22 Sep 2021 [guides]

Generating full GPG keypairs

Motivation

Keypairs (public key + private key) essentially act as identities. Having your own keypair enables you to digitally sign, encrypt and decrypt files and messages.

Assumptions

Create new keypair

In your terminal:

Follow the prompts:

  1. (1) RSA and RSA (type of key)
  2. 4096 (keysize in bits)
  3. 2y (expiry date)
  4. y (confirmation)

Choose whatever you want, but I suggest you get a 4096-bit RSA/RSA key.

You can skip the Comment field and enter an email address to be associated with your keypair.

Enter a strong passphrase to protect your secret key. This is important; do not skip this step. If someone steals your secret key file, this passphrase is the only thing protecting it. Store the passphrase securely.

After a few seconds (sometimes 1-2 minutes), the keypair should be generated.

GPG should’ve also created a revocation certificate for this keypair:

gpg: revocation certificate stored as ‘/home/user/.gnupg/openpgp-revocs.d/01234567890.rev’

You will need that certificate to tell others to ignore the keypair if it ever gets lost or compromised. It might be a good idea to store it separately from the secret key.
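The same choices as the prompts above (RSA and RSA, 4096 bits, 2-year expiry, passphrase-protected) can be made non-interactively with GnuPG's unattended key generation parameter file. The script below is an added example and is not part of the original guide; it assumes gpg 2.2 or later on PATH, reads the passphrase from an environment variable named GPG_PASSPHRASE (a name chosen for this example, not a GnuPG setting), and the function names are its own.

```shell
#!/bin/sh
# Added example: non-interactive equivalent of the prompts in the guide,
# using gpg --batch --generate-key with a parameter file. Parameter names
# (Key-Type, Expire-Date, ...) are GnuPG's; the function names are ours.

# Emit a parameter file mirroring the interactive answers: RSA signing key
# plus RSA encryption subkey, 4096 bits, 2-year expiry, passphrase-protected.
gen_batch_params() {
  name="$1"; email="$2"; passphrase="$3"
  cat <<EOF
%echo Generating a 4096-bit RSA/RSA keypair for $email
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 4096
Subkey-Usage: encrypt
Name-Real: $name
Name-Email: $email
Expire-Date: 2y
Passphrase: $passphrase
%commit
%echo done
EOF
}

# Generate the keypair. The parameter file briefly contains the passphrase,
# so it is written mode 0600 inside a private temp dir and removed afterwards.
generate_keypair() {
  name="$1"; email="$2"
  passphrase="${GPG_PASSPHRASE:?set GPG_PASSPHRASE in the environment}"
  command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 1; }
  tmpdir=$(mktemp -d) || return 1
  ( umask 077; gen_batch_params "$name" "$email" "$passphrase" > "$tmpdir/params" )
  # loopback pinentry lets the passphrase from the file reach gpg-agent
  # without a dialog; --batch suppresses all other prompts.
  gpg --batch --pinentry-mode loopback --generate-key "$tmpdir/params"
  status=$?
  rm -rf "$tmpdir"
  # gpg 2.1+ also drops a revocation certificate next to the keyring,
  # exactly as the interactive run reports. List it so it can be moved
  # to separate storage.
  echo "Revocation certificates (store separately from the secret key):"
  ls "${GNUPGHOME:-$HOME/.gnupg}/openpgp-revocs.d/" 2>/dev/null
  return "$status"
}

# Usage: GPG_PASSPHRASE='...' sh keygen.sh "Real Name" user@example.com
# (the passphrase deliberately is not an argument: argv shows up in ps).
if [ "$#" -ge 2 ]; then
  generate_keypair "$1" "$2"
fi
```

Point GNUPGHOME at a scratch directory when trying this so it does not touch your real keyring, and note that the parameter file is the only place the passphrase exists on disk, which is why it is created with a restrictive umask and deleted immediately after gpg returns.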

Export public key

Find your key’s ID, fingerprint or email address. You can use any of those to specify from which keypair to export.

I will use my email as an example:

Note: use your own email, key ID or fingerprint, and feel free to change the file name above.

That’s all. Now share your public key file with anyone you wish to communicate with.
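Before sharing the exported file, it is worth publishing the key's fingerprint alongside it so recipients can confirm they imported the right key. The script below is an added example, not code from the original guide: it exports the public key in ASCII armour, pulls the primary fingerprint out of gpg's machine-readable listing, and formats it for comparison. The gpg flags are GnuPG's own; the function names and the embedded sample listing are constructed for this example and do not describe a real key.

```shell
#!/bin/sh
# Added example: export a public key and extract its primary fingerprint.
# Function names are this example's; gpg flags are GnuPG's.

# Export one public key as an armoured .asc file. "$1" is the key ID,
# fingerprint or email used to select it (the same selectors the guide names).
export_public_key() {
  selector="$1"; outfile="${2:-public-key.asc}"
  command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 1; }
  gpg --armor --export "$selector" > "$outfile" || { rm -f "$outfile"; return 1; }
  # A selector that matches nothing leaves an empty file; refuse to share that.
  [ -s "$outfile" ] || { echo "no key matched $selector" >&2; rm -f "$outfile"; return 1; }
  echo "wrote $outfile"
}

# Read a machine-readable listing (gpg --with-colons --fingerprint <selector>)
# on stdin and print the primary key fingerprint: the first "fpr" record,
# field 10, per the --with-colons format in gpg's documentation.
primary_fingerprint() {
  awk -F: '$1 == "fpr" { print $10; exit }'
}

# Group a 40-hex-digit fingerprint into blocks of four, as gpg prints it,
# so it can be compared by eye or read out over the phone.
format_fingerprint() {
  printf '%s\n' "$1" | sed 's/\([0-9A-Fa-f]\{4\}\)/\1 /g; s/ *$//'
}

# Constructed sample listing in --with-colons format (not a real key).
SAMPLE_LISTING='pub:u:4096:1:0123456789ABCDEF:1632268800:1695340800::u:::scESC::::::23::0:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
uid:u::::1632268800::0000000000000000000000000000000000000000::Example User <user@example.com>::::::::::0:
sub:u:4096:1:76543210FEDCBA98:1632268800:1695340800:::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# Fingerprint taken from the sample listing above; with a real key use
#   gpg --with-colons --fingerprint "$selector" | primary_fingerprint
sample_fingerprint() {
  printf '%s\n' "$SAMPLE_LISTING" | primary_fingerprint
}

# Usage: sh export.sh user@example.com [public-key.asc]
if [ "$#" -ge 1 ]; then
  export_public_key "$1" "${2:-public-key.asc}" || exit 1
  fp=$(gpg --with-colons --fingerprint "$1" | primary_fingerprint)
  echo "Primary fingerprint: $(format_fingerprint "$fp")"
fi
```

The fingerprint is what the recipient should check against a second channel (in person, a phone call, your website) after importing the .asc file; the file name itself carries no trust, and a key ID alone is too short to rely on.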

Keep safe:

Going deeper

There are other things you can do for extra security but the complexity grows with each step. Maybe I will touch on some of those topics in future guides.

I suggest you take a look at subkeys [2] or explore my cleartext digital signatures guide [3].

  1. https://www.gnupg.org/download/
  2. https://wiki.debian.org/Subkeys
  3. /gpg-cleartext-signatures