How to Create an OpenPGP/GnuPG Key

Note: OpenPGP is the name of the standard and GnuPG (command line name gpg) is the name of the free implementation most people use.

At the time of writing we recommend that you use a key length of 4096 bits. It is generally agreed that 1024 is too short by now and 2048 is OK. 4096 bits will be good for a bit longer though.

Follow these steps:

GnuPG Configuration

Choose some configuration for GnuPG. If you already have some configuration in $HOME/.gnupg/gpg.conf you may want to review those settings. Otherwise you can generate some reasonable defaults as follows:

mkdir -p $HOME/.gnupg
chmod u=rwx,go= $HOME/.gnupg

cat > $HOME/.gnupg/gpg.conf << 'EOF'
personal-digest-preferences SHA256
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
keyid-format long
keyserver keys.gnupg.net
EOF

Read man gpg to learn about the options.

We recommend to use 16 digit key IDs (the keyid-format long above). You may also encounter the abbreviated version with just the last 8 digits.

Key Generation

Then generate the actual key:

gpg --gen-key

choose (1) RSA and RSA (default) as the kind of key and 4096 as the key size. A key without expiry date is convenient (if a bit dangerous if you are the paranoid kind). Give the name and e-mail as you would like them to appear in the key. You may choose a comment (like work or private) or leave it empty. Make sure you use a good passphrase (just make it long as in 20 characters or more, e.g. a few words you can remember).

This will generate a new key for you which is identified by an 16 digit key ID (something like 0123456789ABCDEF if you chose the configuration recommended above). Use this key ID below where it says .

You should add this key as the default key to you GnuPG configuration:

echo "default-key <KEY-ID>" >> $HOME/.gnupg/gpg.conf

Additional Names/Addresses

If you want to add more e-mail addresses (e.g., to use the key for both work and private) you can do it like this:

gpg --edit-key <KEY-ID>
...
command> adduid

and give the new real name, e-mail, and optionally a comment.

You may add extra names/e-mail at any time later. However, for people to sign your key you will want to have all relevant UIDs already be part of the key. If indeed you add an additional UID later you will need to ask people to sign your key again for the new UID.

Upload to Key Server

Send your key to the key servers (the important ones are connected):

gpg --send-key <KEY-ID>

This will make it more convenient for others to find your key.

Collect Signatures

Meet other people you want to exchange signed or encrypted messages and continue with how to sign an OpenPGP/GnuPG key

If you get a chance you should attend some key signing parties.

Trust

To trust your own key and to encrypt messages (without a trust warning) to other identities you have checked and signed:

gpg --edit-key <KEY-ID>
...
gpg> trust
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

gpg> q