Subkey Generation / SmartCard
David Gueguen
davidgueguen2000 at yahoo.fr
Sat Apr 15 09:25:48 CEST 2017
Hello Christoph,
With the new gpg version (>2.15) you can more easily generate subkeys.
* Hereafter, subkeys are added to the main keyring $key_id, each RSA1024:
1 for Sign, 1 for Encrypt, 1 for Auth
echo "$var_pass_poem" | gpg2 --no-verbose --pinentry-mode loopback \
  --batch --no-tty --yes --passphrase-fd 0 --quick-addkey --passphrase '' \
  $key_id rsa1024 sign 1y
echo "$var_pass_poem" | gpg2 --no-verbose --pinentry-mode loopback \
  --batch --no-tty --yes --passphrase-fd 0 --quick-addkey --passphrase '' \
  $key_id rsa1024 encrypt 1y
echo "$var_pass_poem" | gpg2 --no-verbose --pinentry-mode loopback \
  --batch --no-tty --yes --passphrase-fd 0 --quick-addkey --passphrase '' \
  $key_id rsa1024 auth 1y
The " echo $var_pass_poem | " trick allows you to pass the pass poem as a
variable and so avoid any keyboard interaction.
* Here is the automated keytocard (with keyboard interaction); check that
the exported keys are the good ones ...
# runs inside a shell function (hence "local"); one --edit-key command per line
local cmd="key 2\nkeytocard\n1\ny\nkey 2\nkey 3\nkeytocard\n2\ny\nkey 3\nkey 4\nkeytocard\n3\ny\nsave\nY\n"
echo -e "$cmd" | gpg2 --no-verbose --command-fd 0 --status-fd 2 \
  --edit-key $key_id
* btw: here is how I generate the main keyring:
echo "
Key-Type: $var_key_type
Key-Usage: sign cert
Key-Length: $var_key_lenght
Subkey-Type: $var_key_type
Subkey-Usage: encrypt
Subkey-Length: $var_key_lenght
Name-Real: $var_name
Name-Comment: $var_comment
Name-Email: $var_mail
Keyserver: $var_web_path
Expire-Date: $var_expiracy
Passphrase: $var_pass_poem
Preferences: $var_pref
" > gen_key_script # creating SC and E keys
gpg2 --batch --full-gen-key gen_key_script
I am also trying to make the gpg card ready to go in an automated way:
https://github.com/bourinus/gpg_SmartCard_generation
Hope this helps,
Best rgds,
david
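An added check for the keytocard step above (my own example, not from David's scripts nor from the linked repository): after the keytocard run, pipe the output of gpg2 --list-secret-keys --with-colons $key_id into this function. It requires one sign, one encrypt and one auth subkey (field 12 of the ssb record) to each report the card serial number in field 15, which is how gpg marks a secret subkey that now lives on the token. The two sample listings inside it are constructed, with fake key ids and a fake card serial.

```shell
#!/bin/sh
# Reads `gpg2 --list-secret-keys --with-colons $key_id` on stdin and checks
# that a sign, an encrypt and an auth subkey (field 12 = s / e / a) each
# carry a card serial number in field 15.  Empty, '+' (secret still on
# disk) or '#' (bare stub) means that subkey did not make it to the card.
verify_subkeys_on_card() {
    awk -F: '
        $1 == "ssb" {
            caps = $12; serial = $15
            on_card = (serial != "" && serial != "+" && serial != "#")
            n = split("s e a", want, " ")
            for (i = 1; i <= n; i++) {
                c = want[i]
                if (index(caps, c) == 0) continue
                seen[c] = 1
                if (on_card) card[c] = serial
                else printf("warning: %s subkey %s still on disk\n", c, $5) > "/dev/stderr"
            }
        }
        END {
            rc = 0
            n = split("s e a", want, " ")
            for (i = 1; i <= n; i++) {
                c = want[i]
                if (!(c in seen)) { printf("missing %s subkey\n", c) > "/dev/stderr"; rc = 1 }
                else if (!(c in card)) { printf("%s subkey not on card\n", c) > "/dev/stderr"; rc = 1 }
                else printf("%s subkey on card %s\n", c, card[c])
            }
            exit rc
        }'
}

# Constructed sample listings (fake key ids and card serial, not from a real
# key): SAMPLE_OK has all three subkeys on the card, SAMPLE_BAD still has
# the auth subkey on disk.
SAMPLE_OK='sec:u:2048:1:1111111111111111:1492248348:1523784348::u:::scESC:::+:::23::0:
ssb:u:1024:1:2222222222222222:1492248400:1523784400:::::s:::D2760001240102010006000000010000:::23::0:
ssb:u:1024:1:3333333333333333:1492248401:1523784401:::::e:::D2760001240102010006000000010000:::23::0:
ssb:u:1024:1:4444444444444444:1492248402:1523784402:::::a:::D2760001240102010006000000010000:::23::0:'
SAMPLE_BAD='sec:u:2048:1:1111111111111111:1492248348:1523784348::u:::scESC:::+:::23::0:
ssb:u:1024:1:2222222222222222:1492248400:1523784400:::::s:::D2760001240102010006000000010000:::23::0:
ssb:u:1024:1:3333333333333333:1492248401:1523784401:::::e:::D2760001240102010006000000010000:::23::0:
ssb:u:1024:1:4444444444444444:1492248402:1523784402:::::a:::+:::23::0:'

# usage: check_sample "$SAMPLE_OK"   (exit status 0 only if s, e, a are all on the card)
check_sample() {
    printf '%s\n' "$1" | verify_subkeys_on_card
}
```

With a real listing, replace check_sample with: gpg2 --list-secret-keys --with-colons $key_id | verify_subkeys_on_card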
On 14/04/2017 20:47, Christoph J wrote:
> I am trying to batch provision yubikeys.
>
> Using the --batch, I can generate the initial key, but I am unable to
> add more than a single subkey.
>
> Is there a way to batch provision subkeys, specifying the usage
> (signing, encryption, auth) without having to go into --edit-key /
> interactive mode?
>
> On the same topic, is there a way to do 'keytocard', again without
> having to do --edit-key --> toggle --> keytocard interactively?
>
> Any insight on this would be most helpful. Thanks!