First, make sure you are running gpg 2.x for the following steps. For this setup we use a
gpg.conf from here. Download it and place it at
Then it's time to generate the primary key:
gpg --expert --full-gen-key
For settings we go with: RSA (set your own capabilities) (8), then toggle Sign and Encrypt off so the primary key can only Certify. We set it to 4096 bits and expire in two years. The expiration date can be extended later, even after the key has expired, but you don't want someone who steals your key to hold an infinitely valid one. Real Name is up to you; don't use a comment. For the passphrase this is a good guide.
A revocation certificate was created automatically (see the terminal output for its location). Print it out and store it somewhere safe: anyone holding it can revoke your key, so treat it like the secret key itself.
Now it's time to generate subkeys to use for signing, encrypting and authentication.
gpg --expert --edit-key KEY-ID-HERE
Run addkey three times, each with 4096 bits and 2y expiry:
addkey - RSA (sign only) (4)
addkey - RSA (encrypt only) (6)
addkey - RSA (set your own capabilities) (8), toggle Sign and Encrypt off and Authenticate on, so only Authenticate is left
Then type save to write the changes and quit.
gpg --list-keys KEY-ID
You should now see the primary key and the three subkeys.
Now first export the public key to share with others:
gpg --export --armor KEY-ID > key.pub.asc
Then the full secret key (primary plus subkeys), which goes into offline storage:
gpg --export-secret-keys --armor KEY-ID > key.sec.asc
And finally only the subkeys for daily use:
gpg --export-secret-subkeys --armor KEY-ID > key.sec_sub.asc
Now remove the secret key from the keyring. Note that this deletes the secret parts of the primary key and of the subkeys (the public key stays), so make sure key.sec.asc is complete before you do this; afterwards it is the only copy of the primary key:
gpg --delete-secret-keys KEY-ID
Then import only the subkeys back:
gpg --import key.sec_sub.asc
If everything worked out,
gpg --list-secret-keys
should now show sec# (note the hash) next to your primary key, meaning only a stub of its secret part is left, while the ssb lines for the subkeys carry no hash.
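The same procedure as a script, added here as an example and not part of the original post. It uses gpg's --quick-generate-key and --quick-add-key (available since gpg 2.1.17) instead of the interactive menus, works in a throwaway GNUPGHOME, and ends with a check that parses the colon-formatted output of gpg --list-secret-keys: the primary is offline when field 15 of the sec record is '#' while no ssb record is a stub, and it is certify-only when the lowercase (own) capability flags in field 12 are exactly "c". The user id, passphrase, key IDs and fingerprints in the sample listings are made up; the gpg steps only run when the script is invoked with the argument run.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: scripted offline-primary setup
# with gpg --quick-* commands (assumed gpg >= 2.1.17), plus checks over
# `gpg --list-secret-keys --with-colons` output. Key parameters mirror the
# post: RSA 4096 for primary and subkeys, two years validity.
set -eu

# primary_is_offline LISTING
# LISTING is colon-formatted secret-key output. Succeeds only if there is
# at least one sec record, every sec record is a stub ('#' in field 15),
# and no ssb record is a stub.
primary_is_offline() {
  listing=$1
  sec_total=0; sec_stub=0; ssb_stub=0
  while IFS=: read -r type _ _ _ _ _ _ _ _ _ _ _ _ _ token _; do
    case "$type" in
      sec) sec_total=$((sec_total + 1))
           if [ "$token" = "#" ]; then sec_stub=$((sec_stub + 1)); fi ;;
      ssb) if [ "$token" = "#" ]; then ssb_stub=$((ssb_stub + 1)); fi ;;
    esac
  done <<EOF
$listing
EOF
  [ "$sec_total" -gt 0 ] && [ "$sec_total" -eq "$sec_stub" ] && [ "$ssb_stub" -eq 0 ]
}

# primary_is_cert_only LISTING
# Field 12 of the sec record lists the key's own capabilities in lowercase
# and the usable-via-subkey capabilities in uppercase; require own == "c".
primary_is_cert_only() {
  listing=$1
  own=""
  while IFS=: read -r type _ _ _ _ _ _ _ _ _ _ caps _; do
    if [ "$type" = "sec" ]; then
      own=$(printf '%s' "$caps" | tr -d 'A-Z')
    fi
  done <<EOF
$listing
EOF
  [ "$own" = "c" ]
}

# Constructed sample listings (fake key IDs / fingerprint). SAMPLE_OFFLINE is
# what the keyring should look like after the procedure; SAMPLE_ONLINE still
# has the primary secret key present; SAMPLE_SIGNING has a primary that can
# also sign.
SAMPLE_OFFLINE='sec:u:4096:1:0123456789ABCDEF:1700000000:1763000000::u:::cESCA:::#:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1700000000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Alice Example <alice@example.org>::::::::::0:
ssb:u:4096:1:1111111111111111:1700000000:1763000000:::::s:::+:::23:
ssb:u:4096:1:2222222222222222:1700000000:1763000000:::::e:::+:::23:
ssb:u:4096:1:3333333333333333:1700000000:1763000000:::::a:::+:::23:'
SAMPLE_ONLINE=$(printf '%s\n' "$SAMPLE_OFFLINE" | sed 's/^\(sec:.*:cESCA:::\)#/\1+/')
SAMPLE_SIGNING=$(printf '%s\n' "$SAMPLE_OFFLINE" | sed 's/:cESCA:/:scESCA:/')

# setup_offline_primary "Real Name <mail>" PASSPHRASE
# Runs the post's steps end to end in a fresh temporary GNUPGHOME and leaves
# key.pub.asc, key.sec.asc (keep offline) and key.sec_sub.asc in the current
# directory. Assumed, not taken from the post: --quick-* commands and the
# loopback pinentry so the passphrase can be supplied non-interactively.
setup_offline_primary() {
  uid=$1; pw=$2
  GNUPGHOME=$(mktemp -d); export GNUPGHOME
  chmod 700 "$GNUPGHOME"
  g() { gpg --batch --pinentry-mode loopback --passphrase "$pw" "$@"; }
  # primary key: certify only, 4096 bits, two years
  g --quick-generate-key "$uid" rsa4096 cert 2y
  fpr=$(gpg --list-keys --with-colons "$uid" | awk -F: '$1=="fpr"{print $10; exit}')
  # one subkey each for signing, encryption and authentication
  for usage in sign encr auth; do
    g --quick-add-key "$fpr" rsa4096 "$usage" 2y
  done
  gpg --export --armor "$fpr" > key.pub.asc
  g --export-secret-keys --armor "$fpr" > key.sec.asc
  g --export-secret-subkeys --armor "$fpr" > key.sec_sub.asc
  # drop all secret material, then bring back only the subkeys
  gpg --batch --yes --delete-secret-keys "$fpr"
  gpg --batch --import key.sec_sub.asc
  listing=$(gpg --list-secret-keys --with-colons)
  primary_is_offline "$listing" && primary_is_cert_only "$listing" \
    && echo "primary $fpr is offline and certify-only; subkeys usable"
}

if [ "${1:-}" = "run" ]; then
  setup_offline_primary "Alice Example <alice@example.org>" "correct horse battery staple"
fi
```

The checks read the machine-readable listing rather than grepping for "sec#" in the human output, so they keep working across locales and gpg versions; run them against your real keyring with primary_is_offline "$(gpg --list-secret-keys --with-colons)" before you trust a daily-use machine.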
To re-encrypt your pass data to the new key use (the primary KEY-ID is fine here; gpg picks the encryption subkey itself)
pass init KEY-ID
For reference check here.