gpgen

GPGen – Automatic GPG Key and Revocation Certificate Generator

I found myself needing a script to quickly generate armored keys and a revocation certificate while securing the process as much as possible. I’d like to add permissions restricting the config files to the user, as well as a fork that leaves the keyrings in place.

You can find the current version on Github or a cleaned version below:

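#!/bin/bash
#
# GPGen - generate an armored RSA-4096 key pair and a revocation certificate
# in the current directory, using a throwaway keyring so the user's existing
# rings and gpg.conf are put back the way they were afterwards.
#
# Outputs (in $PWD): public.asc, secret.asc, "0 - General Revocation Certificate.asc"
# Requires: Debian/Ubuntu (dpkg/apt-get), gnupg, secure-delete (srm)
#
# NOTE(review): the pubring.gpg/secring.gpg and secret-keyring scheme below is
# the GnuPG 1.x / 2.0 layout; confirm before relying on it with GnuPG 2.1+.

# Everything this script writes (secret.asc, keyrings, answer files) holds
# secret material: make gpg and the redirections below create owner-only files.
umask 077

# Custom Variables

NAME="Your Name"
COMMENT="Generated by GPGen"
EMAIL="[email protected]"

# Static Variables

GPG="gpg"
# Kept as a plain string and expanded UNQUOTED ($GPGHOME) on purpose so it
# splits into the option and its argument; a $HOME containing spaces is not
# supported by this script.
GPGHOME="--homedir $HOME/.gnupg"

export PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/local/share/bin:/usr/local/share/sbin"

# Check for gnupg and install if not already.
# Query the package status explicitly: `dpkg -l pkg | grep -q pkg` also
# matches "un"/"rc" rows for packages that are known but not installed.

dpkg-query -W -f='${Status}' gnupg 2>/dev/null | grep -q 'install ok installed' \
  || sudo apt-get install -y gnupg

# Check for secure-delete and install if not already

dpkg-query -W -f='${Status}' secure-delete 2>/dev/null | grep -q 'install ok installed' \
  || sudo apt-get install -y secure-delete

# Write gnupg parameters to a file. Truncate rather than append: re-running
# the script must not stack a second key block onto a stale gpgen.conf.

cat > "${PWD}/gpgen.conf" <<EOF
%echo GPGen is working…please wait for a few moments while we generate some entropy.

Key-Type: RSA
Key-Length: 4096
Name-Real: $NAME
Name-Comment: $COMMENT
Name-Email: $EMAIL
Expire-Date: 0
%pubring pubring.gpg
%secring secring.gpg

# Do a commit or dry-run here

%commit
%echo done
EOF

# Generate entropy via sha256sum calculations. Run find itself in the
# background (no wrapping subshell) so $! is find's own PID and the disk walk
# can be stopped once gpg has finished instead of outliving the script.

find / -xdev -type f -exec sha256sum {} \; >/dev/null 2>&1 &
ENTROPY=$!
trap 'kill "$ENTROPY" 2>/dev/null' EXIT

# Run gnupg

$GPG $GPGHOME --no-tty --batch --gen-key "${PWD}/gpgen.conf"

# Stop the entropy generator; `wait` reaps it quietly (no "Terminated" notice).
kill "$ENTROPY" 2>/dev/null
wait "$ENTROPY" 2>/dev/null

#Backup existing rings

mv "$HOME/.gnupg/pubring.gpg" "$HOME/.gnupg/pubring.gpg.bak"
mv "$HOME/.gnupg/secring.gpg" "$HOME/.gnupg/secring.gpg.bak"

#Backup gpg.conf and write new options for newly generated rings
# (written with ">" so a failed backup mv cannot leave us appending to the
# user's live gpg.conf)

mv "$HOME/.gnupg/gpg.conf" "$HOME/.gnupg/gpg.conf.bak"
printf '%s\n' \
  'no-default-keyring' \
  "keyring ${PWD}/pubring.gpg" \
  "secret-keyring ${PWD}/secring.gpg" > "$HOME/.gnupg/gpg.conf"

# Export the keys; the private key is owner-only regardless of umask.

$GPG $GPGHOME --export -a --output "${PWD}/public.asc"
$GPG $GPGHOME --export-secret-key -a --output "${PWD}/secret.asc"
chmod 600 -- "${PWD}/secret.asc"

# Write the new key's ID to a file for the revocation step. Use the
# machine-readable --with-colons listing (field 5 of the "pub" record is the
# key ID) instead of cutting fixed columns out of the human-readable,
# locale-dependent output; the temporary gpg.conf lists only our keyring, so
# the first "pub" record is the key just generated.

$GPG $GPGHOME --list-keys --with-colons \
  | awk -F: '$1 == "pub" { print $5; exit }' > "${PWD}/userid.tmp"

# Generate a revocation certificate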

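#######################################
# Generate an armored revocation certificate for one key by feeding the
# answers gpg's interactive --gen-revoke dialog expects through a temporary
# answer file on --command-fd 0.
# Globals:   GPG, GPGHOME (read; GPGHOME is expanded unquoted on purpose so
#            "--homedir <dir>" splits into two words), PWD (read)
# Arguments: $1 - key ID to revoke
#            $2 - revocation reason code as gpg numbers them (0 = no reason)
#            $3 - free-text reason, also used in the output file name
# Outputs:   "./<code> - <reason>.asc" in the current directory, mode 0600
# Returns:   gpg's exit status; 1 if the answer file cannot be created;
#            2 if called with the wrong number of arguments
#######################################
GenRevoke() {
  if [ "$#" -ne 3 ]; then
    printf 'usage: GenRevoke KEYID CODE REASON\n' >&2
    return 2
  fi
  local -r KEYID=$1 CODE=$2 REASON=$3
  local -r OUTFILE="./$CODE - $REASON.asc"
  local INPUTFILE rv

  # Answer file: one prompt reply per line, in the order gpg asks.
  # mktemp gives it an unpredictable name instead of a fixed genoptions.tmp
  # that another process could pre-create or swap underneath us.
  INPUTFILE=$(mktemp "${PWD}/genoptions.XXXXXX") || return 1
  printf '%s\n' 'y' "$CODE" "$REASON" '' 'y' '' > "$INPUTFILE"

  $GPG $GPGHOME --no-tty --command-fd 0 --status-fd 2 -a -o "$OUTFILE" --gen-revoke "$KEYID" < "$INPUTFILE"
  rv=$?
  if [ -e "$OUTFILE" ]; then
    chmod 600 -- "$OUTFILE"
  fi

  # Securely remove revocation options file, whether or not gpg succeeded

  srm "$INPUTFILE"
  return "$rv"
}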

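# Quote the key ID: an empty userid.tmp must not silently shift the other
# arguments into its place.
KEYID=$(cat -- "${PWD}/userid.tmp")
if [ -n "$KEYID" ]; then
  GenRevoke "$KEYID" 0 "General Revocation Certificate"
else
  printf '%s\n' "GPGen: could not determine the new key ID; no revocation certificate was generated." >&2
fi

printf '%s\n' "Please wait for a moment while we securely remove temporary configuration and keyrings…"

# Securely remove our gpg.conf and restore backup

srm "$HOME/.gnupg/gpg.conf"
mv "$HOME/.gnupg/gpg.conf.bak" "$HOME/.gnupg/gpg.conf"

# Securely remove the keyrings we just generated and restore backups.
# GnuPG 1.x writes a "<ring>~" backup copy when it rewrites a keyring, which
# would otherwise be left behind holding a copy of the secret key.

for ring in pubring.gpg secring.gpg; do
  srm "${PWD}/${ring}"
  if [ -e "${PWD}/${ring}~" ]; then
    srm "${PWD}/${ring}~"
  fi
done
mv "$HOME/.gnupg/pubring.gpg.bak" "$HOME/.gnupg/pubring.gpg"
mv "$HOME/.gnupg/secring.gpg.bak" "$HOME/.gnupg/secring.gpg"

# Securely remove GPGen configuration and userid.tmp

srm "${PWD}/gpgen.conf"
srm "${PWD}/userid.tmp"

printf '%s\n' "All done! There are now 3 files in the same directory as GPGen: Your public key, your private key and your revocation certificate. PLEASE IMMEDIATELY SECURE THE PRIVATE KEY AND REVOCATION CERTIFICATE!"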
