gpg --version

First make sure you're running gpg 2.X for the following steps. For this setup we use a gpg.conf from here. Download and place at .gnupg/gpg.conf.

Then it's time to generate the primary key:

gpg --expert --full-gen-key

For settings we go with: RSA (8), restrict it to only certify. We set it to 4096 bits and expire in two years. Expiration can be renewed, even after a key expired, but you don't want someone to steal your infinitely valid keys. Real Name is up to you, don't use comments. For passphrase this is a good guide.

A default revocation certificate was created (see terminal output). Print it out and store it somewhere safe.

No it's time to generate subkeys to use for signing, encryting and authentication.

gpg --expert --edit-key KEY-ID-HERE

addkey - RSA (sign/encrypy/set own, then remove all but authenticate) only - 4096 - 2y

Then quit and save.
Looking at gpg --list-keys KEY-ID you should now see the corresponding keys.

Now first export the public key to share with others:

gpg --export --armor KEY-ID >

Then the secret keys to keep offline:

gpg --export-secret-keys --armor KEY-ID > key.sec.asc

And finally the subkeys for daily use:

gpg --export-secret-subkeys --armor KEY-ID > key.sec_sub.asc

Remove the primary key from the keyring:

gpg --delete-secret-keys KEY-ID

and import subkeys back

gpg --import key.sec_sub.asc

If everything worked outh --list-secret-keys should now list #sec next to your primary key.

To re-encrypt your pass data use pass init KEY-ID

For reference check here.