How to Create an OpenPGP/GnuPG Key
At the time of writing we recommend that you use a key length of 4096 bits. It is generally agreed that 1024 is too short by now and 2048 is OK. 4096 bits will be good for a bit longer though.
Follow these steps:
Choose some configuration for GnuPG. If you already have some configuration in
$HOME/.gnupg/gpg.conf you may want to review those settings. Otherwise you can generate some reasonable defaults as follows:
mkdir -p $HOME/.gnupg chmod u=rwx,go= $HOME/.gnupg cat > $HOME/.gnupg/gpg.conf << 'EOF' personal-digest-preferences SHA256 cert-digest-algo SHA256 default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed keyid-format long keyserver keys.gnupg.net EOF
man gpg to learn about the options.
We recommend to use 16 digit key IDs (the
keyid-format long above). You may also encounter the abbreviated version with just the last 8 digits.
Then generate the actual key:
(1) RSA and RSA (default) as the kind of key and 4096 as the key size. A key without expiry date is convenient (if a bit dangerous if you are the paranoid kind). Give the name and e-mail as you would like them to appear in the key. You may choose a comment (like
private) or leave it empty. Make sure you use a good passphrase (just make it long as in 20 characters or more, e.g. a few words you can remember).
This will generate a new key for you which is identified by an 16 digit key ID (something like
0123456789ABCDEF if you chose the configuration recommended above). Use this key ID below where it says
You should add this key as the default key to you GnuPG configuration:
echo "default-key <KEY-ID>" >> $HOME/.gnupg/gpg.conf
If you want to add more e-mail addresses (e.g., to use the key for both work and private) you can do it like this:
gpg --edit-key <KEY-ID> ... command> adduid
and give the new real name, e-mail, and optionally a comment.
You may add extra names/e-mail at any time later. However, for people to sign your key you will want to have all relevant UIDs already be part of the key. If indeed you add an additional UID later you will need to ask people to sign your key again for the new UID.
Upload to Key Server
Send your key to the key servers (the important ones are connected):
gpg --send-key <KEY-ID>
This will make it more convenient for others to find your key.
Meet other people you want to exchange signed or encrypted messages and continue with how to sign an OpenPGP/GnuPG key
If you get a chance you should attend some key signing parties.
To trust your own key and to encrypt messages (without a trust warning) to other identities you have checked and signed:
gpg --edit-key <KEY-ID> ... gpg> trust Please decide how far you trust this user to correctly verify other users' keys (by looking at passports, checking fingerprints from different sources, etc.) 1 = I don't know or won't say 2 = I do NOT trust 3 = I trust marginally 4 = I trust fully 5 = I trust ultimately m = back to the main menu Your decision? 5 Do you really want to set this key to ultimate trust? (y/N) y gpg> q