Generate Gpg Key Without Passphrase

Posted on  by 

Originally I had a couple extra steps to use rng-tools to seed entropy from /dev/urandom. Apparently this is a bad idea because it will just feed bytes regardless of whether there's enough entropy. I'm not able to generate GPG keys in linux sudo gpg -gen-key # This is the command to try to generate key error You need a Passphrase to protect your secret key. If you are on version 2.1.17 or greater, paste the text below to generate a GPG key pair. $ gpg -full-generate-key; If you are not on version 2.1.17 or greater, the gpg -full-generate-key command doesn't work. Paste the text below and skip to step 6. $ gpg -default-new-key-algo rsa4096 -gen-key.

This tutorial series will teach you how to use GPG in Linux terminal. I will not tell you a bunch of theory to overwhelm you. Instead, I show you quick and dirty examples to get you started, and explain the basic theory along the way.

This is part 1 of this series. At the end of this post, you should be able to generate your own public/private keypair and a revocation certificate. This certificate is used to revoke your public/private keypair when your private key is compromised or you forget the passphrase for your private key.

GPG can be used for encryption and for signing. This software is pre-installed on most Linux distributions. Currently the stable version is GPG 2.0. I’m using the modern version GPG 2.2 on Arch Linux.

Check Your GPG Version

First Let’s check out the version of GPG on your system and some interesting tidbits. Run the following command.


As you can see, I’m using GPG 2.2.8, which is the latest version. We also know that the configuration directory is ~/.gnupg, which will hold our public/private key files. The default option file is ~/.gnupg/gpg.conf and ~/.gnupg/dirmngr.conf. It also tells us what algorithms are supported.

If you look closely, you can see that the insecure hash algorithm SHA1 is still supported in version 2.2.8 SHA1 is obsolete and you don’t want to use it to generate signature.

Create Your Public/Private Key Pair and Revocation Certificate

Use gpg --full-gen-key command to generate your key pair.

It asks you what kind of key you want. Notice there’re four options. The default is to create a RSA public/private key pair and also a RSA signing key. Let’s hit Enter to select the default.

Next it asks you the key length. The default is 2048 bits long. 1024 RSA key is obsolete. The longer 4096 RSA key will not provide more security than 2048 RSA key. So hit Enter to select the default.

After that it asks you how long the key should be valid, 2 years is fine. You can always update the expiration time later on.

Now it asks you if it’s correct. Notice that the default is No. So press y then Enter to confirm it’s correct.

And now we need to provide some user identification information for the key. This is important because this information will be included in our key. It’s one way of indicating who is owner of this key. The email address is a unique identifier for a person. You can leave Comment blank.

Select Okay.

Now it asks you to enter a passphrase to protect your private key. Enter a good and long passphrase and remember it. Because if you forget this passphrase, you won’t be able to unlock you private key.

Once you enter and confirm your passphrase. GPG will generate your keys.

It will take a while for GPG to generate your keys. So you can now do other stuff.

It took about 4 minutes on my system to generate my key pair.

This first line tells us that GPG created a unique identifier for public key. This unique identifier is in hex format. When someone wants to download you public key, they can refer to you public key via your email address or this hex value.

The third line tells us that GPG created a revocation certificate and its directory.Your should never share you private key with anyone.If you private key is compromised, you can use revocateion certificate to revoke your key. That means you tell the rest of the world that the old public key shall not be used any more.I suggest that you open this revocation certificate with your text editor to see what’s inside there.

Let’s look at the last three lines. They tell us the public key is 2048 bits using RSA algorithm. The public key ID 4F0BDACC matchs the last 8 bits of key fingerprint. The key fingerprint is a hash of your public key.

It also lists our user ID information: your name and your email address. And it also indicates the subkey which is 2048 bits using RSA algorithm and the unique identifier of the subkey.

Now you can find that there are two files created under ~/.gnupg/private-keys-v1.d/ directory. These two files are binary files with .key extension.

