
Prerequisites

  • Functional GPG setup with an existing keyring
  • Basic level command-line skill

Create the subkey

  1. Open a terminal
  2. Run gpg to open the gpg subshell

    gpg --expert --edit-key <key-id>
    $ gpg --expert --edit-key 0xF63D830E71933501
    Secret key is available
    sec rsa2048/0xF63D830E71933501
    created: 2016-02-09 expires: never usage: SC
    trust: ultimate validity: ultimate
    ssb rsa2048/0xF298FDA5E820823A
    created: 2016-02-09 expires: never usage: E
    [ultimate] (1). Paul newman <coolHand@vt.edu>
  3. Run the subcommand addkey

    addkey
    gpg> addkey
  4. If you are running GnuPG classic (1.4) or stable (2.0), then you will be prompted for the master passphrase now. Enter it.

  5. Choose an RSA key type with custom capabilities (option 8).

    8
    Please select what kind of key you want:
       (3) DSA (sign only)
       (4) RSA (sign only)
       (5) Elgamal (encrypt only)
       (6) RSA (encrypt only)
       (7) DSA (set your own capabilities)
       (8) RSA (set your own capabilities)
      (10) ECC (sign only)
      (11) ECC (set your own capabilities)
      (12) ECC (encrypt only)
      (13) Existing key
    Your selection? 8

    Do not use DSA

    Recent releases of OpenSSH have deprecated DSA host and user keys. Do NOT choose (7) DSA.

    If you are using GnuPG modern (2.1), you will also have the option to use an elliptic-curve cryptography (ECC) key.

    ECC is thought to be more secure than RSA; however, it is relatively new. Only choose this option if you know what you are doing. A few things to consider:

    • ECC has not had as much time to be vetted as RSA. New analyses may bring vulnerabilities to light.
    • You may hit compatibility issues.
    • If you plan on using this key with a smart card, check the capabilities of the smart card.
    • Some of the options in creating your key will be different from this guide.
    • Choose your curve carefully.
  6. Set allowed actions to authenticate only

    s e a q
    Possible actions for a RSA key: Sign Encrypt Authenticate
    Current allowed actions: Sign Encrypt
       (S) Toggle the sign capability
       (E) Toggle the encrypt capability
       (A) Toggle the authenticate capability
       (Q) Finished
    Your selection? s
    Possible actions for a RSA key: Sign Encrypt Authenticate
    Current allowed actions: Encrypt
       (S) Toggle the sign capability
       (E) Toggle the encrypt capability
       (A) Toggle the authenticate capability
       (Q) Finished
    Your selection? e
    Possible actions for a RSA key: Sign Encrypt Authenticate
    Current allowed actions:
       (S) Toggle the sign capability
       (E) Toggle the encrypt capability
       (A) Toggle the authenticate capability
       (Q) Finished
    Your selection? a
    Possible actions for a RSA key: Sign Encrypt Authenticate
    Current allowed actions: Authenticate
       (S) Toggle the sign capability
       (E) Toggle the encrypt capability
       (A) Toggle the authenticate capability
       (Q) Finished
    Your selection? q
  7. Set the key size (at least 2048)

    2048
    RSA keys may be between 1024 and 4096 bits long.
    What keysize do you want? (2048) 2048
    Requested keysize is 2048 bits

    It may seem like a 4096 bit RSA key would be twice as secure as a 2048 bit RSA key, but this is not true. A 2048 bit RSA key contains about 112 bits of security, while a 4096 bit RSA key contains only about 129 bits of security.

    2048 bit RSA keys are thought to be sufficiently secure until about 2030.

    If you want to use this key on a smart card, check the capabilities of your card. A YubiKey NEO only supports up to 2048 bits, but a YubiKey 4 supports RSA 4096.

  8. Set initial expiration of the key

    1y
    Please specify how long the key should be valid.
             0 = key does not expire
          <n>  = key expires in n days
          <n>w = key expires in n weeks
          <n>m = key expires in n months
          <n>y = key expires in n years
    Key is valid for? (0) 1y

    Expiration not fixed

    This is not a hard expiration. As long as you have the private key, you can issue a new signature on the key, indicating that it is valid for some extension of time.

  9. Confirm the key expiration

    y
    Key expires at Thu 09 Feb 2017 03:06:46 PM EST
    Is this correct? (y/N) y
  10. Confirm you really do want to create the key

    y
    Really create? (y/N) y
  11. If you are running GnuPG modern (2.1), you will be prompted to enter a passphrase for this subkey. Reusing the passphrase from the master key is recommended. Either way, it should be strong and memorable. If prompted, enter the passphrase for the master key.
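Once the subkey exists, it is worth confirming that it came out the way the steps above intend: capability exactly "a", RSA rather than DSA, at least 2048 bits, and an expiration date set. The script below is an added example, not part of this guide or of GnuPG; it parses the machine-readable listing from `gpg --list-secret-keys --with-colons <key-id>` (GnuPG 2.x, which prints dates as Unix timestamps) and reports any subkey carrying the authenticate flag that deviates. The sample listing is constructed: the auth subkey ID, the DSA subkey ID and the fingerprint are placeholders, since only the master key and encryption subkey IDs appear in this guide.

```python
from datetime import datetime, timezone

# Public-key algorithm IDs as printed in field 4 of the colon format.
ALGO_RSA, ALGO_DSA = 1, 17


def parse_subkeys(colon_output):
    """Return one dict per 'ssb'/'sub' record with the fields we audit."""
    subkeys = []
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] not in ("ssb", "sub"):
            continue
        subkeys.append({
            "keyid": fields[4],
            "bits": int(fields[2]),
            "algo": int(fields[3]),
            "expires": int(fields[6]) if fields[6] else None,  # empty = never
            "caps": fields[11],  # e=encrypt, s=sign, c=certify, a=authenticate
        })
    return subkeys


def audit_auth_subkey(sub, now):
    """Return a list of problems for a subkey meant to be authenticate-only."""
    problems = []
    if sub["caps"] != "a":
        problems.append("capabilities are %r, expected exactly 'a'" % sub["caps"])
    if sub["algo"] == ALGO_DSA:
        problems.append("DSA keys are deprecated by OpenSSH")
    elif sub["algo"] == ALGO_RSA and sub["bits"] < 2048:
        problems.append("RSA key is only %d bits" % sub["bits"])
    if sub["expires"] is None:
        problems.append("no expiration date set")
    elif sub["expires"] < now:
        problems.append("expired; extend it with gpg --edit-key")
    return problems


def find_auth_subkeys(colon_output, now=None):
    """Map key ID -> problem list for every subkey carrying the 'a' flag."""
    now = now if now is not None else int(datetime.now(timezone.utc).timestamp())
    return {s["keyid"]: audit_auth_subkey(s, now)
            for s in parse_subkeys(colon_output) if "a" in s["caps"]}


# Constructed sample listing; IDs other than the guide's two are placeholders.
SAMPLE = """\
sec:u:2048:1:F63D830E71933501:1454975206:::u:::scESCA::::::::0:
fpr:::::::::0000000000000000000000000000000000000000:
ssb:u:2048:1:F298FDA5E820823A:1454975206::::::e::::::23:
ssb:u:2048:1:0123456789ABCDEF:1454975206:1486670806:::::a::::::23:
ssb:u:1024:17:FEDCBA9876543210:1454975206::::::sa::::::23:
"""

if __name__ == "__main__":
    for keyid, problems in find_auth_subkeys(SAMPLE, now=1470000000).items():
        print(keyid, "OK" if not problems else "; ".join(problems))
```

Pipe the real listing in instead of `SAMPLE` once the subkey has been created; a well-formed auth subkey prints `OK`, and the 1024-bit DSA sign+auth subkey in the sample shows what a bad one looks like.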