Usage example of --generate-key
The --generate-key option (or its alias --gen-key) is the standard command to create a new key. It will ask for the required parameters and use the current default values for the other parameters:
~$ gpg --generate-key
Note: Use "gpg --full-generate-key" for a full featured key generation dialog.
GnuPG needs to construct a user ID to identify your key.
Real name: Herschel Krustofski
Email address: krusty@example.org
You selected this USER-ID:
"Herschel Krustofski <krusty@example.org>"
Change (N)ame, (E)mail, or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: revocation certificate stored as '/home/krusty/.gnupg/openpgp-revocs.d/8559231A339CE807F6273C79D300A9185D446A3F.rev'
public and secret key created and signed.
pub rsa3072 2023-11-14 [SC] [expires: 2025-11-13]
8559231A339CE807F6273C79D300A9185D446A3F
uid Herschel Krustofski <krusty@example.org>
sub rsa3072 2023-11-14 [E] [expires: 2025-11-13]
Note that, depending on the activity of the computer you are generating the key on, the part of the message prompting you to perform other actions to generate random bytes can be repeated several times (until enough random data has been read to generate the key).
A dialog will also appear (usually in the form of a graphical dialog, not shown in the output above) to choose a new password.
Usage example of --quick-generate-key
In its simplest form, this option can be used with only a user ID (usually in the form FirstName LastName <user@domain>) to quickly generate a new key.
When called from a terminal, GnuPG will then ask for a confirmation and then immediately proceed to the generation of the key using the default algorithm, usage and expiration date:
~$ gpg --quick-generate-key "Herschel Krustofski <krusty@example.org>"
About to create a key for:
"Herschel Krustofski <krusty@example.org>"
Continue? (Y/n)
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: revocation certificate stored as '/home/krusty/.gnupg/openpgp-revocs.d/F56FCA6280B943E9B2F1EE1495E10A06B75A3863.rev'
public and secret key created and signed.
pub rsa3072 2023-11-14 [SC] [expires: 2025-11-13]
F56FCA6280B943E9B2F1EE1495E10A06B75A3863
uid Herschel Krustofski <krusty@example.org>
sub rsa3072 2023-11-14 [E]
As with the option --generate-key, a dialog will also appear (usually in the form of a graphical window, not shown in the output above) to choose a new password.
The option --quick-generate-key accepts the following arguments:
user-id [algo [usage [expire]]]
A different expiration date can be specified by using the value default for the algorithm and usage values. The date itself can be specified as the expire argument value in different formats:
- use the ISO formats YYYY-MM-DD or YYYYMMDDThhmmss to specify a fixed date;
- use seconds=N, Nd, Nw, Nm, or Ny to make the key expire in N seconds, N days, N weeks, N months, or N years respectively;
- the values never, none can be used for no expiration date (the key will be valid indefinitely);
- if - or no value is provided, the key will expire in the default interval (usually 1 year on a default configuration).
Therefore, to generate a new key that expires in two years, use the following command:
gpg --quick-gen-key "Herschel Krustofski <krusty@example.org>" default default 2y
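The expire formats listed above, worked through as an added example (not part of the original page and not GnuPG's own code). It assumes a month counts as 30 days and a year as 365 days, which is consistent with the outputs on this page: a key created on 2023-11-14 with 2y expires on 2025-11-13, not 2025-11-14. The names parse_expire, UNIT_DAYS and CREATED, the sample creation time and the UTC reading of fixed dates are assumptions of this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: fixed-length units, in days (a month is 30 days, a year 365).
UNIT_DAYS = {"d": 1, "w": 7, "m": 30, "y": 365}

# Constructed sample creation time, chosen to match the 2023-11-14 runs above.
CREATED = datetime(2023, 11, 14, 16, 53, 3, tzinfo=timezone.utc)


def parse_expire(value, created, default_interval):
    """Return the expiration time for an `expire` argument, or None if the
    key never expires. `default_interval` is what "-" or no value maps to."""
    if value in (None, "", "-"):
        value = default_interval
    if value in ("never", "none"):
        return None

    m = re.fullmatch(r"seconds=(\d+)", value)
    if m:
        return created + timedelta(seconds=int(m.group(1)))

    m = re.fullmatch(r"(\d+)([dwmy])", value)
    if m:
        return created + timedelta(days=int(m.group(1)) * UNIT_DAYS[m.group(2)])

    # Fixed dates: YYYY-MM-DD or YYYYMMDDThhmmss, read as UTC (assumption).
    for fmt in ("%Y-%m-%d", "%Y%m%dT%H%M%S"):
        try:
            fixed = datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
        if fixed <= created:
            # This example's own sanity check: an expiry in the past is a typo.
            raise ValueError(f"expiration {value!r} is not after creation")
        return fixed

    raise ValueError(f"unsupported expire value: {value!r}")


if __name__ == "__main__":
    for arg in ("2y", "1y", "6m", "seconds=3600", "2025-11-13", "never", "-"):
        print(f"{arg:>14} -> {parse_expire(arg, CREATED, '1y')}")
```

Because the units are fixed lengths, an interval that spans a leap day lands one calendar day earlier than the anniversary, which matters when scheduling key renewal reminders.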
Usage example of --full-generate-key
This option will generate a new key pair with dialogs for all options (whenever a default value is available, pressing Enter will use it and continue the process):
~$ gpg --full-generate-key
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(14) Existing key from card
Your selection?
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072)
Requested keysize is 3072 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Wed Nov 13 17:53:03 2024 CET
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: Herschel Krustofski
Email address: krusty@example.org
Comment:
You selected this USER-ID:
"Herschel Krustofski <krusty@example.org>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: revocation certificate stored as '/home/krusty/.gnupg/openpgp-revocs.d/E8E8A9017162381A97C1F51741A20960CD84C3F9.rev'
public and secret key created and signed.
pub rsa3072 2023-11-14 [SC] [expires: 2024-11-13]
E8E8A9017162381A97C1F51741A20960CD84C3F9
uid Herschel Krustofski <krusty@example.org>
sub rsa3072 2023-11-14 [E] [expires: 2024-11-13]
As with the other options, a dialog will also appear (usually in the form of a graphical window, not shown in the output above) to choose a new password.
If you use the commands proposed on this page on your system, you will probably get the following additional lines at the top of their output:
gpg (GnuPG) 2.2.40; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
If you want to suppress this message, use the --no-greeting option, or uncomment or add the following line in your GnuPG configuration file .gnupg/gpg.conf in your home directory:
no-greeting