I worked on creating the whiptail and corresponding gpg scripts for 4 options for primary and/or secondary/subkey generation.
1) A “Quick” Generate Primary and Secondary Key task that only asks the user for the UID and password and creates an rsa4096 primary key, an rsa2048 secondary key and an rsa2048 laptop signing subkey.
2) A “Custom” Generate Primary and Secondary Key task that gives the user more flexibility in algo, usage and expiry, but still adheres to PGP best practices. For the primary key, the user chooses between rsa4096 key or an ECC curve, sign/cert or cert only for usage, and the expiry. For the secondary encryption key, the user also chooses between RSA and ECC, but can choose a key length between 2048 and 4096, and the expiry.
3) Generate Primary Key Only: Same as the primary key generation for #2
4) Generate a Custom Subkey: The user gets to choose between rsa<2048-4096>, dsa<2048-3072>, elg<2048-4096>, and an ECC curve, and choose the usage and expiry. The tricky part was making sure that the usage matched the algorithm. For example, DSA is only capable of sign and auth, while RSA can do sign, auth, and encrypt. ECC curves are capable of all usages, however, encrypt cannot overlap with sign/auth for any curve, even though the name of the curve is the same. So I used radio and checkboxes to make it as easy as possible for the user.
These options follow the best practices outlined at riseup and Debian Wiki pages, such as:
The primary key should use a strong algorithm and should only have the usages cert and/or sign.
Subkeys can be 2048-4096 bits, preferably RSA, DSA-2 or ECC.
UID shouldn’t ask for a comment
DSA-1024 is deprecated so I restricted DSA to a minimum of 2048.