Hello, I would like to automate the generation of GPG master keys (I have hundreds of smartcards to configure for employees). I'm using the default GPG from CentOS 7 (gnupg 2.0.22).
Ideally, I would like to have:

- 1 masterkey with only the "certify" usage, stored offline.
- 1 subkey with only "encryption" usage, backed up offline, imported on the smartcard.
- 1 subkey with only "authenticate" usage, generated on the smartcard.
- 1 subkey with only "sign" usage, generated on the smartcard.

I guess this is a rather regular setup. Now my users are not super tech-savvy, so ideally I would like to generate the initial keys and configure the smart card before giving them.

I first tried to generate the master keys using the batch mode, but I can't find a way to generate master keys with only "certify" usage. Quoting the documentation:

> Key-Usage: usage-list
> Space or comma delimited list of key usages. Allowed values are ‘encrypt’,
> ‘sign’, and ‘auth’. This is used to generate the key flags. Please make sure that the algorithm
> is capable of this usage. Note that OpenPGP requires that all primary keys
> are capable of certification, so no matter what usage is given here, the
> ‘cert’ flag will be on. If no ‘Key-Usage’ is specified and the ‘Key-Type’
> is not ‘default’, all allowed usages for that particular algorithm are
> used; if it is not given but ‘default’ is used the usage will be ‘sign’.

So "cert" is a default for primary keys. If I do not provide any "Key-Usage", all usages will be set. If I do provide a "Key-Usage", then my master key is not "certify only" anymore. Is there something I missed here?

Currently, I fall back to writing an expect script to automate the key generation. The handling of passphrase input with possibly different pinentry programs makes the expect script insane to read and fragile in practice.

Any help or advice greatly appreciated!

Cheers,
Aurelien
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
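The post above asks two things in practice: how to request a certify-only primary key from a batch parameter file, and how to know afterwards whether GnuPG actually produced one. The script below is an added example, not code from the thread or from the GnuPG project. It writes a batch parameter file and then checks the capability field of `gpg --with-colons --list-keys` output (field 12 of `pub`/`sub` records, lowercase letters for the key itself, uppercase for the whole key) so that a provisioning script can refuse to continue if the primary key ended up with `s` or `e` flags. The `Key-Usage: cert` line is, to my understanding, accepted by GnuPG 2.1 and later (which also offer `--quick-generate-key ... cert` and `--quick-add-key`); whether GnuPG 2.0.22 honours it is exactly what the check answers, so the check is the part to keep regardless of version. The name, e-mail, the `PASSPHRASE` variable, `RUN_GPG` guard and the sample listings are constructed placeholders.

```shell
#!/bin/sh
# Added example: build a GnuPG batch parameter file for a certify-only primary
# key and verify, from colon-format listing output, that the primary key really
# carries only the "c" capability. Not from the original thread.
set -eu

# Emit a batch parameter file for `gpg --batch --gen-key`.
# $1 = real name, $2 = e-mail (both assumed/constructed by the caller).
# The passphrase is read from the PASSPHRASE environment variable so that no
# pinentry program is involved; for an offline master key, set it in the
# provisioning environment only and never store it beside the key.
write_params() {
  cat <<EOF
%echo Generating certify-only primary key for $1
Key-Type: RSA
Key-Length: 4096
Key-Usage: cert
Name-Real: $1
Name-Email: $2
Expire-Date: 0
Passphrase: ${PASSPHRASE:?set PASSPHRASE for the offline master key}
%commit
%echo done
EOF
}

# Print the per-key (lowercase) capability letters of every record of type $2
# ("pub" or "sub") in the colon listing $1, space separated, in listing order.
# Field 12 of pub/sub records is the capability field; uppercase letters there
# describe the whole key (primary plus subkeys) and are stripped.
caps_of() {
  printf '%s\n' "$1" | awk -F: -v t="$2" '
    $1 == t { gsub(/[A-Z]/, "", $12); out = out (out == "" ? "" : " ") $12 }
    END { print out }'
}

# Succeed only if the primary key carries exactly the "c" capability.
check_primary_cert_only() {
  [ "$(caps_of "$1" pub)" = "c" ]
}

# Constructed sample listings (key IDs and fingerprints are placeholders):
# a good result (cert-only primary, one subkey each for E, S and A) ...
SAMPLE_GOOD='pub:u:4096:1:0000000000000001:1500000000:::u:::cESCA::::::::::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:u::::1500000000::0000000000000000000000000000000000000002::Example User <user@example.com>::::::::::0:
sub:u:4096:1:0000000000000002:1500000000::::::e::::::23:
sub:u:4096:1:0000000000000003:1500000000::::::s::::::23:
sub:u:4096:1:0000000000000004:1500000000::::::a::::::23:'
# ... and the result the post describes, where the primary also got "s".
SAMPLE_BAD='pub:u:4096:1:0000000000000005:1500000000:::u:::scESCA::::::::::0:'

# Real run, only when explicitly requested, e.g.:
#   RUN_GPG=1 GNUPGHOME=/tmp/offline-master PASSPHRASE=... sh gen.sh "Alice Example" alice@example.com
if [ "${RUN_GPG:-0}" = 1 ]; then
  : "${GNUPGHOME:?set GNUPGHOME to an empty directory on the offline machine}"
  write_params "${1:?name}" "${2:?email}" | gpg --batch --gen-key
  LISTING=$(gpg --batch --with-colons --list-keys)
  if check_primary_cert_only "$LISTING"; then
    echo "primary key is certify-only; subkeys: $(caps_of "$LISTING" sub)"
  else
    echo "primary key capabilities are '$(caps_of "$LISTING" pub)', not 'c': stop provisioning" >&2
    exit 2
  fi
fi
```

Running the check after generation, rather than trusting the parameter file, is what makes the script safe to use across GnuPG versions: a primary key that unexpectedly carries `s` would otherwise be handed to hundreds of users as if it were certify-only.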