GPG
Configuration
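Show short key IDs when listing keys (a short ID is only the last 8 hex digits of the fingerprint and is not unique, so compare the full fingerprint when verifying a key):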
echo "keyid-format short" >> ~/.gnupg/gpg.conf
Generation
Generate a primary key to sign and certify, and a subkey to encrypt:
gpg --full-generate-key
gpg (GnuPG) 2.5.18; Copyright (C) 2025 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(9) ECC (sign and encrypt) *default*
(10) ECC (sign only)
(14) Existing key from card
(16) ECC and Kyber
Your selection?
Please select which elliptic curve you want:
(1) Curve 25519 *default*
(4) NIST P-384
(6) Brainpool P-256
Your selection?
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: John Doe
Email address: john@doe.net
Comment:
You selected this USER-ID:
"John Doe <john@doe.net>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: revocation certificate stored as '/home/jdoe/.gnupg/openpgp-revocs.d/4960E99609DA1753CC6798800DB4D7504AFFB5E4.rev'
public and secret key created and signed.
pub ed25519/4AFFB5E4 2026-03-25 [SC]
4960E99609DA1753CC6798800DB4D7504AFFB5E4
uid John Doe <john@doe.net>
sub cv25519/D76499B8 2026-03-25 [E]
58C2231CAEAF923DB403051E3CFD617FD76499B8
Edit the key to add a signing subkey:
gpg --edit-key 4AFFB5E4
gpg (GnuPG) 2.5.18; Copyright (C) 2025 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec ed25519/4AFFB5E4
created: 2026-03-25 expires: never usage: SC
trust: ultimate validity: ultimate
ssb cv25519/D76499B8
created: 2026-03-25 expires: never usage: E
[ultimate] (1). John Doe <john@doe.net>
gpg> addkey
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(10) ECC (sign only)
(12) ECC (encrypt only)
(14) Existing key from card
(17) Kyber (encrypt only)
Your selection? 10
Please select which elliptic curve you want:
(1) Curve 25519 *default*
(4) NIST P-384
(6) Brainpool P-256
Your selection?
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
sec ed25519/4AFFB5E4
created: 2026-03-25 expires: never usage: SC
trust: ultimate validity: ultimate
ssb cv25519/D76499B8
created: 2026-03-25 expires: never usage: E
ssb ed25519/2AAA329B
created: 2026-03-25 expires: never usage: S
[ultimate] (1). John Doe <john@doe.net>
gpg> quit
Save changes? (y/N) y
Edit the key to add an additional user ID and trust it:
gpg --edit-key 4AFFB5E4
gpg (GnuPG) 2.5.18; Copyright (C) 2025 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u
sec ed25519/4AFFB5E4
created: 2026-03-25 expires: never usage: SC
trust: ultimate validity: ultimate
ssb cv25519/D76499B8
created: 2026-03-25 expires: never usage: E
ssb ed25519/2AAA329B
created: 2026-03-25 expires: never usage: S
[ultimate] (1). John Doe <john@doe.net>
gpg> adduid
Real name: John Doe
Email address: john@doe.org
Comment:
You selected this USER-ID:
"John Doe <john@doe.org>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
sec ed25519/4AFFB5E4
created: 2026-03-25 expires: never usage: SC
trust: ultimate validity: ultimate
ssb cv25519/D76499B8
created: 2026-03-25 expires: never usage: E
ssb ed25519/2AAA329B
created: 2026-03-25 expires: never usage: S
[ultimate] (1) John Doe <john@doe.net>
[ unknown] (2). John Doe <john@doe.org>
gpg> uid 2
sec ed25519/4AFFB5E4
created: 2026-03-25 expires: never usage: SC
trust: ultimate validity: ultimate
ssb cv25519/D76499B8
created: 2026-03-25 expires: never usage: E
ssb ed25519/2AAA329B
created: 2026-03-25 expires: never usage: S
[ultimate] (1) John Doe <john@doe.net>
[ unknown] (2)* John Doe <john@doe.org>
gpg> trust
sec ed25519/4AFFB5E4
created: 2026-03-25 expires: never usage: SC
trust: ultimate validity: ultimate
ssb cv25519/D76499B8
created: 2026-03-25 expires: never usage: E
ssb ed25519/2AAA329B
created: 2026-03-25 expires: never usage: S
[ultimate] (1) John Doe <john@doe.net>
[ unknown] (2)* John Doe <john@doe.org>
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
sec ed25519/4AFFB5E4
created: 2026-03-25 expires: never usage: SC
trust: ultimate validity: ultimate
ssb cv25519/D76499B8
created: 2026-03-25 expires: never usage: E
ssb ed25519/2AAA329B
created: 2026-03-25 expires: never usage: S
[ultimate] (1) John Doe <john@doe.net>
[ unknown] (2)* John Doe <john@doe.org>
gpg> quit
Save changes? (y/N) y
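The following is an added example, not part of the original page: a shell function that reads the machine-readable listing (gpg --list-keys --with-colons) and checks for the layout built above, that is a certifying primary key, an encryption subkey and a signing subkey, printing full fingerprints and counting keys that never expire. The function names and the sample listing are assumptions made for illustration; the sample is constructed from the key shown on this page, and the signing subkey's fingerprint is a placeholder.

```shell
#!/bin/sh
# Added example: check key layout from `gpg --list-keys --with-colons` output.
# Colon-record fields used (GnuPG doc/DETAILS): 1 = record type, 7 = expiry
# (empty means never), 10 = fingerprint on fpr records, 12 = capabilities.

audit_key_listing() {
    awk -F: '
        $1 == "pub" || $1 == "sub" {
            kind = $1
            expiry = ($7 == "") ? "never" : $7
            caps = $12
            gsub(/[A-Z]/, "", caps)   # upper case = whole-key summary, drop it
            pending = 1               # the next fpr record belongs to this key
            next
        }
        $1 == "fpr" && pending {
            pending = 0
            printf "%s %s caps=%s expires=%s\n", kind, $10, caps, expiry
            if (kind == "pub" && caps ~ /c/) certify = 1
            if (kind == "sub" && caps ~ /s/) sign_sub = 1
            if (kind == "sub" && caps ~ /e/) encr_sub = 1
            if (expiry == "never") never++
        }
        END {
            if (!certify)  { print "MISSING primary key with certify capability"; bad = 1 }
            if (!sign_sub) { print "MISSING signing subkey"; bad = 1 }
            if (!encr_sub) { print "MISSING encryption subkey"; bad = 1 }
            if (never)     print "NOTE " never " key(s) never expire"
            exit bad + 0              # non-zero status when the layout is incomplete
        }
    '
}

# Constructed sample: the key from this page after addkey. The last
# fingerprint is a placeholder; the page shows only its short ID 2AAA329B.
sample_listing() {
    cat <<'EOF'
pub:u:255:22:0DB4D7504AFFB5E4:1774396800:::u:::scESC:::::ed25519:::0:
fpr:::::::::4960E99609DA1753CC6798800DB4D7504AFFB5E4:
uid:u::::1774396800::::John Doe <john@doe.net>::::::::::0:
sub:u:255:18:3CFD617FD76499B8:1774396800::::::e:::::cv25519::
fpr:::::::::58C2231CAEAF923DB403051E3CFD617FD76499B8:
sub:u:255:22:AAAAAAAA2AAA329B:1774396800::::::s:::::ed25519::
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA2AAA329B:
EOF
}

sample_listing | audit_key_listing
```

To check a real key, pipe gpg --list-keys --with-colons 4960E99609DA1753CC6798800DB4D7504AFFB5E4 into audit_key_listing; the exit status is non-zero when one of the three key roles is missing.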
Trust
Sign a new key with an old one:
gpg --default-key 57FAD989 --sign-key 4AFFB5E4
sec ed25519/4AFFB5E4
created: 2026-03-25 expires: never usage: SC
trust: ultimate validity: ultimate
ssb cv25519/D76499B8
created: 2026-03-25 expires: never usage: E
ssb ed25519/2AAA329B
created: 2026-03-25 expires: never usage: S
[ultimate] (1). John Doe <john@doe.org>
[ultimate] (2) John Doe <john@doe.net>
Really sign all user IDs? (y/N) y
gpg: using "57FAD989" as default secret key for signing
sec ed25519/4AFFB5E4
created: 2026-03-25 expires: never usage: SC
trust: ultimate validity: ultimate
4960E99609DA1753CC6798800DB4D7504AFFB5E4
John Doe <john@doe.org>
John Doe <john@doe.net>
Are you sure that you want to sign this key with your
key "John Doe <john.doe@yahoo.com>" (57FAD989)
Really sign? (y/N) y
Backup
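Export the public and private keys to ASCII-armored files (gpg-priv.asc holds the secret key material, protected only by the key's passphrase, so store it offline):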
gpg --export --armor 4AFFB5E4 > gpg-pub.asc
gpg --export-secret-keys --armor 4AFFB5E4 > gpg-priv.asc
Import the public and private keys:
gpg --import gpg-pub.asc
gpg --import gpg-priv.asc
Deletion
If keys have been generated but not published, they can be deleted (the secret key first, then the public key):
gpg --list-secret-keys
[keyboxd]
---------
sec ed25519/4AFFB5E4 2026-03-25 [SC]
4960E99609DA1753CC6798800DB4D7504AFFB5E4
uid [ultimate] John Doe <john@doe.net>
ssb cv25519/D76499B8 2026-03-25 [E]
58C2231CAEAF923DB403051E3CFD617FD76499B8
gpg --delete-secret-key 4AFFB5E4
gpg --delete-key 4AFFB5E4