Gpg Generate Key Batch Mode

gen-key-script

Nov 24, 2013  Generating More Secure GPG Keys: A Step-by-Step Guide (this post) / Using an OpenPGP Smartcard with GnuPG

In this post, I'll cover the generation of a new GPG key and removal of the primary key, one of two mitigation strategies mentioned in the previous post.

When I run without the --batch flag, gpg expects input. I'm hoping there is some flag to gpg that I've missed. Alternatively, a library (preferably python) that will interact with a key server would do.

    $ gpg --yes --output test.gpg --encrypt --recipient janedoe@abc.com test.out
    gpg: FC8B84A4: There is no assurance this key belongs to the named user
    pub  2048g/FC8B84A4 2006-05-16 jdoe@abc.com
     Primary key fingerprint: 3D8A 4A1C 2E78 386D B127 C705 47B3 C177 6E2B 6A83
          Subkey fingerprint: 85C9 A419 B16C 4815 3C65 D8C3 A11E 62A3 FC8B 84A4
    It is NOT certain that the key.

The command --generate-key may be used along with the option --batch for unattended key generation. This is the most flexible way of generating keys, but it is also the most complex one. Consider using the quick key manipulation interface described in the previous subsection “The quick key manipulation.

GnuPG uses a somewhat more sophisticated scheme in which a user has a primary keypair and then zero or more additional subordinate keypairs. The primary and subordinate keypairs are bundled to facilitate key management, and the bundle can often be considered simply as one keypair.

Key-Type: 1
Key-Length: 2048
Subkey-Type: 1
Subkey-Length: 2048
Name-Real: Root Superuser
Name-Email: root@handbook.westarete.com
Expire-Date: 0
install.bash

GnuPG expects keys to be imported into the keyring, so run gpg --import key-file first. There are hacks using --keyring your-key-file, but simply importing the key file is the safer way to go. For scripted/programmed operations, best practice is to always specify the full fingerprint, never a short key ID.

# Generate the key
gpg --batch --gen-key gen-key-script
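To show the unattended generation above and the "always use the full fingerprint" advice working together, here is an added Python example (not part of the gist or of GnuPG's own tooling). It renders a gen-key-script like the one in the gist, runs gpg --batch --gen-key in a throwaway GNUPGHOME, and then parses gpg's machine-readable --with-colons listing to recover the full fingerprint for later scripted use. The %no-protection and %commit control statements, the colon record layout (fingerprint in field 10 of an fpr record) and the sample listing embedded below are assumptions about GnuPG 2.1+ behaviour; the sample listing is constructed, not captured from a real key.

```python
"""Unattended GnuPG key generation from a parameter file, plus fingerprint
extraction so that follow-up scripted operations address the key by its full
fingerprint rather than an ambiguous short key ID."""
import os
import shutil
import subprocess
import tempfile


def build_gen_key_script(name, email, key_length=2048, expire="0",
                         passphrase=None):
    """Render the parameter file consumed by `gpg --batch --gen-key`.

    Key-Type 1 is RSA, as in the gist. On GnuPG 2.1+ an unattended run with
    no passphrase needs the %no-protection control statement (assumption),
    otherwise gpg blocks waiting for a pinentry. %commit tells gpg to
    actually generate the key with the parameters collected so far."""
    lines = [
        "Key-Type: 1",
        f"Key-Length: {key_length}",
        "Subkey-Type: 1",
        f"Subkey-Length: {key_length}",
        f"Name-Real: {name}",
        f"Name-Email: {email}",
        f"Expire-Date: {expire}",
    ]
    if passphrase is None:
        lines.append("%no-protection")
    else:
        lines.append(f"Passphrase: {passphrase}")
    lines.append("%commit")
    return "\n".join(lines) + "\n"


# Constructed sample of `gpg --with-colons --fingerprint --list-keys` output:
# one primary key with a single encryption subkey. Not from a real keyring.
SAMPLE_COLONS = """\
tru::1:1700000000:0:3:1:5
pub:u:2048:1:0123456789ABCDEF:1700000000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1700000000::0000000000000000000000000000000000000000::Root Superuser <root@example.invalid>::::::::::0:
sub:u:2048:1:FEDCBA9876543210:1700000000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
"""


def parse_fingerprints(colon_output):
    """Return [(primary_fingerprint, [subkey_fingerprints]), ...].

    In colon output every `pub`/`sub` record is followed by an `fpr` record
    whose fingerprint sits in field 10 (index 9). The parser tracks which
    record the next fpr belongs to instead of trusting positional order."""
    keys = []
    current = None
    pending = None  # "pub" or "sub": what the next fpr record describes
    for line in colon_output.splitlines():
        fields = line.split(":")
        rec = fields[0]
        if rec == "pub":
            current = [None, []]
            keys.append(current)
            pending = "pub"
        elif rec == "sub":
            pending = "sub"
        elif rec == "fpr" and current is not None and len(fields) > 9:
            if pending == "pub":
                current[0] = fields[9]
            elif pending == "sub":
                current[1].append(fields[9])
            pending = None
    return [(primary, subs) for primary, subs in keys]


def generate_key(script_text, homedir):
    """Generate a key in an isolated GNUPGHOME and return its full primary
    fingerprint, or None when gpg is not installed on this machine."""
    gpg = shutil.which("gpg")
    if gpg is None:
        return None
    os.chmod(homedir, 0o700)  # gpg refuses a world-readable home directory
    env = dict(os.environ, GNUPGHOME=homedir)
    script_path = os.path.join(homedir, "gen-key-script")
    with open(script_path, "w") as f:
        f.write(script_text)
    subprocess.run([gpg, "--batch", "--gen-key", script_path],
                   env=env, check=True)
    listing = subprocess.run(
        [gpg, "--batch", "--with-colons", "--fingerprint", "--list-keys"],
        env=env, check=True, capture_output=True, text=True).stdout
    keys = parse_fingerprints(listing)
    # Stop the agent that gpg started for this throwaway home directory.
    subprocess.run(["gpgconf", "--kill", "gpg-agent"], env=env, check=False)
    return keys[0][0] if keys else None


if __name__ == "__main__":
    script = build_gen_key_script("Root Superuser", "root@example.invalid")
    with tempfile.TemporaryDirectory() as home:
        print("primary fingerprint:", generate_key(script, home))
```

The fingerprint returned by generate_key is what later steps (encrypting with --recipient, exporting, signing) should be given; the 8-hex-digit short IDs shown in the page's listings are not unique and should not be used in scripts.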

commented Feb 13, 2014

Here's a page that describes the options for the gen-key script: http://www.gnupg.org/documentation/manuals/gnupg-devel/Unattended-GPG-key-generation.html

commented Feb 13, 2014

Originally I had a couple extra steps to use rng-tools to seed entropy from /dev/urandom. Apparently this is a bad idea because it will just feed bytes regardless of whether there's enough entropy. Here's where I got the original idea, and the subsequent discussion of why it's bad.

For new machines, we should generate the keys on our laptops where there's much more entropy to draw from, and then transfer them to the new server, just like we're currently doing with the encrypted data bag secret.

commented Feb 19, 2018

This is awesome, thank you.

commented Jan 23, 2019

I configured libvirt to use /dev/urandom of the host: https://libvirt.org/formatdomain.html#elementsRng
That way keys generated within the VM should be ok.

commented Apr 9, 2019
edited

Thanks, that was really helpful.
I got what I needed from: https://www.gnupg.org/documentation/manuals/gnupg-devel/Unattended-GPG-key-generation.html


gpg and gpg2 both fail when trying to sign a key on the keyring without input
from the terminal. Despite passing various combinations of --yes, --batch, and
--no-tty, gpg either fails or prompts /dev/tty for confirmation.

I was building a GUI that would help automate key-signing parties, but gpg won't
let my GUI fork a gpg subprocess to sign a key!!!

gpg2 --status-fd 2 --no-tty --yes --passphrase-fd 3 3</tmp/1 --sign-key moglen@ </tmp/2
gpg: Sorry, no terminal at all requested - can't get input

gpg2 --status-fd 2 --batch --yes --passphrase-fd 3 3</tmp/1 --sign-key moglen@ </tmp/2

pub 4096R/3E908FC3 created: 2010-12-21 expires: never usage: SC

sub 2048R/901254EE created: 2010-12-21 expires: never usage: A
sub 4096R/7294318C created: 2010-12-21 expires: never usage: E
[ unknown] (1). Eben Moglen <moglen@columbia.edu>
[ unknown] (2) Eben Moglen <eben@moglen.us>
[ unknown] (3) Eben Moglen <moglen@gnu.org>
[ unknown] (4) Eben Moglen <em21@columbia.edu>
[ unknown] (5) Eben Moglen <eben@softwarefreedom.org>
[ unknown] (6) Eben Moglen <moglen@softwarefreedom.org>

gpg: Sorry, we are in batchmode - can't get input


Here's with gpg1:
gpg --status-fd 2 --yes --passphrase-fd 3 3</tmp/1 --sign-key moglen@ </tmp/2
Reading passphrase from file descriptor 3

pub 4096R/3E908FC3 created: 2010-12-21 expires: never usage: SC

sub 2048R/901254EE created: 2010-12-21 expires: never usage: A
sub 4096R/7294318C created: 2010-12-21 expires: never usage: E
[ unknown] (1). Eben Moglen <moglen@columbia.edu>
[ unknown] (2) Eben Moglen <eben@moglen.us>
[ unknown] (3) Eben Moglen <moglen@gnu.org>
[ unknown] (4) Eben Moglen <em21@columbia.edu>
[ unknown] (5) Eben Moglen <eben@softwarefreedom.org>
[ unknown] (6) Eben Moglen <moglen@softwarefreedom.org>

Really sign all user IDs? (y/N)


I am happy to propose a patch if you're interested in fixing this. It looks
like my GUI will have to make a pseudo-tty and feed it 'y's if I have to work
around this!!!