Generate an OpenPGP Key Pair using GnuPG


This article explains how to generate an OpenPGP key pair using GNU Privacy Guard (GPG). For an introduction to email encryption, first read the referenced articles listed below.


Step 1: Install the GnuPG package

For Linux operating systems that use the Apt package manager (I use Debian), enter the following into your terminal. Otherwise, install the GnuPG binary for your operating system from the GnuPG download webpage.

$ sudo apt update
$ sudo apt install gnupg

Step 2: Generate the key pair

$ gpg --gen-key

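The following text-based menu will appear in the terminal. (On GnuPG 2.1 and later this menu is shown by gpg --full-generate-key; there, --gen-key asks only for a name and email address and uses default key settings.)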

Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)

Select the type of key you want. RSA and RSA is the recommended type. The "(sign only)" key types cannot be used for encryption. Next, enter the key size you want. I entered 4096.

What keysize do you want? (2048)

Then enter how long you would like the key to be valid and press y to confirm the expiration date. If you select 0, the key does not expire and will need to be revoked when you no longer wish to use it.

Please specify how long the key should be valid.
0 = key does not expire
<n>  = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)

Next, enter your name, email address, and optional comment. Your name and email address can be anything you want, not necessarily your real name or email address. To use your OpenPGP key for encrypting email, put the email address you want to use with encryption in the “Email address” prompt.

You need a user ID to identify your key; the software constructs the user ID from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: John Q. Alias
Email address: the-email-youre-going-to-use@whatever.tld

Now enter a strong password that you can remember. If you forget this password, it cannot be recovered, and any data encrypted to this key, including emails, will be permanently inaccessible. Press ENTER when complete to begin generating the key. Upon completion, you’ll see the message:

Your OpenPGP public/private key pair has been generated!

Step 3: List your keys

Use the following command to list your keys:

$ gpg --list-secret-keys

This should output data in a format like this:

sec   4096R/0xE361D8GH916EFH89 2014-05-14 [expires: 2016-05-14]
      Key fingerprint = 1234 5678 90AB CDEF GH01  2344 5678 9012 ABCE FGH1
uid                            John Q. Alias <the-email-youre-going-to-use@wherever.tld>
ssb   4096R/0x40339E25E2F2D99E 2014-05-14

Any reference to your KEY-ID below can be found in the output of the command above. The line to look at is the sec line of each entry. It contains sec, the key strength and type abbreviation (4096R in the first line), a slash, the KEY-ID, and then the creation date. The code box below shows the output again; the KEY-ID is the value after the slash on the sec line:

sec   4096R/0xE361D8GH916EFH89 2014-05-14 [expires: 2016-05-14]
      Key fingerprint = 1234 5678 90AB CDEF GH01  2344 5678 9012 ABCE FGH1
uid                            John Q. Alias <the-email-youre-going-to-use@wherever.tld>
ssb   4096R/0x40339E25E2F2D99E 2014-05-14

So for this example, the KEY-ID would be E361D8GH916EFH89. However, you should not rely on the KEY-ID! Instead, you should use your full fingerprint for all operations.

Step 4: Export your public OpenPGP key

Create an ASCII armored version of your public key for exporting by typing:

$ gpg --export -a [fingerprint] > mykey.asc

You’ve just exported your ASCII armored OpenPGP public key to the file mykey.asc in the folder you were in (your home directory, if you opened a new terminal). Now you can send the key to whomever you want to be able to encrypt files to you.
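
The advice in Steps 3 and 4 to work from the full fingerprint can be scripted. The following is an added example, not part of the original article: it reads gpg's `--with-colons` listing, prints each primary key's fingerprint with its expiry, and refuses to export when handed a key ID instead of a fingerprint. The function names and the sample listing are constructed for illustration, and it assumes 40-hex-digit (v4) fingerprints.

```shell
#!/bin/sh
# Added example (not from the article). Assumes 40-hex-digit v4 fingerprints.

# Constructed sample of `gpg --list-secret-keys --with-colons` output;
# every key ID, fingerprint and hash in it is made up.
SAMPLE_LISTING='sec:u:4096:1:89ABCDEF01234567:1400025600:1463097600::u:::scESC:::+:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1400025600::0000000000000000000000000000000000000000::John Q. Alias <alias@example.org>::::::::::0:
ssb:u:4096:1:40339E25E2F2D99E:1400025600:1463097600:::::e:::+:::23:
fpr:::::::::FEDCBA9876543210FEDCBA9840339E25E2F2D99E:'

# Print "FINGERPRINT EXPIRY" for each primary secret key read from stdin.
# Colon format: field 1 = record type, field 7 = expiry (epoch seconds),
# field 10 = fingerprint. Only the fpr record that follows a sec record is
# the primary key's; the one after ssb belongs to the encryption subkey.
primary_fingerprints() {
  awk -F: '
    $1 == "sec" { want = 1; expiry = ($7 == "" ? "never" : $7); next }
    $1 == "ssb" { want = 0 }
    $1 == "fpr" && want { print $10, expiry; want = 0 }'
}

# Strip the spaces gpg prints in "Key fingerprint = ..." and succeed only for
# a full fingerprint; 8- or 16-digit key IDs and non-hex input are rejected.
normalize_fingerprint() {
  fpr=$(printf '%s' "$1" | tr -d ' ')
  [ "${#fpr}" -eq 40 ] || return 1
  case $fpr in *[!0-9A-Fa-f]*) return 1 ;; esac
  printf '%s\n' "$fpr"
}

# Step 4 with a guard: export the armored public key only by full fingerprint.
export_public_key() {
  fpr=$(normalize_fingerprint "$1") || {
    echo "refusing to export: not a full fingerprint: $1" >&2
    return 2
  }
  gpg --export --armor "$fpr" > "${2:-mykey.asc}"
}

# Demo on the constructed sample. Against a real keyring, use:
#   gpg --list-secret-keys --with-colons | primary_fingerprints
printf '%s\n' "$SAMPLE_LISTING" | primary_fingerprints
```

The expiry is printed as epoch seconds, or `never` when the key has no expiration date.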
