16

gpg2 generates keys with one or several of the (S)igning, (E)ncryption, (C)ertification usages set. However, e.g. Enigmail creates a primary key also set for (A)uthentication, which GnuPG then shows. How can this be set/modified using gpg2? I can't find any command in --edit-keys, and when I create a subkey the only options are

 Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
Tobias Kienzler

2 Answers

20

Since GnuPG 2.2.6 there's a hidden key-edit subcommand "change-usage" which does exactly that. Relevant commit.

Let's try this subcommand with a test key. Let's create one first:

mkdir /tmp/gpg-change-usage
chmod 700 /tmp/gpg-change-usage
gpg --homedir /tmp/gpg-change-usage --quick-generate-key someone@example.com rsa4096 cert 1d

Now notice that this new key is a certification only primary key.

$ gpg --homedir /tmp/gpg-change-usage -k
/tmp/gpg-change-usage/pubring.kbx
---------------------------------
pub   rsa4096 2019-04-04 [C] [expires: 2019-04-05]
      987BE3D9CF90B1C912A165734EBF4D26A937DE4C
uid           [ultimate] someone@example.com

Changing usage is as simple as this:

$ gpg --homedir /tmp/gpg-change-usage --edit-key someone@example.com 
gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa4096/4EBF4D26A937DE4C
     created: 2019-04-04  expires: 2019-04-05  usage: C   
     trust: ultimate      validity: ultimate
[ultimate] (1). someone@example.com

gpg> change-usage
Changing usage of the primary key.

Possible actions for a RSA key: Sign Certify Encrypt Authenticate 
Current allowed actions: Certify 

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? s

Possible actions for a RSA key: Sign Certify Encrypt Authenticate 
Current allowed actions: Sign Certify 

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? q

sec  rsa4096/4EBF4D26A937DE4C
     created: 2019-04-04  expires: 2019-04-05  usage: SC  
     trust: ultimate      validity: ultimate
[ultimate] (1). someone@example.com

gpg> save

Notice now that our key gained signing capability.

$ gpg --homedir /tmp/gpg-change-usage -k
/tmp/gpg-change-usage/pubring.kbx
---------------------------------
pub   rsa4096 2019-04-04 [SC] [expires: 2019-04-05]
      987BE3D9CF90B1C912A165734EBF4D26A937DE4C
uid           [ultimate] someone@example.com

That's it!

sanmai
9

In order to add a new subkey with specific usages, start gpg2 with the --expert switch. Then the options are

Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
Your selection?

The last two options allow toggling each of S, E and A individually. C is only possible for a primary key, the usage of which you can also set with gpg2 --expert --gen-key. I don't know of any way to modify the usage field at a later point, however.

Tobias Kienzler
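Both answers read a key's usage off gpg's human-readable listing ([C] before change-usage, [SC] after; subkey capabilities chosen with --expert). As an added example that is not code from either answer or from GnuPG, the Python script below performs the same check against the machine-readable `gpg --with-colons --list-keys` output, in which field 12 of a pub or sub record holds the capability letters (s/e/c/a for that key, plus uppercase letters on the pub record for what the whole key can do), and it flags primary keys that carry sign, encrypt or authenticate usage themselves instead of delegating it to subkeys. The two sample listings are constructed to mirror the first answer's test key before and after change-usage; the subkey record, its key ID 0123456789ABCDEF, the uid hash and the timestamps are made up.

```python
"""Check OpenPGP key usage flags from `gpg --with-colons --list-keys` output.

Added example, not code from either answer or from GnuPG. The colon format is
documented in GnuPG's doc/DETAILS: field 12 of a pub/sub record carries the
capability letters s/e/c/a for that key; a pub record additionally carries
uppercase letters for the usable capabilities of the whole key (primary plus
subkeys). The sample listings below are constructed; the subkey ID, subkey
fingerprint, uid hash and timestamps are placeholders.
"""
import subprocess
from dataclasses import dataclass, field


@dataclass
class Key:
    keyid: str
    primary_caps: str = ""   # lowercase letters: what the primary key itself may do
    usable_caps: str = ""    # uppercase letters: what the whole key may do
    fpr: str = ""
    uids: list = field(default_factory=list)
    subkeys: list = field(default_factory=list)  # (keyid, caps) pairs


def parse_colon_listing(text):
    """Parse pub/fpr/uid/sub records into Key objects; other records are skipped."""
    keys, cur, pending_fpr = [], None, False
    for line in text.splitlines():
        f = line.split(":")
        rec = f[0]
        if rec == "pub":
            caps = f[11] if len(f) > 11 else ""
            cur = Key(keyid=f[4],
                      primary_caps="".join(c for c in caps if c.islower()),
                      usable_caps="".join(c for c in caps if c in "SECA"))
            keys.append(cur)
            pending_fpr = True          # the next fpr record belongs to the primary
        elif cur is None:
            continue                    # tru: and other preamble records
        elif rec == "fpr":
            if pending_fpr:
                cur.fpr = f[9]
                pending_fpr = False     # later fpr records belong to subkeys
        elif rec == "uid":
            cur.uids.append(f[9])
        elif rec == "sub":
            cur.subkeys.append((f[4], f[11] if len(f) > 11 else ""))
    return keys


def primary_key_findings(key):
    """Capabilities the primary key carries besides certify, sorted.

    Keeping the primary certify-only and putting S/E/A on subkeys lets the
    primary secret stay offline; any other letter here deserves a look.
    """
    return sorted(set(key.primary_caps) - {"c"})


def report(keys):
    """One human-readable line per key, in the [SC] style of `gpg -k`."""
    lines = []
    for k in keys:
        extra = primary_key_findings(k)
        note = f"primary also carries {','.join(extra)}" if extra else "primary is certify-only"
        uid = k.uids[0] if k.uids else "?"
        lines.append(f"{k.keyid} [{k.usable_caps}] {uid}: {note}")
    return lines


def list_keys_colons(homedir=None):
    """Fetch a live listing from gpg (not used by the constructed samples)."""
    cmd = ["gpg", "--with-colons", "--list-keys"]
    if homedir:
        cmd[1:1] = ["--homedir", homedir]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


# Constructed listing mirroring the freshly generated key from the first answer:
# certify-only primary ([C]). Key ID and fingerprint are the ones shown there.
SAMPLE_BEFORE = """\
tru::1:1554336000:1554422400:3:1:5
pub:u:4096:1:4EBF4D26A937DE4C:1554336000:1554422400::u:::cC::::::23::0:
fpr:::::::::987BE3D9CF90B1C912A165734EBF4D26A937DE4C:
uid:u::::1554336000::UIDHASHPLACEHOLDER::someone@example.com::::::::::0:
"""

# Constructed listing after `change-usage` toggled sign on the primary and an
# authenticate-only subkey was added with --expert (subkey ID/fpr made up).
SAMPLE_AFTER = """\
pub:u:4096:1:4EBF4D26A937DE4C:1554336000:1554422400::u:::scSCA::::::23::0:
fpr:::::::::987BE3D9CF90B1C912A165734EBF4D26A937DE4C:
uid:u::::1554336000::UIDHASHPLACEHOLDER::someone@example.com::::::::::0:
sub:u:4096:1:0123456789ABCDEF:1554336000:1554422400:::::a::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
"""

if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label)
        for line in report(parse_colon_listing(sample)):
            print("  " + line)
```

To run it against a real keyring, pass `list_keys_colons("/tmp/gpg-change-usage")` to `parse_colon_listing`; the colon format is stable across GnuPG releases, whereas the `[SC]` rendering of `gpg -k` is meant for humans and may change.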