Unattended GnuPG Key Generation for ECC

Solution 1:

I'm a Fedora user, but hear me out, Ubuntu fans. I was struggling with the same problem, so here's my solution, which works for Fedora 25 with GnuPG 2.1.13 and surely under Ubuntu as well. It's a modification of Thomas' answer. Set the Key-Type and Subkey-Type as follows (I'm using nistp256, but use whatever curve your system supports):

# Primary (signing) key: ECDSA on nistp256.
# Key-Length is ignored for ECC keys by GnuPG; the curve sets the size.
Key-Type: ECDSA
Key-Curve: nistp256
Key-Length: 256
# Encryption subkey: ECDH on the same curve.
Subkey-Type: ECDH
Subkey-Curve: nistp256
Subkey-Length: 256
# Placeholder identity so the file runs unattended as-is; replace these.
Name-Real: Your Name
Name-Email: you@example.com
%commit

If you use ECC as the Key-Type and Subkey-Type, gpg will generate errors like these, and the public key will be ECDH, not ECDSA:

gpg: error reading rest of packet: Invalid argument
gpg: error reading rest of packet: Invalid argument
gpg: can't encode a 256 bit MD into a 72 bits frame, algo=8
gpg: can't encode a 256 bit MD into a 72 bits frame, algo=8

Also, note that in GnuPG v2.1 and later, the options %pubring and %secring are ignored (https://www.gnupg.org/documentation/manuals/gnupg/Unattended-GPG-key-generation.html) so don't use them.

And finally, check out https://www.gnupg.org/faq/whats-new-in-2.1.html#ecc; it's a good read about which curves to use. In fact, for me, v2.1.13 only lists the following during the interactive command:

$ gpg2 --expert --full-gen-key
...
(3) NIST P-256
(4) NIST P-384
(5) NIST P-521
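As an added example (not part of the answer above or of GnuPG itself), the following POSIX shell script puts the batch parameters into a function, runs the unattended generation in a throwaway home directory, and then reads the key back with `--list-keys --with-colons` to confirm that the primary key really is ECDSA (algorithm 19) and the subkey ECDH (algorithm 18), which is exactly the check that would have caught the `Key-Type: ECC` misconfiguration described above. The curve, identity, and the sample colon-separated listing are constructed for illustration; the script assumes `gpg` (GnuPG 2.1 or later) on PATH and only invokes it when `GPG_EXAMPLE_RUN=1` is set, because `%no-protection` writes an unencrypted secret key and is meant for disposable test keys only.

```bash
#!/bin/sh
# Added example: unattended ECDSA/ECDH key generation plus a post-generation
# algorithm check. Not from the original answer; identity and sample data are
# made up. Assumes gpg >= 2.1 on PATH when GPG_EXAMPLE_RUN=1.

# Emit the batch-parameter file. Key-Type must be ECDSA (not ECC) for the
# primary key and ECDH for the encryption subkey. %pubring/%secring are
# ignored by GnuPG 2.1+ and are deliberately absent.
ecc_batch_params() {
    # $1 = curve, $2 = real name, $3 = email
    cat <<EOF
%echo Generating an ECDSA/ECDH key pair on $1
Key-Type: ECDSA
Key-Curve: $1
Subkey-Type: ECDH
Subkey-Curve: $1
Name-Real: $2
Name-Email: $3
Expire-Date: 1y
%no-protection
%commit
%echo done
EOF
}

# Map a --with-colons public-key algorithm number (field 4) to a name.
# 1=RSA, 17=DSA, 18=ECDH, 19=ECDSA, 22=EdDSA (RFC 4880 / RFC 6637 / GnuPG).
algo_name() {
    case "$1" in
        1)  echo RSA ;;
        17) echo DSA ;;
        18) echo ECDH ;;
        19) echo ECDSA ;;
        22) echo EdDSA ;;
        *)  echo "unknown($1)" ;;
    esac
}

# Read --with-colons output on stdin; print "<primary algo> <subkey algo>"
# using the first pub and first sub record (field 1 = type, field 4 = algo).
key_algos_from_colons() {
    awk -F: '
        $1 == "pub" && !p { p = $4 }
        $1 == "sub" && !s { s = $4 }
        END { print p, s }
    '
}

# Constructed sample of what `gpg --list-keys --with-colons` prints for a
# correctly generated nistp256 key pair (key IDs and dates are fake).
sample_colons() {
    cat <<'EOF'
tru::1:1600000000:0:3:1:5
pub:u:256:19:0123456789ABCDEF:1600000000:1631536000::u:::scESC:::::nistp256:::0:
fpr:::::::::00000000000000000000000000000000000000000:
uid:u::::1600000000::0000000000000000000000000000000000000000::Example User <user@example.invalid>::::::::::0:
sub:u:256:18:FEDCBA9876543210:1600000000:1631536000:::::e:::::nistp256::
EOF
}

# Generate in a temporary homedir and report the algorithms actually produced.
generate_and_check() {
    homedir=$(mktemp -d)
    chmod 700 "$homedir"
    ecc_batch_params nistp256 "Example User" "user@example.invalid" \
        > "$homedir/params"
    gpg --homedir "$homedir" --batch --gen-key "$homedir/params"
    algos=$(gpg --homedir "$homedir" --list-keys --with-colons | key_algos_from_colons)
    set -- $algos
    echo "primary=$(algo_name "$1") subkey=$(algo_name "$2")"
    rm -rf "$homedir"
}

# Only touch gpg when explicitly requested and available.
if [ "${GPG_EXAMPLE_RUN:-0}" = 1 ] && command -v gpg >/dev/null 2>&1; then
    generate_and_check
fi
```

Run it with `GPG_EXAMPLE_RUN=1 sh ecc-keygen.sh`; the expected last line is `primary=ECDSA subkey=ECDH`. If the parameter file had said `Key-Type: ECC`, the first field would come back as something other than 19 and the check makes the mistake visible without having to read error messages.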