GPG noninteractive batch sign, trust and send gnupg keys
Published: 01-06-2018 Author: Remy van Elst
Recently a team I consult for started using a shared password manager, pass. It uses GPG keys and presents itself as the standard unix password manager, but in essence it's nothing more than a wrapper around GPG encrypted files. We all had to generate new keys since the team is new and we were not allowed to use existing keys. Using a new, empty keyring, I generated my key and imported their keys. I wanted to trust, sign and publish all keys to a keyserver; this article shows how to do that noninteractively in batch form. Saves me doing the same thing four times.
If you ever want to send me something encrypted, you can find my GPG and S/MIME keys here
I'm using the following GPG version on Ubuntu 18.04:
Do note that I started with an empty slate (new key, empty gnupg keyring) and with all people in the same room. Don't do this on your regular GnuPG keyring, since there you might not want to trust and sign everyone's key. Normally you would just sign and publish the keys of people whose identity you actually verified, at a keysigning party for example.
Machine readable format
I started with an empty keyring, generated a new secret key and then imported the other keys from a folder (gpg --import *.asc). The next step is to trust these keys, sign them and upload them to a keyserver. I can do that by hand using the CLI, but that doesn't scale. This time it's three keys, the next time it will be a hundred. Let's find a way to automate that.
Using gpg --list-keys I can get a list of keys and their IDs:
Parsing shell command output in general is a bad idea since that can change. GnuPG addresses this in the manual page specifically:
Thank you to the GnuPG developers for doing this; if all software were so specific and clear, that would save me a lot of time and effort.
The output of --with-colons looks like this:
This format is documented here. Reading that, it seems I can safely search for 'fpr::::'. The chance that someone puts that in their key name or comment seems small to me.
Using awk I can get the fingerprints, which I need in the next commands to trust, sign and upload the keys:
Printing just the fingerprints:
Trust the keys noninteractively in batch mode
Trusting a key involves going through a menu, setting a trust level and confirming that. Using the flag --command-fd 0 we instruct GnuPG to accept input from STDIN, thus allowing us to use a pipe with the correct input. The following command batch trusts all keys ultimately:
The output looks like this:
The keys are now marked as trusted in the local trust database. We can continue on to sign them.
Signing the keys noninteractively in batch mode
Signing the keys tells other people that we verified the identity of the key owners and trust their keys, confirming that with a signature made by our own key. Because we were all in a room together doing this, I did verify their identity, thus vouching for their public keys.
This command signs all the keys found in the keyring:
Depending on how your key agent is set up, it will prompt you for the passphrase on the command line or in a GUI dialog window.
Output looks like this:
If you want to use a specific key to sign with, for example when you have more than one private key, add the --local-user parameter:
Publishing the keys to a keyserver noninteractively in batch mode
Now that all keys are trusted and signed we can publish the result to a keyserver so that we can tell the entire world about these new trust relations. You can probably guess the command; it uses the same loop as before:
Output looks like below:
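The whole pipeline from this article in one script, as an added example and not the author's own code: it pulls the primary-key fingerprints out of a constructed sample of --with-colons output (the keyring is made up) and echoes, rather than runs, the trust, sign and send commands for each one, so the list can be checked before it touches a real keyring; the keyserver URL is a placeholder. It also covers two cases the fpr search above glosses over: subkeys get their own fpr record, and a uid can contain the text 'fpr:::::' itself.

```shell
#!/bin/sh
# Added example (not from the article): turn `gpg --list-keys --with-colons`
# output into primary-key fingerprints and build the batch commands for each.

# Constructed sample of --with-colons output. Key one has a subkey, which
# gets its own fpr record; key two has a uid containing the text "fpr:::::".
SAMPLE_COLONS='tru::1:1528000000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1527800000::::::scESC::::::23::0:
fpr:::::::::AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555:
uid:u::::1527800000::0123ABCD::Alice Example <alice@example.com>::::::::::0:
sub:u:4096:1:FEDCBA9876543210:1527800000::::::e::::::23:
fpr:::::::::9999888877776666555544443333222211110000:
pub:-:2048:1:1122334455667788:1527800000::::::scESC::::::23::0:
fpr:::::::::1234567890ABCDEF1234567890ABCDEF12345678:
uid:-::::1527800000::89ABCDEF::Bob fpr::::: Tricky <bob@example.com>::::::::::0:'

# Print one primary fingerprint per line: field 10 of the fpr record that
# directly follows a pub record. Matching on the record type instead of a
# regex skips subkey fingerprints and anything a uid happens to contain.
primary_fingerprints() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "fpr" && want { print $10; want = 0; next }
        { want = 0 }
    '
}

# Build the three noninteractive commands from the article for one fingerprint
# (5 = ultimate trust, y = confirm). They are echoed, not executed, so the
# list can be reviewed before it touches a real keyring.
trust_sign_send_commands() {
    fpr="$1"
    keyserver="${KEYSERVER:-hkps://keyserver.example.invalid}"   # placeholder
    printf '%s\n' \
        "printf '5\\ny\\n' | gpg --command-fd 0 --expert --edit-key $fpr trust" \
        "gpg --batch --yes --sign-key $fpr" \
        "gpg --keyserver $keyserver --send-keys $fpr"
}

printf '%s\n' "$SAMPLE_COLONS" | primary_fingerprints | while read -r fpr; do
    trust_sign_send_commands "$fpr"
done
```

To run it against a real keyring, replace the sample with `gpg --list-keys --with-colons` and pipe the echoed commands into sh once they look right.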
That's all there is to it. Some shell commands chained together to save me a lot of time and effort. Just the way I like it.