Export Your Public Key

Others need your public key to send encrypted message to you and only your private key can decrypt it. Use the following command to export your public key. --armor option means that the output is ASCII armored. The default is to create the binary OpenPGP format. user-id is your email address.

The exported public key is written to pubkey.asc file.

Export Your Private Key

Issue the following command to export your private key.

The exported key is written to privkey.asc file.

Protect Your Private Key and Revocation Certificate

Your private key should be kept in a safe place, like an encrypted flash drive. Treat it like your house key. Only you can have it and don’t lose it. And you must remember your passphrase, otherwise you can’t unlock your private key.

You should also protect your revocation certificate. If others have your revocation certificate, they can immediately revoke your public/private keypair and generate a fake public/priavte keypair.

In part 2 we will look at how to encrypt message with your public key and how to decrypt it with your private key. Take care!

[Total: 6 Average: 4.7]

Previous: The quick key manipulation interface, Up: Unattended Usage of GPG [Contents][Index]

4.5.4 Unattended key generation

The command --generate-key may be used along with the option--batch for unattended key generation. This is the mostflexible way of generating keys, but it is also the most complex one.Consider using the quick key manipulation interface described in theprevious subsection “The quick key manipulation interface”.

The parameters for the key are either read from stdin or given as afile on the command line. The format of the parameter file is asfollows:

  • Text only, line length is limited to about 1000 characters.
  • UTF-8 encoding must be used to specify non-ASCII characters.
  • Empty lines are ignored.
  • Leading and trailing white space is ignored.
  • A hash sign as the first non white space character indicates a comment line.
  • Control statements are indicated by a leading percent sign, the arguments are separated by white space from the keyword.
  • Parameters are specified by a keyword, followed by a colon. Arguments are separated by white space.
  • The first parameter must be ‘Key-Type’; control statements may be placed anywhere.
  • The order of the parameters does not matter except for ‘Key-Type’ which must be the first parameter. The parameters are only used for the generated keyblock (primary and subkeys); parameters from previous sets are not used. Some syntactically checks may be performed.
  • Key generation takes place when either the end of the parameter file is reached, the next ‘Key-Type’ parameter is encountered or at the control statement ‘%commit’ is encountered.

Control statements:

%echo text

Print text as diagnostic. /color-code-on-key-switch-for-generator-parsun.html.

%dry-run

Suppress actual key generation (useful for syntax checking).

%commit

Perform the key generation. Note that an implicit commit is done atthe next Key-Type parameter.

%pubring filename

Do not write the key to the default or commandline given keyring butto filename. This must be given before the first commit to takeplace, duplicate specification of the same filename is ignored, thelast filename before a commit is used. The filename is used until anew filename is used (at commit points) and all keys are written tothat file. If a new filename is given, this file is created (andoverwrites an existing one).

See the previous subsection “Ephemeral home directories” for a morerobust way to contain side-effects.

%secring filename

This option is a no-op for GnuPG 2.1 and later.

See the previous subsection “Ephemeral home directories”.

%ask-passphrase
%no-ask-passphrase

This option is a no-op for GnuPG 2.1 and later.

%no-protection

Using this option allows the creation of keys without any passphraseprotection. This option is mainly intended for regression tests.

%transient-key

If given the keys are created using a faster and a somewhat lesssecure random number generator. This option may be used for keyswhich are only used for a short time and do not require fullcryptographic strength. /letitbit-premium-key-generator-2015.html. It takes only effect if used together withthe control statement ‘%no-protection’.

General Parameters:

Key-Type: algo

Starts a new parameter block by giving the type of the primarykey. The algorithm must be capable of signing. This is a requiredparameter. algo may either be an OpenPGP algorithm number or astring with the algorithm name. The special value ‘default’ maybe used for algo to create the default key type; in this case a‘Key-Usage’ shall not be given and ‘default’ also be usedfor ‘Subkey-Type’.

