@JonasGroeger
Last active January 11, 2024 14:32
Creating a GPG key


$ gpg --expert --full-gen-key
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
   (9) ECC and ECC
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (13) Existing key
  (14) Existing key from card
Your selection? 9                                                   <---- ECC for smaller key
Please select which elliptic curve you want:
   (1) Curve 25519
   (3) NIST P-256
   (4) NIST P-384
   (5) NIST P-521
   (6) Brainpool P-256
   (7) Brainpool P-384
   (8) Brainpool P-512
   (9) secp256k1
Your selection? 1                                                   <----
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 3y                                            <----
Key expires at Fri Jun 28 20:17:27 2024 UTC
Is this correct? (y/N) y                                            <----

GnuPG needs to construct a user ID to identify your key.

Real name: Example User                                             <----
Email address: user@example.com                                     <----
Comment:                                                            <----
You selected this USER-ID:
    "Example User <user@example.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O               <----
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 9C9FD267C51419DA marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/1F3E4E51C954EE281DF0C0D19C9FD267C51419DA.rev'
public and secret key created and signed.

pub   ed25519 2021-06-29 [SC] [expires: 2024-06-28]
      1F3E4E51C954EE281DF0C0D19C9FD267C51419DA
uid                      Example User <user@example.com>
sub   cv25519 2021-06-29 [E] [expires: 2024-06-28]
$ gpg --list-keys
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2024-06-28
/root/.gnupg/pubring.kbx
------------------------
pub   ed25519 2021-06-29 [SC] [expires: 2024-06-28]
      1F3E4E51C954EE281DF0C0D19C9FD267C51419DA
uid           [ultimate] Example User <user@example.com>
sub   cv25519 2021-06-29 [E] [expires: 2024-06-28]

Upload

Upload the key to

.

$ gpg --armor --export 1F3E4E51C954EE281DF0C0D19C9FD267C51419DA
-----BEGIN PGP PUBLIC KEY BLOCK-----
[armored public key data elided from this copy]
=LOSD
-----END PGP PUBLIC KEY BLOCK-----

Backing up

Example: print it on acid-free paper (archival paper) and store it securely.

$ gpg --armor --export-secret-key 1F3E4E51C954EE281DF0C0D19C9FD267C51419DA
-----BEGIN PGP PRIVATE KEY BLOCK-----
[armored secret key data elided from this copy]
=EFvB
-----END PGP PRIVATE KEY BLOCK-----
$ cat /root/.gnupg/openpgp-revocs.d/1F3E4E51C954EE281DF0C0D19C9FD267C51419DA.rev
This is a revocation certificate for the OpenPGP key:

pub   ed25519 2021-06-29 [S] [expires: 2024-06-28]
      1F3E4E51C954EE281DF0C0D19C9FD267C51419DA
uid          Example User <user@example.com>

A revocation certificate is a kind of "kill switch" to publicly
declare that a key shall not anymore be used.  It is not possible
to retract such a revocation certificate once it has been published.

Use it to revoke this key in case of a compromise or loss of
the secret key.  However, if the secret key is still accessible,
it is better to generate a new revocation certificate and give
a reason for the revocation.  For details see the description of
of the gpg command "--generate-revocation" in the GnuPG manual.

To avoid an accidental use of this file, a colon has been inserted
before the 5 dashes below.  Remove this colon with a text editor
before importing and publishing this revocation certificate.

:-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: This is a revocation certificate

iHgEIBYIACAWIQQfPk5RyVTuKB3wwNGcn9JnxRQZ2gUCYNt/8gIdAAAKCRCcn9Jn
xRQZ2tb3AQDMUZX7X2D104iaoK3K3v+O0slW2sInAwuRzNlPyTn/vQD/SSciNTfo
LEEOktpyRZZb/r2saPURt0fhaMbHunEEegE=
=9dLj
-----END PGP PUBLIC KEY BLOCK-----
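As an added example (not part of the original gist): the key the interactive session above produces, generated unattended from a GnuPG parameter file in a throwaway GNUPGHOME, followed by the three exports the backup section calls for (public key for upload, armored secret key for the paper backup, revocation certificate). It assumes GnuPG 2.2 or later on PATH; the name, e-mail address, expiry and output directory are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original gist: an unattended equivalent of the
# interactive `gpg --expert --full-gen-key` session, plus the backup exports.
# Everything happens in a throwaway GNUPGHOME so the real keyring is untouched.
# Assumptions: GnuPG >= 2.2 on PATH; name, e-mail and expiry are placeholders.
set -eu

# Emit the GnuPG "unattended key generation" parameter block for an ed25519
# primary key (sign + certify) with a cv25519 encryption subkey: the same key
# types the transcript shows (pub ed25519 [SC], sub cv25519 [E]).
# An empty passphrase yields %no-protection, acceptable only for test keys.
gen_params() {
    name=$1; email=$2; expire=$3; passphrase=${4:-}
    printf '%s\n' \
        'Key-Type: eddsa' \
        'Key-Curve: ed25519' \
        'Key-Usage: sign' \
        'Subkey-Type: ecdh' \
        'Subkey-Curve: cv25519' \
        'Subkey-Usage: encrypt' \
        "Name-Real: $name" \
        "Name-Email: $email" \
        "Expire-Date: $expire"
    if [ -n "$passphrase" ]; then
        printf 'Passphrase: %s\n' "$passphrase"
    else
        printf '%%no-protection\n'
    fi
    printf '%%commit\n'
}

# Print the full 40-hex-digit fingerprint of the first key in the keyring,
# parsed from the machine-readable --with-colons format (field 10 of "fpr").
first_fingerprint() {
    gpg --batch --with-colons --list-keys | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Generate the key and write the three artefacts a backup needs: public key
# (for upload), armored secret key (for the paper backup) and the revocation
# certificate gpg stores in openpgp-revocs.d.
# $1 = output directory, $2 = passphrase for the new key.
generate_and_backup() {
    outdir=$1; passphrase=$2
    umask 077   # parameter file and secret-key export must stay private
    mkdir -p "$outdir"
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    gen_params 'Example User' 'user@example.com' 3y "$passphrase" > "$GNUPGHOME/params"
    gpg --batch --generate-key "$GNUPGHOME/params"
    rm -f "$GNUPGHOME/params"
    fp=$(first_fingerprint)
    gpg --batch --armor --export "$fp" > "$outdir/$fp.pub.asc"
    # The passphrase is handed over on fd 3, not on the command line (visible in ps).
    gpg --batch --pinentry-mode loopback --passphrase-fd 3 \
        --armor --export-secret-keys "$fp" > "$outdir/$fp.secret.asc" 3<<EOF
$passphrase
EOF
    cp "$GNUPGHOME/openpgp-revocs.d/$fp.rev" "$outdir/$fp.rev"
    echo "$fp"
}

# Usage: sh gen-backup.sh --run /path/to/backup-dir   (prompts for a passphrase)
if [ "${1:-}" = "--run" ]; then
    printf 'Passphrase for the new key: '
    stty -echo; read -r pass; stty echo; printf '\n'
    generate_and_backup "${2:-./gpg-backup}" "$pass"
fi
```

The output directory then holds exactly what the gist prints by hand: `<fingerprint>.pub.asc` to send to a keyserver, `<fingerprint>.secret.asc` to print, and `<fingerprint>.rev`, which keeps the leading colon GnuPG inserts so it cannot be imported by accident.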
JonasGroeger commented Aug 12, 2021

Sign (approve) somebody else's key:

  1. Store somebody else's key id

     # Make sure $KEY_FP is in lowercase
     export KEY_FP=1f3e4e51c954ee281df0c0d19c9fd267c51419da

  2. Retrieve key

     gpg --keyserver keyserver.ubuntu.com --recv-keys $KEY_FP

  3. ABSOLUTELY REQUIRED: Validate the retrieved key using a 2nd channel (video, in person, …). We are using a public keyserver!

  4. Check if you did indeed do step 3.

  5. Sign key

     gpg --sign-key $KEY_FP

  6. Upload the (now) signed key

     gpg --keyserver keyserver.ubuntu.com --send-keys $KEY_FP
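As an added example (not part of the original gist or its comment): the signing procedure above as a script in which the validation step is enforced in code rather than left to memory. It only accepts a full 40-hex-digit fingerprint obtained over the second channel (short 8- or 16-digit key IDs are rejected, since they are cheap to collide), fetches the key, and refuses to sign unless the fingerprint of what the keyserver delivered is identical to the one written down. GnuPG 2.2 or later on PATH is assumed; the keyserver name is taken from the comment and the fingerprints in the checks are the gist's own example key.

```shell
#!/bin/sh
# Added example, not part of the original gist: steps 1-6 of the comment with
# the "ABSOLUTELY REQUIRED" out-of-band validation enforced before signing.
# Assumptions: GnuPG >= 2.2 on PATH; KEYSERVER defaults to the one in the comment.
set -eu

KEYSERVER=${KEYSERVER:-keyserver.ubuntu.com}

# Normalise a fingerprint as people write it down (mixed case, grouped with
# spaces) into the lowercase 40-hex-digit form gpg accepts. Prints nothing
# and returns 1 for anything else, including 8- or 16-digit short key IDs,
# which are not collision-resistant and must never be used for this check.
normalize_fp() {
    fp=$(printf '%s' "$1" | tr -d ' \t' | tr 'A-F' 'a-f')
    case $fp in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#fp}" -eq 40 ] || return 1
    printf '%s\n' "$fp"
}

# Compare the out-of-band fingerprint with the one the keyserver delivered.
# Returns 0 only if both normalise and are identical.
fingerprints_match() {
    a=$(normalize_fp "$1") || return 1
    b=$(normalize_fp "$2") || return 1
    [ "$a" = "$b" ]
}

# Fingerprint of a key in the local keyring, from the machine-readable
# --with-colons output (field 10 of the "fpr" record after "pub").
local_fingerprint() {
    gpg --batch --with-colons --list-keys "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Fetch, cross-check against the second channel, then sign and upload.
# $1 = fingerprint as received over the second channel (video, in person, ...).
verify_and_sign() {
    expected=$(normalize_fp "$1") || {
        echo "refusing: not a full 40-hex-digit fingerprint" >&2; return 1; }
    gpg --batch --keyserver "$KEYSERVER" --recv-keys "$expected"
    actual=$(local_fingerprint "$expected")
    if ! fingerprints_match "$expected" "$actual"; then
        echo "refusing: keyring holds '$actual', second channel says '$expected'" >&2
        return 1
    fi
    # Interactive on purpose: gpg shows the user ID about to be certified.
    gpg --sign-key "$expected"
    gpg --batch --keyserver "$KEYSERVER" --send-keys "$expected"
}

# Usage: sh verify-sign.sh --run '1F3E 4E51 C954 EE28 1DF0  C0D1 9C9F D267 C514 19DA'
if [ "${1:-}" = "--run" ]; then
    verify_and_sign "$2"
fi
```

Typing the fingerprint exactly as it was read out or printed on a card is the point: the script does the case folding and space stripping, so the human never has to pre-process the value, and a value copied from the keyserver's own listing instead of the second channel gains nothing.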
