====== GnuPG Notes and Best Practices ======

Create a strong 4096-bit RSA key. In the future when a more modern elliptic curve key is standard for OpenPGP.  These instructions largely follow 

<code sh>
sguy@helium:~$ gpg --full-gen-key
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory '/home/sguy/.gnupg' created
gpg: keybox '/home/sguy/.gnupg/pubring.kbx' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Fri Dec 18 23:35:04 2020 EST
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Some Guy
Email address: sguy@quay.net
Comment: 
You selected this USER-ID:
    "Some Guy <sguy@quay.net>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /home/sguy/.gnupg/trustdb.gpg: trustdb created
gpg: key FEDCBA0987654321 marked as ultimately trusted
gpg: directory '/home/sguy/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/sguy/.gnupg/openpgp-revocs.d/1234567890ABCDEF111000FEDCBA0987654321.rev'
public and secret key created and signed.

pub   rsa4096 2018-12-20 [SC] [expires: 2020-12-19]
      1234567890ABCDEF111000FEDCBA0987654321
uid                      Some Guy <sguy@quay.net>
sub   rsa4096 2018-12-20 [E] [expires: 2020-12-19]


sguy@helium:~/.gnupg$ cat gpg.conf 
keyid-format 0xlong
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed


sguy@helium:~$ gpg --edit-key sguy@quay.net
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2020-12-19
sec  rsa4096/0xFEDCBA0987654321
     created: 2018-12-20  expires: 2020-12-19  usage: SC  
     trust: ultimate      validity: ultimate
ssb  rsa4096/0xFEDCBA0987654322
     created: 2018-12-20  expires: 2020-12-19  usage: E   
[ultimate] (1). Some Guy <sguy@quay.net>

gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 23m
Key expires at Sun Nov  8 23:50:18 2020 EST
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

sec  rsa4096/0xFEDCBA0987654321
     created: 2018-12-20  expires: 2020-12-19  usage: SC  
     trust: ultimate      validity: ultimate
ssb  rsa4096/0xFEDCBA0987654322
     created: 2018-12-20  expires: 2020-12-19  usage: E   
ssb  rsa4096/0xFEDCBA0987654323
     created: 2018-12-20  expires: 2020-11-09  usage: S   
[ultimate] (1). Some Guy <sguy@quay.net>

gpg> save

</code>

===== Reference =====

  * https://riseup.net/en/security/message-security/openpgp/best-practices
  * http://ekaia.org/blog/2009/05/10/creating-new-gpgkey/
  * https://liquidat.wordpress.com/2013/05/07/howto-changing-the-expiry-date-of-gpg-keys/
  * https://alexcabal.com/creating-the-perfect-gpg-keypair
  * http://www.connexer.com/articles/openpgp-subkeys