Key-Length: nbits

The requested length of the generated key in bits. The default isreturned by running the command ‘gpg --gpgconf-list’.

Key-Grip: hexstring

This is optional and used to generate a CSR or certificate for analready existing key. Key-Length will be ignored when given.

Key-Usage: usage-list

Space or comma delimited list of key usages. Allowed values are‘encrypt’, ‘sign’, and ‘auth’. This is used togenerate the key flags. Please make sure that the algorithm iscapable of this usage. Note that OpenPGP requires that all primarykeys are capable of certification, so no matter what usage is givenhere, the ‘cert’ flag will be on. If no ‘Key-Usage’ isspecified and the ‘Key-Type’ is not ‘default’, all allowedusages for that particular algorithm are used; if it is not given but‘default’ is used the usage will be ‘sign’.

Subkey-Type: algo

Generate Gpg Key Without Passphrase Password

This generates a secondary key (subkey). Currently only one subkeycan be handled. See also ‘Key-Type’ above.

Subkey-Length: nbits

Length of the secondary key (subkey) in bits. The default is returnedby running the command ‘gpg --gpgconf-list’.

Subkey-Usage: usage-list

Key usage lists for a subkey; similar to ‘Key-Usage’.

Generate
Passphrase: string

If you want to specify a passphrase for the secret key, enter it here.Default is to use the Pinentry dialog to ask for a passphrase.

Name-Real: name
Name-Comment: comment
Name-Email: email

The three parts of a user name. Remember to use UTF-8 encoding here.If you don’t give any of them, no user ID is created.

Expire-Date: iso-date (number[d w m y])

Set the expiration date for the key (and the subkey). It may eitherbe entered in ISO date format (e.g. '20000815T145012') or as number ofdays, weeks, month or years after the creation date. The specialnotation 'seconds=N' is also allowed to specify a number of secondssince creation. Without a letter days are assumed. Note that thereis no check done on the overflow of the type used by OpenPGP fortimestamps. Thus you better make sure that the given value makesense. Although OpenPGP works with time intervals, GnuPG uses anabsolute value internally and thus the last year we can represent is2105.

Creation-Date: iso-date

Set the creation date of the key as stored in the key information andwhich is also part of the fingerprint calculation. Either a date like'1986-04-26' or a full timestamp like '19860426T042640' may be used.The time is considered to be UTC. The special notation 'seconds=N'may be used to directly specify a the number of seconds since Epoch(Unix time). If it is not given the current time is used.

Preferences: string

Set the cipher, hash, and compression preference values for this key.This expects the same type of string as the sub-command ‘setpref’in the --edit-key menu.

Revoker: algo:fpr [sensitive]

Add a designated revoker to the generated key. Algo is the public keyalgorithm of the designated revoker (i.e. RSA=1, DSA=17, etc.)fpr is the fingerprint of the designated revoker. The optional‘sensitive’ flag marks the designated revoker as sensitiveinformation. Only v4 keys may be designated revokers.

Generate Gpg Key Without Passphrase Download

Generate Gpg Key Without Passphrase

Generate Gpg Key Without Passphrase Download

Keyserver: string

This is an optional parameter that specifies the preferred keyserverURL for the key.

Handle: string

This is an optional parameter only used with the status linesKEY_CREATED and KEY_NOT_CREATED. string may be up to 100characters and should not contain spaces. It is useful for batch keygeneration to associate a key parameter block with a status line.

Here is an example on how to create a key in an ephemeral home directory:

What Is A Gpg Key

If you want to create a key with the default algorithms you would usethese parameters:

Gpg Decrypt Without Passphrase

Previous: The quick key manipulation interface, Up: Unattended Usage of GPG [Contents][Index]

Coments are closed
Macos Generate Ssh Key PubGenerate Activation Key From Hardware Id Online
Scroll to top