mike English. The flags/options passed to GnuPG are those suggested by OpenPGP Best Practices from the Riseup Collective and duraconf from ioerror.

The crucial part of this script is the "state-machine" that automates interaction with GnuPG. That such interaction was even possible and the initial example of which was found at the GnuPG users mailing list archive #67792.

Small snippets and other inspiration were lifted from the monkeysphere code.

Testy McTesterson photo (file test/testy.jpg) renamed from POV-cat by Pauledork (240x240px version) licensed under CC BY-SA 3.0

Special thanks to:

• ruimarinho for adding OS X functionality;
• codebrewer for a number of nifty add-ons

Contribute!

Please contribute to this project.

You can submit a new issue or help with a current issue.

You can also donate bitcoin: 1ZCTTQPrfeYjUosgD4GUkVA1bdKwiTpwm