Generate a keyfile locally

To generate issuer keyfiles, you can either use our generate page or generate them on your own computer. This page explains how to generate keyfiles on your own computer.

Keyfiles are nothing more than an OpenPGP public/private keypair in a text file, so all you need to generate a keyfile locally is GnuPG.

  • Windows: Install Gpg4win
  • Mac: brew install gnupg
  • Debian/Ubuntu: sudo apt-get install gnupg (should already be installed)

Once you have GnuPG installed, you need to generate an elliptic curve keypair.

gpg --expert --full-gen-key
# select "ECC (sign only)"
# select "Curve 25519" or "NIST P-256"
# select 0 (key does not expire)
# select y (for "is this correct?")
# for Real Name, type your issuer name
# for Email address, leave blank (just press Enter)
# for Comment, leave blank (just press Enter)
# select O (for Okay)
# set an encryption password for your new keypair
# done!

Once you have generated your keypair, find the fingerprint for it by listing your secret keys.

gpg --list-secret-keys

Will print something like:

/path/to/pubring.kbx
--------------------------------------
sec   ed25519 2021-04-12 [SC]
      68632A32FFDB8EB9ED589CDEF246AA78FD1EFDB1    <--- this is your fingerprint
uid           [ultimate] Test Issuer              <--- make sure this matches your issuer name

You now need to print out the public and private keys.

gpg --export --armor YOUR_FINGERPRINT_HERE

Will print something like:

-----BEGIN PGP PUBLIC KEY BLOCK-----

mDMEYFimDh... (long string of base 64 characters)
-----END PGP PUBLIC KEY BLOCK-----

Also print out your private key:

gpg --export-secret-key --armor YOUR_FINGERPRINT_HERE

Will print something like:

-----BEGIN PGP PRIVATE KEY BLOCK-----

lFgEYHO9oh... (long string of base 64 characters)
-----END PGP PRIVATE KEY BLOCK-----

Open a text editor and copy/paste the public and private keys you printed out in Step 4 into that text file.

Your text file should look something like this:

-----BEGIN PGP PUBLIC KEY BLOCK-----

mDMEYFimDh... (long string of base 64 characters)
-----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP PRIVATE KEY BLOCK-----

lFgEYHO9oh... (long string of base 64 characters)
-----END PGP PRIVATE KEY BLOCK-----

Save your text file as keyfile.asc.

Congratulations! You've just created a keyfile on your local computer.

Remember: KEEP YOUR KEYFILE SAFE
Anyone with your keyfile can issue QR codes as you. If it gets compromised, your only option is to revoke all your previously issued QR codes to prevent someone from issuing fake QR codes in your name.
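
One way to do the export and copy/paste steps above without sending the private key through the terminal and clipboard, followed by a check of the result. This is an added example, not part of the original page or the project's tooling: the function names make_keyfile and check_keyfile are hypothetical, and the required block order (public, then private) is assumed from the sample layout shown above.

```shell
#!/bin/sh
# Added example: function names are hypothetical, not part of any vax.codes tool.

# make_keyfile FINGERPRINT OUTFILE
# Exports the public block, then the private block, straight into OUTFILE.
# The body runs in a subshell so the umask change does not leak to the caller.
make_keyfile() (
    umask 077    # a newly created OUTFILE gets mode 0600
    [ ! -e "$2" ] || { echo "$2 exists, refusing to overwrite" >&2; exit 1; }
    gpg --export --armor "$1" > "$2" &&
        gpg --export-secret-key --armor "$1" >> "$2"
)

# check_keyfile FILE
# Succeeds only if FILE is private to its owner and holds exactly one public
# key block followed by exactly one private key block, each with a body.
# The block order is an assumption taken from the sample layout on this page.
check_keyfile() (
    f=$1
    [ -f "$f" ] || { echo "$f: not a regular file" >&2; exit 1; }
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] ||
        { echo "$f: accessible to group or others (chmod 600)" >&2; exit 1; }
    # Reduce the file to tokens: one per armor marker, one per run of data.
    # CRs are dropped first so files written on Windows compare equal.
    shape=$(tr -d '\r' < "$f" | awk '
        function emit(t) {
            if (t != "body" || prev != "body") { printf "%s%s", sep, t; sep = " " }
            prev = t
        }
        /^-----BEGIN PGP PUBLIC KEY BLOCK-----$/  { emit("BEGIN-PUB");  next }
        /^-----END PGP PUBLIC KEY BLOCK-----$/    { emit("END-PUB");    next }
        /^-----BEGIN PGP PRIVATE KEY BLOCK-----$/ { emit("BEGIN-PRIV"); next }
        /^-----END PGP PRIVATE KEY BLOCK-----$/   { emit("END-PRIV");   next }
        /^[ \t]*$/                                { next }
                                                  { emit("body") }
    ')
    [ "$shape" = "BEGIN-PUB body END-PUB BEGIN-PRIV body END-PRIV" ] ||
        { echo "$f: unexpected layout: $shape" >&2; exit 1; }
)

# Usage: make_keyfile YOUR_FINGERPRINT_HERE keyfile.asc && check_keyfile keyfile.asc
```

The check looks only at the file mode and the armor layout; it does not parse or verify the key material itself.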

Next: Issue a QR code on your local computer

You can also issue QR codes using your keyfile in our online interface.

You can also register as an issuer with your keyfile.


Have questions? Email support@vax.codes for assistance.