From 76d557b0f6e6a5c5b5d80569b749d4db3aabaeef Mon Sep 17 00:00:00 2001
From: drduh
Date: Sun, 15 Jun 2025 14:08:13 -0700
Subject: [PATCH] set individual key types default to ed25519 for auth

---
 README.md           |  2 +-
 scripts/generate.sh | 44 ++++++++++++++++++++++++++++++--------------
 2 files changed, 31 insertions(+), 15 deletions(-)

diff --git a/README.md b/README.md
index f46e943..1e8af57 100644
--- a/README.md
+++ b/README.md
@@ -367,7 +367,7 @@ Subkeys must be renewed or rotated using the Certify key - see [Updating keys](#
 Set Subkeys to expire on a planned date:

 ```console
-export EXPIRATION=2027-05-01
+export EXPIRATION=2027-07-01
 ```

 The expiration date may also be relative, for example set to two years from today:
diff --git a/scripts/generate.sh b/scripts/generate.sh
index 0ec7cbd..a054585 100755
--- a/scripts/generate.sh
+++ b/scripts/generate.sh
@@ -32,12 +32,25 @@ get_id_label () {
   printf "YubiKey User "
 }

-get_key_type () {
-  # Returns key type and size.
+get_key_type_sign () {
+  # Returns key type for signature subkey.
   #printf "default"
   printf "rsa4096"
 }

+get_key_type_enc () {
+  # Returns key type for encryption subkey.
+  #printf "default"
+  printf "rsa4096"
+}
+
+get_key_type_auth () {
+  # Returns key type for authentication subkey.
+  #printf "default"
+  #printf "rsa4096"
+  printf "ed25519"
+}
+
 get_key_expiration () {
   # Returns key expiration date.
   printf "2027-07-01"
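Review bot: get_key_type_auth now defaults to ed25519 while the signature and encryption getters stay on rsa4096, but the getter's comment says nothing about the token having to accept that curve; as far as I know ed25519 OpenPGP keys can only be moved onto YubiKey firmware 5.2.3 or later, so a user with an older device would find out only when keytocard fails after the whole key set has been generated. I would put that caveat in the getter rather than in the commit message, e.g. `# Returns key type for authentication subkey. ed25519 needs YubiKey firmware 5.2.3+ (confirm against current docs); use rsa4096 for older devices.` All three getters also keep a commented-out `#printf "default"` alternative without saying what gpg resolves "default" to, which varies by GnuPG version and is a guess the reader should not have to make. If the aim is to let users pick a type without editing the script, `printf "%s" "${KEY_TYPE_AUTH:-ed25519}"` would honour an exported value and still fall back to this default, since set_attrs exports the getter's output under that same name.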
@@ -58,10 +71,12 @@ set_temp_dir () {
 set_attrs () {
   # Sets identity and key attributes.
   export IDENTITY="$(get_id_label)"
-  export KEY_TYPE="$(get_key_type)"
+  export KEY_TYPE_SIGN="$(get_key_type_sign)"
+  export KEY_TYPE_ENC="$(get_key_type_enc)"
+  export KEY_TYPE_AUTH="$(get_key_type_auth)"
   export KEY_EXPIRATION="$(get_key_expiration)"
-  printf "set attributes (label='%s', type='%s', expire='%s')\n" \
-    "$IDENTITY" "$KEY_TYPE" "$KEY_EXPIRATION"
+  printf "set attributes (label='%s', sign='%s', enc='%s', auth='%s', expire='%s')\n" \
+    "$IDENTITY" "$KEY_TYPE_SIGN" "$KEY_TYPE_ENC" "$KEY_TYPE_AUTH" "$KEY_EXPIRATION"
 }

 get_pass () {
@@ -85,8 +100,7 @@ gen_key_certify () {
   # Generates Certify key with no expiration.
   echo "$CERTIFY_PASS" | \
     gpg --batch --passphrase-fd 0 \
-    --quick-generate-key "$IDENTITY" \
-    "$KEY_TYPE" "cert" "never"
+    --quick-generate-key "$IDENTITY" "$KEY_TYPE_SIGN" "cert" "never"
 }

 set_fingerprint () {
@@ -102,13 +116,15 @@ set_fingerprint () {

 gen_key_subs () {
   # Generates Subkeys with specified expiration.
-  for SUBKEY in sign encrypt auth ; do \
-    echo "$CERTIFY_PASS" | \
-      gpg --batch --passphrase-fd 0 \
-      --pinentry-mode=loopback \
-      --quick-add-key "$KEY_FP" \
-      "$KEY_TYPE" "$SUBKEY" "$KEY_EXPIRATION"
-  done
+  echo "$CERTIFY_PASS" | \
+    gpg --batch --passphrase-fd 0 --pinentry-mode=loopback \
+    --quick-add-key "$KEY_FP" "$KEY_TYPE_SIGN" sign "$KEY_EXPIRATION"
+  echo "$CERTIFY_PASS" | \
+    gpg --batch --passphrase-fd 0 --pinentry-mode=loopback \
+    --quick-add-key "$KEY_FP" "$KEY_TYPE_ENC" encrypt "$KEY_EXPIRATION"
+  echo "$CERTIFY_PASS" | \
+    gpg --batch --passphrase-fd 0 --pinentry-mode=loopback \
+    --quick-add-key "$KEY_FP" "$KEY_TYPE_AUTH" auth "$KEY_EXPIRATION"
 }

 save_secrets () {
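Review bot: The Certify key's algorithm is now taken from KEY_TYPE_SIGN on the rewritten --quick-generate-key line, so a user who later edits get_key_type_sign to move the signature subkey to ed25519 silently changes the never-expiring Certify key as well, and neither gen_key_certify nor its comment says the two are coupled. Either give the Certify key its own getter (a get_key_type_cert exported as KEY_TYPE_CERT from set_attrs, which would also keep the subkey/Certify distinction the commit title is about) or at least document the coupling in place, e.g. `# Generates Certify key with no expiration; its algorithm follows the signature subkey type (KEY_TYPE_SIGN).` The start of gen_key_certify lies in the hunk header, so the surrounding function is only partly visible here.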
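Review bot: Unrolling the loop into three independent pipelines means the gpg invocations now run unconditionally with no status checked, so if the first --quick-add-key is rejected (for instance an algorithm the installed gpg or the card does not accept) the other two still run and the script carries on to save_secrets with a partial key set; whether the file runs under `set -e`/`pipefail` is not visible from this hunk, and even then it would only ever see the last pipeline stage. A small helper keeps a single copy of the command line, returns gpg's exit status directly (gpg is the last stage, so no pipefail is needed) and lets gen_key_subs chain the three calls with `&&` so it stops at the first failure and reports non-zero to whatever calls it. The added lines also echo the passphrase three times; `printf '%s\n' "$CERTIFY_PASS"` avoids echo's option and backslash handling should a passphrase ever begin with a dash or contain escapes. Sketch of the rewrite:
```shell
gen_key_sub () {
  # Adds one subkey to $KEY_FP: $1 = key type, $2 = usage (sign|encrypt|auth).
  # Exit status is gpg's (last pipeline stage), so callers see a failure.
  printf '%s\n' "$CERTIFY_PASS" | \
    gpg --batch --passphrase-fd 0 --pinentry-mode=loopback \
    --quick-add-key "$KEY_FP" "$1" "$2" "$KEY_EXPIRATION"
}

gen_key_subs () {
  # Generates Subkeys with specified expiration; stops at the first failure.
  gen_key_sub "$KEY_TYPE_SIGN" sign &&
    gen_key_sub "$KEY_TYPE_ENC" encrypt &&
    gen_key_sub "$KEY_TYPE_AUTH" auth
}
```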