Generate Certify Key
====================

.. warning::

  Page a tradire en francais...

.. warning::

   No Internet from now on

Introduction
------------

The primary key to generate is the Certify key, which will be used to issue Subkeys for encryption, signature and authentication operations.

The Certify key should be kept offline at all times and only accessed from a secure environment to revoke or issue Subkeys. Keys can also be generated on the YubiKey itself to avoid duplication, however for usability and durability reasons this guide recommends against doing so.

Generate a passphrase which will be needed throughout the guide to create Subkeys. The passphrase should be memorized or written down in a secure location, ideally separate from the portable storage device used for key material.

The passphrase is recommended to consist of only upper case letters and numbers for improved readability.


The following command will generate strong passphrases while avoiding ambiguous characters:

.. code-block::

   LC_ALL=C tr -dc 'A-Z1-9' < /dev/urandom | \
       tr -d "1IOS5U" | fold -w 30 | head -n10 | \
       sed "-es/./ /"{1..26..5} | cut -c2- | tr " " "-"


Example output:

.. code-block::

   A4ZK-YRRJ-8WPM-82NY-CX9T-AGKT
   PH9Z-HFDX-QDB9-YMMC-GQZB-Z3EV
   EC3H-C42G-8E9K-VF7F-ZWT7-BTL6
   B3CA-QCCE-JMNE-VAZG-ZEYD-J3XP
   YKP4-M42X-4WWE-WEKR-C3J7-GZYF
   ZQWC-E7MN-M7CT-4Y4Z-9QFV-44VY
   KY4F-C83Q-BTYQ-V8EM-WGCR-DPZN
   GYWQ-WNAC-ERWM-XGAD-6XVD-ZCLD
   L8JL-EK8H-Z4ZF-MA93-NND8-FPKA
   WM2J-XF7L-QV6D-AWLY-Y2D8-4TQQ