I’m interning for the PGP Clean Room Project, which aims to code best practices for using GnuPG into the workflow in order to make it easier for users to create and manage their keys. The live disc already contains code for partitioning and mounting the sd cards, and setting up a sample gpg.conf. For my first task, I decided to start building a basic TUI to gather the user’s info and preferences for the primary and secondary encryption keys, as well as for additional subkeys and uids, and then create the keys based on the user’s input. See the code on github.
I also explored different ways to run the gpg2 commands non-interactively. One option is Unattended Key Generation using the –batch option, however that doesn’t allow for multiple subkeys or setting a different expiration date for the subkey than for the primary key.
gpg2 --gen-key --batch gen-key-script
gpg2 --expert --full-gen-key --batch gen-key-script
The –command-fd and –command-file options also allow you to bypass the interactive prompt:
echo "uid 1\nprimary\nsave\n" | gpg2 --command-fd 0 --status-fd 2 --edit-key 'Joe Tester'
Newer versions of gpg2 simplify the creation of primary/subkeys and editing of keys with one liners such as:
gpg2 --quick-gen-key 'User Name <email@example.com>' rsa4096 sign 3y
gpg2 --quick-addkey <fingerprint> rsa2048 encrypt 1y
gpg2 --quick-adduid <fingerprint> <primary-uid> <new-uid>
Aside from making life easier for command line users, gpg 2.1.x also supports ECC keys and creates a revocation certificates by default.