Creating a new GPG key

The following instructions provide a guide to generate a GnuPG key and are based, with permission, on a post to Ana's blog.

$ gpg --list-keys --with-subkey-fingerprint  7A33ECAA188B96F27C917288B3464F896AA15948
pub   rsa4096 2009-05-10 [SC]
      7A33ECAA188B96F27C917288B3464F896AA15948
uid           [ unknown] Ana Beatriz Guerrero López <ana@ekaia.org>
uid           [ unknown] Ana Beatriz Guerrero López <ana@debian.org>
sub   rsa4096 2009-05-10 [E]
      3626E7E07292B683510AF413FAD83EDD2497B8B2

As a side note, we have been often asked why do we mention 2048 bits. We do prefer 4096 bit keys, and if you don't have a reason to require a 2048 bit key, we'd be much happier having the 4096 bit ones. We know of many smartcards that are able to hold only 2048 bit keys, however, and their use is accepted.

Please note that the requirement to migrate away from DSA keys to RSA keys is not only because of the key length, but because of the stronger algorithm as well. (There are classes of failure in traditional DSA that are not present in RSA)

Install Debian gpg package

Ensure the gpg Debian package is installed, providing the GnuPG command line interface.

Update ~/.gnupg/gpg.conf

With GnuPG 2.x , the default options are recommended, and users must simply keep their software up to date. Previously tweaked configurations may be less secure than the defaults, and should be reviewed or deleted.

Create key

user@debian10buster:~$ gpg --gen-key --default-new-key-algo=rsa4096/cert,sign+rsa4096/encr
gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory '/home/user/.gnupg' created
gpg: keybox '/home/user/.gnupg/pubring.kbx' created
Note: Use "gpg --full-generate-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

Real name: Test User
Email address: test@example.org
You selected this USER-ID:
    "Test User <test@example.org>"

Change (N)ame, (E)mail, or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
gpg: key B9ACCA8647EEE39C marked as ultimately trusted
gpg: directory '/home/user/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/user/.gnupg/openpgp-revocs.d/10AD8FDD6D88F8AB92E6158BB9ACCA8647EEE39C.rev'
public and secret key created and signed.

pub   rsa4096 2021-05-22 [SC] [expires: 2023-05-22]
      10AD8FDD6D88F8AB92E6158BB9ACCA8647EEE39C
uid                      Test User <test@example.org>
sub   rsa4096 2021-05-22 [E] [expires: 2023-05-22]

user@debian10buster:~$

Add other UID

If one needs to add more than one email address to their key, the --edit-key menu may be used along with the adduid task:

user@debian10buster:~$ gpg --edit-key 10AD8FDD6D88F8AB92E6158BB9ACCA8647EEE39C
gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2023-05-22
sec  rsa4096/B9ACCA8647EEE39C
     created: 2021-05-22  expires: 2023-05-22  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/D82D266547A12BB5
     created: 2021-05-22  expires: 2023-05-22  usage: E
[ultimate] (1). Test User <test@example.org>

gpg> adduid
Real name: Test User Business
Email address: test@business.example
Comment: 
You selected this USER-ID:
    "Test User Business <test@business.example>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

sec  rsa4096/B9ACCA8647EEE39C
     created: 2021-05-22  expires: 2023-05-22  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/D82D266547A12BB5
     created: 2021-05-22  expires: 2023-05-22  usage: E
[ultimate] (1)  Test User <test@example.org>
[ unknown] (2). Test User Business <test@business.example>

gpg> save
user@debian10buster:~$

Set primary UID

(Only needed if you've added more than one UID as above)

user@debian10buster:~$ gpg --edit-key 10AD8FDD6D88F8AB92E6158BB9ACCA8647EEE39C
gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2023-05-22
sec  rsa4096/B9ACCA8647EEE39C
     created: 2021-05-22  expires: 2023-05-22  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/D82D266547A12BB5
     created: 2021-05-22  expires: 2023-05-22  usage: E
[ultimate] (1). Test User Business <test@business.example>
[ultimate] (2)  Test User <test@example.org>

gpg> uid 2

sec  rsa4096/B9ACCA8647EEE39C
     created: 2021-05-22  expires: 2023-05-22  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/D82D266547A12BB5
     created: 2021-05-22  expires: 2023-05-22  usage: E
[ultimate] (1). Test User Business <test@business.example>
[ultimate] (2)* Test User <test@example.org>

gpg> primary

sec  rsa4096/B9ACCA8647EEE39C
     created: 2021-05-22  expires: 2023-05-22  usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/D82D266547A12BB5
     created: 2021-05-22  expires: 2023-05-22  usage: E
[ultimate] (1)  Test User Business <test@business.example>
[ultimate] (2)* Test User <test@example.org>

gpg> save
user@debian10buster:~$

Send new key to key server

gpg --keyserver pool.sks-keyservers.net --send-key 90A808023328BD4E58143AC5E6CB7939B6C3AAB7
Note that since GnuPG 2.1, the dirmngr utility is invoked by gpg to access OpenPGP servers and perform the upload and download of keys.