What is GPG

GPG, or GNU Privacy Guard, is the GNU implementation of the OpenPGP protocol.

Creating an Elliptic Curve Key

If you are creating new cryptographic keys, it is recommended to use elliptic-curve algorithms. (Note that elliptic-curve cryptography, including Curve25519, is not quantum-resistant; its advantages are short keys and fast operations.)

To start, run this command:

gpg --full-gen-key --expert

Now select option 11 for the most customizable ECC key:

gpg (GnuPG) 2.4.4; Copyright (C) 2024 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
   (9) ECC (sign and encrypt) *default*
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (13) Existing key
  (14) Existing key from card
Your selection? 11


By default the primary (certify) key also has the sign capability. To remove it, toggle the sign capability by typing S:

Possible actions for this ECC key: Sign Certify Authenticate 
Current allowed actions: Sign Certify 

   (S) Toggle the sign capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? S


After the sign capability has been removed from the primary key, type Q to go to the next step:

Possible actions for this ECC key: Sign Certify Authenticate 
Current allowed actions: Certify 

   (S) Toggle the sign capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? Q


Here you can choose the curve you want to use; if you don't know what these are, stick with the default option:

Please select which elliptic curve you want:
   (1) Curve 25519 *default*
   (2) Curve 448
   (3) NIST P-256
   (4) NIST P-384
   (5) NIST P-521
   (6) Brainpool P-256
   (7) Brainpool P-384
   (8) Brainpool P-512
   (9) secp256k1
Your selection? 1


Here you can specify the expiration date of your key.

I personally don't add an expiration date to the certify part of my key; you can add one to the subkeys later if you wish.

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0


If you want a key that does not expire, you need to confirm that with a y:

Key does not expire at all
Is this correct? (y/N) y


Here you are prompted to give

  • your name
  • your email address
  • and a comment

    Here you can leave the comment field empty.

After entering your information, hit O for Okay:

GnuPG needs to construct a user ID to identify your key.

Real name: John Doe
Email address: example@example.org
Comment:                          
You selected this USER-ID:
    "John Doe <example@example.org>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O


Now the key is generated. However, you can't sign or encrypt data yet, because the key does not have those capabilities; for that you need to create subkeys, one for each specific task.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/5C4C7E7DA7590AB6F65311F3AC79B735D907815B.rev'
public and secret key created and signed.

pub   ed25519 2024-05-06 [C]
      5C4C7E7DA7590AB6F65311F3AC79B735D907815B
uid                      John Doe <example@example.org>

Subkeys

--edit-key is the option to edit your key, followed by the key's ID or e-mail address.

For me it would be the following command:

gpg --edit-key 5C4C7E7DA7590AB6F65311F3AC79B735D907815B
gpg (GnuPG) 2.4.4; Copyright (C) 2024 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  ed25519/AC79B735D907815B
     created: 2024-05-06  expires: never       usage: C   
     trust: ultimate      validity: ultimate
[ultimate] (1). John Doe <example@example.org>

Signing Subkey Generation

addkey is the command to add new subkeys:

gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
  (10) ECC (sign only)
  (12) ECC (encrypt only)
  (14) Existing key from card
Your selection? 10

The default curve is fine, we can leave it; just hit Enter:

Please select which elliptic curve you want:
   (1) Curve 25519 *default*
   (4) NIST P-384
   (6) Brainpool P-256
Your selection? 

When it comes to subkeys, a lot of sources may tell you to add an expiration date; I personally don't.

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

And you have to confirm your choice twice with a y:

Really create? (y/N) y

And now you have a subkey with the sign capability.

Encrypting Subkey Generation

The process is very similar to the signing subkey generation, with a few changes:

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.


sec  ed25519/AC79B735D907815B
     created: 2024-05-06  expires: never       usage: C
     trust: ultimate      validity: ultimate
ssb  ed25519/A432A550FEDFA048
     created: 2024-05-14  expires: never       usage: S
[ultimate] (1). John Doe <example@example.org>

gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
  (10) ECC (sign only)
  (12) ECC (encrypt only)
  (14) Existing key from card
Your selection? 12
Please select which elliptic curve you want:
   (1) Curve 25519 *default*
   (4) NIST P-384
   (6) Brainpool P-256
Your selection?
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y

Don't forget to save your changes when you are done:

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

sec  ed25519/AC79B735D907815B
     created: 2024-05-06  expires: never       usage: C
     trust: ultimate      validity: ultimate
ssb  ed25519/A432A550FEDFA048
     created: 2024-05-14  expires: never       usage: S
ssb  cv25519/F1026CA440600CEC
     created: 2024-05-14  expires: never       usage: E
[ultimate] (1). John Doe <example@example.org>

gpg> save
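To confirm that the finished key really has the layout built above (a certify-only primary key, a signing subkey and an encryption subkey), here is an added shell check that is not part of the original post. It parses the machine-readable output of gpg --list-keys --with-colons and is run here on a constructed sample listing that is assumed to match the key IDs and dates shown above; the hidden uid hash value in the sample is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): audit the key layout this
# tutorial builds. check_key_layout reads `gpg --list-keys --with-colons`
# output on stdin, prints one summary line per key record and returns 0 for
# one certify-only primary key with at least one signing (S) and one
# encryption (E) subkey, 1 otherwise.
check_key_layout() {
    awk -F: '
        # Field 12 is the capability field: lowercase letters are the
        # capabilities of this record itself, uppercase letters summarise
        # the whole keyblock (primary plus subkeys), so strip those.
        function own_caps(f,   s) { s = f; gsub(/[^a-z]/, "", s); return s }
        # Field 7 is the expiration time in epoch seconds; empty means never.
        function expiry(f) { if (f == "") return "never"; return f }
        $1 == "pub" { npub++; pcaps = own_caps($12)
                      printf "primary %s %s usage=%s expires=%s\n", $5, $17, toupper(pcaps), expiry($7) }
        $1 == "sub" { c = own_caps($12)
                      if (c ~ /s/) nsign++
                      if (c ~ /e/) nenc++
                      printf "subkey  %s %s usage=%s expires=%s\n", $5, $17, toupper(c), expiry($7) }
        END {
            ok = (npub == 1 && pcaps == "c" && nsign >= 1 && nenc >= 1)
            if (!ok) printf "layout check FAILED: primaries=%d primary_caps=%s sign=%d enc=%d\n", npub, pcaps, nsign, nenc
            exit (ok ? 0 : 1)
        }'
}

# Constructed sample of the colon listing for the key built in this tutorial
# (key IDs, curves and dates taken from the post; field order per GnuPG's
# doc/DETAILS). For a real key use: gpg --list-keys --with-colons <keyid>
SAMPLE_GOOD='pub:u:256:22:AC79B735D907815B:1714953600:::u:::cESC:::::ed25519::0:
fpr:::::::::5C4C7E7DA7590AB6F65311F3AC79B735D907815B:
uid:u::::1714953600::0123456789ABCDEF0123456789ABCDEF01234567::John Doe <example@example.org>::::::::::0:
sub:u:256:22:A432A550FEDFA048:1715644800::::::s:::::ed25519:
sub:u:256:18:F1026CA440600CEC:1715644800::::::e:::::cv25519:'

# Constructed counter-example: the primary kept the sign capability (the
# default this tutorial toggles off with S) and no encryption subkey exists.
SAMPLE_BAD='pub:u:256:22:AC79B735D907815B:1714953600:::u:::scSC:::::ed25519::0:
sub:u:256:22:A432A550FEDFA048:1715644800::::::s:::::ed25519:'

# Wrapper returning only the check result for a listing passed as a string.
layout_ok() { printf '%s\n' "$1" | check_key_layout >/dev/null 2>&1; }

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_GOOD" | check_key_layout && echo "good layout accepted"
    printf '%s\n' "$SAMPLE_BAD" | check_key_layout || echo "bad layout rejected, as expected"
fi
```

The same layout can be produced without the interactive menus using gpg --quick-generate-key '<user id>' ed25519 cert never, then gpg --quick-add-key <fingerprint> ed25519 sign never and gpg --quick-add-key <fingerprint> cv25519 encr never. To audit a real key, pipe gpg --list-keys --with-colons <keyid> into check_key_layout.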