**Tip** On Linux or OpenBSD, select the password using the mouse or by double-clicking on it to copy to clipboard. Paste using the middle mouse button or `Shift`-`Insert`.
**Tip** On Linux or OpenBSD, select the password using the mouse or by double-clicking on it to copy to clipboard. Paste using the middle mouse button or `Shift`-`Insert`.
Generate a new key with GPG, selecting `(8) RSA (set your own capabilities)`, `Certify` capability only and `4096` bit key size.
Generate a new key with GPG, selecting `(11) ECC (set your own capabilities)` and `Certify` capability only (or `(8) RSA (set your own capabilities)` and `4096` bit key size).
Do **not** set the master (certify) key to expire - see [Note #3](#notes).
Do **not** set the master (certify) key to expire - see [Note #3](#notes).
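Review bot: the parenthetical in the rewritten sentence makes the `Certify`-only restriction read as if it applied to the ECC path only, while the RSA alternative just gets a key size; since Note #3 and the rest of the section assume a certify-only master key for either algorithm, phrase it so the capability restriction is shared, e.g. `selecting (11) ECC (set your own capabilities) (or (8) RSA (set your own capabilities) with a 4096 bit key size) and Certify capability only`.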
@ -602,40 +602,36 @@ Please select what kind of key you want:
(10) ECC (sign only)
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(11) ECC (set your own capabilities)
(13) Existing key
(13) Existing key
Your selection? 8
(14) Existing key from card
Your selection? 11
Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Possible actions for a ECDSA/EdDSA key: Sign Certify Authenticate
Current allowed actions: Sign Certify Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? E
Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Sign Certify
Current allowed actions: Sign Certify
(S) Toggle the sign capability
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(A) Toggle the authenticate capability
(Q) Finished
(Q) Finished
Your selection? S
Your selection? S
Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Possible actions for a ECDSA/EdDSA key: Sign Certify Authenticate
Current allowed actions: Certify
Current allowed actions: Certify
(S) Toggle the sign capability
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(A) Toggle the authenticate capability
(Q) Finished
(Q) Finished
Your selection? Q
Your selection? Q
RSA keys may be between 1024 and 4096 bits long.
Please select which elliptic curve you want:
What keysize do you want? (2048) 4096
(1) Curve 25519
Requested keysize is 4096 bits
(3) NIST P-256
(4) NIST P-384
(5) NIST P-521
(6) Brainpool P-256
(7) Brainpool P-384
(8) Brainpool P-512
(9) secp256k1
Your selection? 1
Please specify how long the key should be valid.
Please specify how long the key should be valid.
0 = key does not expire
0 = key does not expire
<n> = key expires in n days
<n> = key expires in n days
@ -671,7 +667,7 @@ gpg: directory '/tmp.FLZC0xcM/openpgp-revocs.d' created
gpg: revocation certificate stored as '/tmp.FLZC0xcM/openpgp-revocs.d/011CE16BD45B27A55BA8776DFF3E7D88647EBCDB.rev'
gpg: revocation certificate stored as '/tmp.FLZC0xcM/openpgp-revocs.d/011CE16BD45B27A55BA8776DFF3E7D88647EBCDB.rev'
Use a 1 year expiration for sub-keys - they can be renewed using the offline master key. See [rotating keys](#rotating-keys).
Use a 1 year expiration for sub-keys - they can be renewed using the offline master key. See [rotating keys](#rotating-keys).
## Signing
## Signing
Create a [signing key](https://stackoverflow.com/questions/5421107/can-rsa-be-both-used-as-encryption-and-signature/5432623#5432623) by selecting `addkey` then `(4) RSA (sign only)`:
Create a signing key by selecting `addkey` then `(10) ECC (sign only)` (or `(4) RSA (sign only)`):
```console
```console
gpg> addkey
gpg> addkey
Key is protected.
You need a passphrase to unlock the secret key for
user: "Dr Duh <doc@duh.to>"
4096-bit RSA key, ID 0xFF3E7D88647EBCDB, created 2016-05-24
Please select what kind of key you want:
Please select what kind of key you want:
(3) DSA (sign only)
(3) DSA (sign only)
(4) RSA (sign only)
(4) RSA (sign only)
@ -736,10 +724,22 @@ Please select what kind of key you want:
(6) RSA (encrypt only)
(6) RSA (encrypt only)
(7) DSA (set your own capabilities)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(8) RSA (set your own capabilities)
Your selection? 4
(10) ECC (sign only)
RSA keys may be between 1024 and 4096 bits long.
(11) ECC (set your own capabilities)
What keysize do you want? (2048) 4096
(12) ECC (encrypt only)
Requested keysize is 4096 bits
(13) Existing key
(14) Existing key from card
Your selection? 10
Please select which elliptic curve you want:
(1) Curve 25519
(3) NIST P-256
(4) NIST P-384
(5) NIST P-521
(6) Brainpool P-256
(7) Brainpool P-384
(8) Brainpool P-512
(9) secp256k1
Your selection? 1
Please specify how long the key should be valid.
Please specify how long the key should be valid.
0 = key does not expire
0 = key does not expire
<n> = key expires in n days
<n> = key expires in n days
@ -747,7 +747,7 @@ Please specify how long the key should be valid.
<n>m = key expires in n months
<n>m = key expires in n months
<n>y = key expires in n years
<n>y = key expires in n years
Key is valid for? (0) 1y
Key is valid for? (0) 1y
Key expires at Mon 10 Sep 2018 00:00:00 PM UTC
Key expires at Tue 01 Jan 2024 00:00:00 PM UTC
Is this correct? (y/N) y
Is this correct? (y/N) y
Really create? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
We need to generate a lot of random bytes. It is a good idea to perform
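Review bot: the new expiry line `Key expires at Tue 01 Jan 2024 00:00:00 PM UTC` has the wrong weekday; with the key created on 2023-01-01 and `1y`, 1 January 2024 is a Monday, so this should read `Mon 01 Jan 2024 00:00:00 PM UTC`. The same string is repeated in the hunks at +799 and +882. The old `Mon 10 Sep 2018` was correct for that date, so this is a transcription slip in the new transcript rather than gpg output.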
@ -755,17 +755,17 @@ some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
generator a better chance to gain enough entropy.
sec rsa4096/0xFF3E7D88647EBCDB
sec ed25519/0xFF3E7D88647EBCDB
created: 2017-10-09 expires: never usage: C
created: 2023-01-01 expires: never usage: C
trust: ultimate validity: ultimate
trust: ultimate validity: ultimate
ssb rsa4096/0xBECFA3C1AE191D15
ssb ed25519/0xBECFA3C1AE191D15
created: 2017-10-09 expires: 2018-10-09 usage: S
created: 2023-01-01 expires: 2024-01-01 usage: S
[ultimate] (1). Dr Duh <doc@duh.to>
[ultimate] (1). Dr Duh <doc@duh.to>
```
```
## Encryption
## Encryption
Next, create an [encryption key](https://www.cs.cornell.edu/courses/cs5430/2015sp/notes/rsa_sign_vs_dec.php) by selecting `(6) RSA (encrypt only)`:
Next, create an encryption key by selecting `(12) ECC (encrypt only)`:
```console
```console
gpg> addkey
gpg> addkey
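Review bot: the rewritten lead-in `Next, create an encryption key by selecting (12) ECC (encrypt only):` drops the RSA alternative, while the Signing section keeps `(or (4) RSA (sign only))` and the Authentication section keeps `(or (8) RSA (set your own capabilities))`, and the menu shown in the Signing hunk still lists `(6) RSA (encrypt only)`. A reader following the RSA path loses the pointer here; add `(or (6) RSA (encrypt only))` for consistency with the other two sub-key sections.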
@ -780,10 +780,18 @@ Please select what kind of key you want:
(11) ECC (set your own capabilities)
(11) ECC (set your own capabilities)
(12) ECC (encrypt only)
(12) ECC (encrypt only)
(13) Existing key
(13) Existing key
Your selection? 6
(14) Existing key from card
RSA keys may be between 1024 and 4096 bits long.
Your selection? 12
What keysize do you want? (2048) 4096
Please select which elliptic curve you want:
Requested keysize is 4096 bits
(1) Curve 25519
(3) NIST P-256
(4) NIST P-384
(5) NIST P-521
(6) Brainpool P-256
(7) Brainpool P-384
(8) Brainpool P-512
(9) secp256k1
Your selection? 1
Please specify how long the key should be valid.
Please specify how long the key should be valid.
0 = key does not expire
0 = key does not expire
<n> = key expires in n days
<n> = key expires in n days
@ -791,7 +799,7 @@ Please specify how long the key should be valid.
<n>m = key expires in n months
<n>m = key expires in n months
<n>y = key expires in n years
<n>y = key expires in n years
Key is valid for? (0) 1y
Key is valid for? (0) 1y
Key expires at Mon 10 Sep 2018 00:00:00 PM UTC
Key expires at Tue 01 Jan 2024 00:00:00 PM UTC
Is this correct? (y/N) y
Is this correct? (y/N) y
Really create? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
We need to generate a lot of random bytes. It is a good idea to perform
@ -799,13 +807,13 @@ some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
generator a better chance to gain enough entropy.
sec rsa4096/0xFF3E7D88647EBCDB
sec ed25519/0xFF3E7D88647EBCDB
created: 2017-10-09 expires: never usage: C
created: 2023-01-01 expires: never usage: C
trust: ultimate validity: ultimate
trust: ultimate validity: ultimate
ssb rsa4096/0xBECFA3C1AE191D15
ssb ed25519/0xBECFA3C1AE191D15
created: 2017-10-09 expires: 2018-10-09 usage: S
created: 2023-01-01 expires: 2024-01-01 usage: S
ssb rsa4096/0x5912A795E90DD2CF
ssb cv25519/0x5912A795E90DD2CF
created: 2017-10-09 expires: 2018-10-09 usage: E
created: 2023-01-01 expires: 2024-01-01 usage: E
[ultimate] (1). Dr Duh <doc@duh.to>
[ultimate] (1). Dr Duh <doc@duh.to>
```
```
@ -813,7 +821,7 @@ ssb rsa4096/0x5912A795E90DD2CF
Finally, create an [authentication key](https://superuser.com/questions/390265/what-is-a-gpg-with-authenticate-capability-used-for).
Finally, create an [authentication key](https://superuser.com/questions/390265/what-is-a-gpg-with-authenticate-capability-used-for).
GPG doesn't provide an authenticate-only key type, so select `(8) RSA (set your own capabilities)` and toggle the required capabilities until the only allowed action is `Authenticate`:
GPG doesn't provide an authenticate-only key type, so select `(11) ECC (set your own capabilities)` (or `(8) RSA (set your own capabilities)`) and toggle the required capabilities until the only allowed action is `Authenticate`:
```console
```console
gpg> addkey
gpg> addkey
@ -828,50 +836,45 @@ Please select what kind of key you want:
(11) ECC (set your own capabilities)
(11) ECC (set your own capabilities)
(12) ECC (encrypt only)
(12) ECC (encrypt only)
(13) Existing key
(13) Existing key
Your selection? 8
(14) Existing key from card
Your selection? 11
Possible actions for a RSA key: Sign Encrypt Authenticate
Possible actions for a ECDSA/EdDSA key: Sign Authenticate
Current allowed actions: Sign Encrypt
Current allowed actions: Sign
(S) Toggle the sign capability
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(A) Toggle the authenticate capability
(Q) Finished
(Q) Finished
Your selection? S
Your selection? S
Possible actions for a RSA key: Sign Encrypt Authenticate
Possible actions for a ECDSA/EdDSA key: Sign Authenticate
Current allowed actions: Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? E
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions:
Current allowed actions:
(S) Toggle the sign capability
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(A) Toggle the authenticate capability
(Q) Finished
(Q) Finished
Your selection? A
Your selection? A
Possible actions for a RSA key: Sign Encrypt Authenticate
Possible actions for a ECDSA/EdDSA key: Sign Authenticate
Current allowed actions: Authenticate
Current allowed actions: Authenticate
(S) Toggle the sign capability
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(A) Toggle the authenticate capability
(Q) Finished
(Q) Finished
Your selection? Q
Your selection? Q
RSA keys may be between 1024 and 4096 bits long.
Please select which elliptic curve you want:
What keysize do you want? (2048) 4096
(1) Curve 25519
Requested keysize is 4096 bits
(3) NIST P-256
(4) NIST P-384
(5) NIST P-521
(6) Brainpool P-256
(7) Brainpool P-384
(8) Brainpool P-512
(9) secp256k1
Your selection? 1
Please specify how long the key should be valid.
Please specify how long the key should be valid.
0 = key does not expire
0 = key does not expire
<n> = key expires in n days
<n> = key expires in n days
@ -879,7 +882,7 @@ Please specify how long the key should be valid.
<n>m = key expires in n months
<n>m = key expires in n months
<n>y = key expires in n years
<n>y = key expires in n years
Key is valid for? (0) 1y
Key is valid for? (0) 1y
Key expires at Mon 10 Sep 2018 00:00:00 PM UTC
Key expires at Tue 01 Jan 2024 00:00:00 PM UTC
Is this correct? (y/N) y
Is this correct? (y/N) y
Really create? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
We need to generate a lot of random bytes. It is a good idea to perform
@ -887,15 +890,15 @@ some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
generator a better chance to gain enough entropy.
sec rsa4096/0xFF3E7D88647EBCDB
sec ed25519/0xFF3E7D88647EBCDB
created: 2017-10-09 expires: never usage: C
created: 2023-01-01 expires: never usage: C
trust: ultimate validity: ultimate
trust: ultimate validity: ultimate
ssb rsa4096/0xBECFA3C1AE191D15
ssb ed25519/0xBECFA3C1AE191D15
created: 2017-10-09 expires: 2018-10-09 usage: S
created: 2023-01-01 expires: 2024-01-01 usage: S
ssb rsa4096/0x5912A795E90DD2CF
ssb cv25519/0x5912A795E90DD2CF
created: 2017-10-09 expires: 2018-10-09 usage: E
created: 2023-01-01 expires: 2024-01-01 usage: E
ssb rsa4096/0x3F29127E79649A3D
ssb ed25519/0x3F29127E79649A3D
created: 2017-10-09 expires: 2018-10-09 usage: A
created: 2023-01-01 expires: 2024-01-01 usage: A
[ultimate] (1). Dr Duh <doc@duh.to>
[ultimate] (1). Dr Duh <doc@duh.to>
```
```
@ -923,28 +926,28 @@ Comment:
You selected this USER-ID:
You selected this USER-ID:
"Dr Duh <DrDuh@other.org>"
"Dr Duh <DrDuh@other.org>"
sec rsa4096/0xFF3E7D88647EBCDB
sec ed25519/0xFF3E7D88647EBCDB
created: 2017-10-09 expires: never usage: C
created: 2023-01-01 expires: never usage: C
trust: ultimate validity: ultimate
trust: ultimate validity: ultimate
ssb rsa4096/0xBECFA3C1AE191D15
ssb ed25519/0xBECFA3C1AE191D15
created: 2017-10-09 expires: never usage: S
created: 2023-01-01 expires: 2024-01-01 usage: S
ssb rsa4096/0x5912A795E90DD2CF
ssb cv25519/0x5912A795E90DD2CF
created: 2017-10-09 expires: never usage: E
created: 2023-01-01 expires: 2024-01-01 usage: E
ssb rsa4096/0x3F29127E79649A3D
ssb ed25519/0x3F29127E79649A3D
created: 2017-10-09 expires: never usage: A
created: 2023-01-01 expires: 2024-01-01 usage: A
[ultimate] (1). Dr Duh <doc@duh.to>
[ultimate] (1). Dr Duh <doc@duh.to>
[ unknown] (2). Dr Duh <DrDuh@other.org>
[ unknown] (2). Dr Duh <DrDuh@other.org>
gpg> trust
gpg> trust
sec rsa4096/0xFF3E7D88647EBCDB
sec ed25519/0xFF3E7D88647EBCDB
created: 2017-10-09 expires: never usage: C
created: 2023-01-01 expires: never usage: C
trust: ultimate validity: ultimate
trust: ultimate validity: ultimate
ssb rsa4096/0xBECFA3C1AE191D15
ssb ed25519/0xBECFA3C1AE191D15
created: 2017-10-09 expires: never usage: S
created: 2023-01-01 expires: 2024-01-01 usage: S
ssb rsa4096/0x5912A795E90DD2CF
ssb cv25519/0x5912A795E90DD2CF
created: 2017-10-09 expires: never usage: E
created: 2023-01-01 expires: 2024-01-01 usage: E
ssb rsa4096/0x3F29127E79649A3D
ssb ed25519/0x3F29127E79649A3D
created: 2017-10-09 expires: never usage: A
created: 2023-01-01 expires: 2024-01-01 usage: A
[ultimate] (1). Dr Duh <doc@duh.to>
[ultimate] (1). Dr Duh <doc@duh.to>
[ unknown] (2). Dr Duh <DrDuh@other.org>
[ unknown] (2). Dr Duh <DrDuh@other.org>
@ -961,43 +964,43 @@ Please decide how far you trust this user to correctly verify other users' keys
Your decision? 5
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
Do you really want to set this key to ultimate trust? (y/N) y
sec rsa4096/0xFF3E7D88647EBCDB
sec ed25519/0xFF3E7D88647EBCDB
created: 2017-10-09 expires: never usage: C
created: 2023-01-01 expires: never usage: C
trust: ultimate validity: ultimate
trust: ultimate validity: ultimate
ssb rsa4096/0xBECFA3C1AE191D15
ssb ed25519/0xBECFA3C1AE191D15
created: 2017-10-09 expires: never usage: S
created: 2023-01-01 expires: 2024-01-01 usage: S
ssb rsa4096/0x5912A795E90DD2CF
ssb cv25519/0x5912A795E90DD2CF
created: 2017-10-09 expires: never usage: E
created: 2023-01-01 expires: 2024-01-01 usage: E
ssb rsa4096/0x3F29127E79649A3D
ssb ed25519/0x3F29127E79649A3D
created: 2017-10-09 expires: never usage: A
created: 2023-01-01 expires: 2024-01-01 usage: A
[ultimate] (1). Dr Duh <doc@duh.to>
[ultimate] (1). Dr Duh <doc@duh.to>
[ unknown] (2). Dr Duh <DrDuh@other.org>
[ unknown] (2). Dr Duh <DrDuh@other.org>
gpg> uid 1
gpg> uid 1
sec rsa4096/0xFF3E7D88647EBCDB
sec ed25519/0xFF3E7D88647EBCDB
created: 2017-10-09 expires: never usage: C
created: 2023-01-01 expires: never usage: C
trust: ultimate validity: ultimate
trust: ultimate validity: ultimate
ssb rsa4096/0xBECFA3C1AE191D15
ssb ed25519/0xBECFA3C1AE191D15
created: 2017-10-09 expires: never usage: S
created: 2023-01-01 expires: 2024-01-01 usage: S
ssb rsa4096/0x5912A795E90DD2CF
ssb cv25519/0x5912A795E90DD2CF
created: 2017-10-09 expires: never usage: E
created: 2023-01-01 expires: 2024-01-01 usage: E
ssb rsa4096/0x3F29127E79649A3D
ssb ed25519/0x3F29127E79649A3D
created: 2017-10-09 expires: never usage: A
created: 2023-01-01 expires: 2024-01-01 usage: A
[ultimate] (1)* Dr Duh <doc@duh.to>
[ultimate] (1)* Dr Duh <doc@duh.to>
[ unknown] (2). Dr Duh <DrDuh@other.org>
[ unknown] (2). Dr Duh <DrDuh@other.org>
gpg> primary
gpg> primary
sec rsa4096/0xFF3E7D88647EBCDB
sec ed25519/0xFF3E7D88647EBCDB
created: 2017-10-09 expires: never usage: C
created: 2023-01-01 expires: never usage: C
trust: ultimate validity: ultimate
trust: ultimate validity: ultimate
ssb rsa4096/0xBECFA3C1AE191D15
ssb ed25519/0xBECFA3C1AE191D15
created: 2017-10-09 expires: never usage: S
created: 2023-01-01 expires: 2024-01-01 usage: S
ssb rsa4096/0x5912A795E90DD2CF
ssb cv25519/0x5912A795E90DD2CF
created: 2017-10-09 expires: never usage: E
created: 2023-01-01 expires: 2024-01-01 usage: E
ssb rsa4096/0x3F29127E79649A3D
ssb ed25519/0x3F29127E79649A3D
created: 2017-10-09 expires: never usage: A
created: 2023-01-01 expires: 2024-01-01 usage: A
[ultimate] (1)* Dr Duh <doc@duh.to>
[ultimate] (1)* Dr Duh <doc@duh.to>
[ unknown] (2) Dr Duh <DrDuh@other.org>
[ unknown] (2) Dr Duh <DrDuh@other.org>
@ -1014,12 +1017,12 @@ List the generated secret keys and verify the output:
The card will now be re-configured to generate a key of type: ed25519
```
# Transfer keys
# Transfer keys
**Important** Transferring keys to YubiKey using `keytocard` is a destructive, one-way operation only. Make sure you've made a backup before proceeding: `keytocard` converts the local, on-disk key into a stub, which means the on-disk copy is no longer usable to transfer to subsequent security key devices or mint additional keys.
**Important** Transferring keys to YubiKey using `keytocard` is a destructive, one-way operation only. Make sure you've made a backup before proceeding: `keytocard` converts the local, on-disk key into a stub, which means the on-disk copy is no longer usable to transfer to subsequent security key devices or mint additional keys.
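Review bot: the added line `The card will now be re-configured to generate a key of type: ed25519` reads as gpg output from a card operation, but it lands directly under the `List the generated secret keys and verify the output:` context and immediately before the `# Transfer keys` heading, with no console fence visible around it in this hunk. It looks misplaced; either move it into the `keytocard` transcripts later in the Transfer keys section, where that message belongs, or drop it.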
@ -1519,15 +1561,15 @@ $ gpg --edit-key $KEYID
Secret key is available.
Secret key is available.
sec rsa4096/0xFF3E7D88647EBCDB
sec ed25519/0xFF3E7D88647EBCDB
created: 2017-10-09 expires: never usage: C
created: 2023-01-01 expires: never usage: C
trust: ultimate validity: ultimate
trust: ultimate validity: ultimate
ssb rsa4096/0xBECFA3C1AE191D15
ssb ed25519/0xBECFA3C1AE191D15
created: 2017-10-09 expires: 2018-10-09 usage: S
created: 2023-01-01 expires: 2024-01-01 usage: S
ssb rsa4096/0x5912A795E90DD2CF
ssb cv25519/0x5912A795E90DD2CF
created: 2017-10-09 expires: 2018-10-09 usage: E
created: 2023-01-01 expires: 2024-01-01 usage: E
ssb rsa4096/0x3F29127E79649A3D
ssb ed25519/0x3F29127E79649A3D
created: 2017-10-09 expires: 2018-10-09 usage: A
created: 2023-01-01 expires: 2024-01-01 usage: A
[ultimate] (1). Dr Duh <doc@duh.to>
[ultimate] (1). Dr Duh <doc@duh.to>
```
```
@ -1540,15 +1582,15 @@ Select and transfer the signature key.
```console
```console
gpg> key 1
gpg> key 1
sec rsa4096/0xFF3E7D88647EBCDB
sec ed25519/0xFF3E7D88647EBCDB
created: 2017-10-09 expires: never usage: C
created: 2023-01-01 expires: never usage: C
trust: ultimate validity: ultimate
trust: ultimate validity: ultimate
ssb* rsa4096/0xBECFA3C1AE191D15
ssb* ed25519/0xBECFA3C1AE191D15
created: 2017-10-09 expires: 2018-10-09 usage: S
created: 2023-01-01 expires: 2024-01-01 usage: S
ssb rsa4096/0x5912A795E90DD2CF
ssb cv25519/0x5912A795E90DD2CF
created: 2017-10-09 expires: 2018-10-09 usage: E
created: 2023-01-01 expires: 2024-01-01 usage: E
ssb rsa4096/0x3F29127E79649A3D
ssb ed25519/0x3F29127E79649A3D
created: 2017-10-09 expires: 2018-10-09 usage: A
created: 2023-01-01 expires: 2024-01-01 usage: A
[ultimate] (1). Dr Duh <doc@duh.to>
[ultimate] (1). Dr Duh <doc@duh.to>
gpg> keytocard
gpg> keytocard
@ -1571,15 +1613,15 @@ gpg> key 1
gpg> key 2
gpg> key 2
sec rsa4096/0xFF3E7D88647EBCDB
sec ed25519/0xFF3E7D88647EBCDB
created: 2017-10-09 expires: never usage: C
created: 2023-01-01 expires: never usage: C
trust: ultimate validity: ultimate
trust: ultimate validity: ultimate
ssb rsa4096/0xBECFA3C1AE191D15
ssb ed25519/0xBECFA3C1AE191D15
created: 2017-10-09 expires: 2018-10-09 usage: S
created: 2023-01-01 expires: 2024-01-01 usage: S
ssb* rsa4096/0x5912A795E90DD2CF
ssb* cv25519/0x5912A795E90DD2CF
created: 2017-10-09 expires: 2018-10-09 usage: E
created: 2023-01-01 expires: 2024-01-01 usage: E
ssb rsa4096/0x3F29127E79649A3D
ssb ed25519/0x3F29127E79649A3D
created: 2017-10-09 expires: 2018-10-09 usage: A
created: 2023-01-01 expires: 2024-01-01 usage: A
[ultimate] (1). Dr Duh <doc@duh.to>
[ultimate] (1). Dr Duh <doc@duh.to>
gpg> keytocard
gpg> keytocard
@ -1599,15 +1641,15 @@ gpg> key 2
gpg> key 3
gpg> key 3
sec rsa4096/0xFF3E7D88647EBCDB
sec ed25519/0xFF3E7D88647EBCDB
created: 2017-10-09 expires: never usage: C
created: 2023-01-01 expires: never usage: C
trust: ultimate validity: ultimate
trust: ultimate validity: ultimate
ssb rsa4096/0xBECFA3C1AE191D15
ssb ed25519/0xBECFA3C1AE191D15
created: 2017-10-09 expires: 2018-10-09 usage: S
created: 2023-01-01 expires: 2024-01-01 usage: S
ssb rsa4096/0x5912A795E90DD2CF
ssb cv25519/0x5912A795E90DD2CF
created: 2017-10-09 expires: 2018-10-09 usage: E
created: 2023-01-01 expires: 2024-01-01 usage: E
ssb* rsa4096/0x3F29127E79649A3D
ssb* ed25519/0x3F29127E79649A3D
created: 2017-10-09 expires: 2018-10-09 usage: A
created: 2023-01-01 expires: 2024-01-01 usage: A
[ultimate] (1). Dr Duh <doc@duh.to>
[ultimate] (1). Dr Duh <doc@duh.to>
gpg> keytocard
gpg> keytocard
@ -1630,12 +1672,12 @@ Verify the sub-keys have been moved to YubiKey as indicated by `ssb>`:
gpg: encrypted with RSA key, ID 0x0000000000000000
gpg: encrypted with ECDH key, ID 0x0000000000000000
document.pdf.1580000000.enc -> document.pdf
document.pdf.1580000000.enc -> document.pdf
```
```
@ -1954,14 +2004,14 @@ $ gpg --edit-key $KEYID
Secret key is available.
Secret key is available.
sec rsa4096/0xFF3E7D88647EBCDB
sec ed25519/0xFF3E7D88647EBCDB
created: 2017-10-09 expires: never usage: C
created: 2017-10-09 expires: never usage: C
trust: ultimate validity: ultimate
trust: ultimate validity: ultimate
ssb rsa4096/0xBECFA3C1AE191D15
ssb ed25519/0xBECFA3C1AE191D15
created: 2017-10-09 expires: 2018-10-09 usage: S
created: 2017-10-09 expires: 2018-10-09 usage: S
ssb rsa4096/0x5912A795E90DD2CF
ssb cv25519/0x5912A795E90DD2CF
created: 2017-10-09 expires: 2018-10-09 usage: E
created: 2017-10-09 expires: 2018-10-09 usage: E
ssb rsa4096/0x3F29127E79649A3D
ssb ed25519/0x3F29127E79649A3D
created: 2017-10-09 expires: 2018-10-09 usage: A
created: 2017-10-09 expires: 2018-10-09 usage: A
[ultimate] (1). Dr Duh <doc@duh.to>
[ultimate] (1). Dr Duh <doc@duh.to>
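Review bot: this hunk, and the three that follow at +2019, +2034 and +2049, switch the algorithms to ed25519/cv25519 but leave `created: 2017-10-09 expires: 2018-10-09` unchanged, whereas every earlier hunk in this patch moved the same key listing to `created: 2023-01-01 expires: 2024-01-01`. Either update the dates here too, or, if these listings are meant to show the pre-renewal state in the renewal section, say so in the surrounding prose so the jump back to 2017 does not read as an oversight.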
@ -1969,14 +2019,14 @@ gpg> key 1
Secret key is available.
Secret key is available.
sec rsa4096/0xFF3E7D88647EBCDB
sec ed25519/0xFF3E7D88647EBCDB
created: 2017-10-09 expires: never usage: C
created: 2017-10-09 expires: never usage: C
trust: ultimate validity: ultimate
trust: ultimate validity: ultimate
ssb* rsa4096/0xBECFA3C1AE191D15
ssb* ed25519/0xBECFA3C1AE191D15
created: 2017-10-09 expires: 2018-10-09 usage: S
created: 2017-10-09 expires: 2018-10-09 usage: S
ssb rsa4096/0x5912A795E90DD2CF
ssb cv25519/0x5912A795E90DD2CF
created: 2017-10-09 expires: 2018-10-09 usage: E
created: 2017-10-09 expires: 2018-10-09 usage: E
ssb rsa4096/0x3F29127E79649A3D
ssb ed25519/0x3F29127E79649A3D
created: 2017-10-09 expires: 2018-10-09 usage: A
created: 2017-10-09 expires: 2018-10-09 usage: A
[ultimate] (1). Dr Duh <doc@duh.to>
[ultimate] (1). Dr Duh <doc@duh.to>
@ -1984,14 +2034,14 @@ gpg> key 2
Secret key is available.
Secret key is available.
sec rsa4096/0xFF3E7D88647EBCDB
sec ed25519/0xFF3E7D88647EBCDB
created: 2017-10-09 expires: never usage: C
created: 2017-10-09 expires: never usage: C
trust: ultimate validity: ultimate
trust: ultimate validity: ultimate
ssb* rsa4096/0xBECFA3C1AE191D15
ssb* ed25519/0xBECFA3C1AE191D15
created: 2017-10-09 expires: 2018-10-09 usage: S
created: 2017-10-09 expires: 2018-10-09 usage: S
ssb* rsa4096/0x5912A795E90DD2CF
ssb* cv25519/0x5912A795E90DD2CF
created: 2017-10-09 expires: 2018-10-09 usage: E
created: 2017-10-09 expires: 2018-10-09 usage: E
ssb rsa4096/0x3F29127E79649A3D
ssb ed25519/0x3F29127E79649A3D
created: 2017-10-09 expires: 2018-10-09 usage: A
created: 2017-10-09 expires: 2018-10-09 usage: A
[ultimate] (1). Dr Duh <doc@duh.to>
[ultimate] (1). Dr Duh <doc@duh.to>
@ -1999,14 +2049,14 @@ gpg> key 3
Secret key is available.
Secret key is available.
sec rsa4096/0xFF3E7D88647EBCDB
sec ed25519/0xFF3E7D88647EBCDB
created: 2017-10-09 expires: never usage: C
created: 2017-10-09 expires: never usage: C
trust: ultimate validity: ultimate
trust: ultimate validity: ultimate
ssb* rsa4096/0xBECFA3C1AE191D15
ssb* ed25519/0xBECFA3C1AE191D15
created: 2017-10-09 expires: 2018-10-09 usage: S
created: 2017-10-09 expires: 2018-10-09 usage: S
ssb* rsa4096/0x5912A795E90DD2CF
ssb* cv25519/0x5912A795E90DD2CF
created: 2017-10-09 expires: 2018-10-09 usage: E
created: 2017-10-09 expires: 2018-10-09 usage: E
ssb* rsa4096/0x3F29127E79649A3D
ssb* ed25519/0x3F29127E79649A3D
created: 2017-10-09 expires: 2018-10-09 usage: A
created: 2017-10-09 expires: 2018-10-09 usage: A
[ultimate] (1). Dr Duh <doc@duh.to>
[ultimate] (1). Dr Duh <doc@duh.to>
```
```
@ -2042,7 +2092,7 @@ This will extend the validity of your GPG key and will allow you to use it for S
## Rotating keys
## Rotating keys
Rotating keys is more a bit more involved. First, follow the original steps to generate each sub-key. Previous sub-keys may be kept or deleted from the identity.
Rotating keys is involing a bit more work. First, follow the original steps to generate each sub-key. Previous sub-keys may be kept or deleted from the identity.
Keys can also be generated using template files and the `batch` parameter - see [GnuPG documentation](https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html).
Keys can also be generated using template files and the `batch` parameter - see [GnuPG documentation](https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html).
Start from the [gen-params-rsa4096](contrib/gen-params-rsa4096) template. If you're using GnuPG v2.1.7 or newer, you can also use the ([gen-params-ed25519](contrib/gen-params-ed25519) template. These templates will not set the master key to expire - see [Note #3](#notes).
Start from the [gen-params-ed25519](contrib/gen-params-ed25519) template. If you're using GnuPG v2.1.7 or newer, you can also use the ([gen-params-rsa4096](contrib/gen-params-rsa4096) template. These templates will not set the master key to expire - see [Note #3](#notes).
Generate master key:
Generate master key:
```console
```console
$ gpg --batch --generate-key gen-params-rsa4096
$ gpg --batch --generate-key gen-params-ed25519
gpg: Generating a basic OpenPGP key
gpg: Generating a basic OpenPGP key
gpg: key 0xEA5DE91459B80592 marked as ultimately trusted
gpg: key 0xEA5DE91459B80592 marked as ultimately trusted
gpg: revocation certificate stored as '/tmp.FLZC0xcM/openpgp-revocs.d/D6F924841F78D62C65ABB9588B461860159FFB7B.rev'
gpg: revocation certificate stored as '/tmp.FLZC0xcM/openpgp-revocs.d/D6F924841F78D62C65ABB9588B461860159FFB7B.rev'
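Review bot: the rewritten template sentence inverts the version condition. The old text tied `GnuPG v2.1.7 or newer` to the `gen-params-ed25519` template; the new text ties it to `gen-params-rsa4096`, which has no such requirement, so a reader on an older GnuPG is now told the wrong template is the one that needs a newer version. Keep the requirement with ed25519, e.g. `Start from the gen-params-ed25519 template (requires GnuPG v2.1.7 or newer); the gen-params-rsa4096 template can also be used.` The stray `(` before the second link survives from the old line and should go as well. Separately, `Rotating keys is involing a bit more work.` has a typo; `Rotating keys involves a bit more work.` reads better than either version.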