GNU Privacy Guard

More Information

• The GNU Privacy Guard Home
• Big Lumber Links
• Pathfinder

Create a key pair

If this is your first execution of gpg, it may ask you to re-run it ...

gpg --gen-key

• Select #1, DSA and ElGamal
• Select keysize of 2048
• Select an expiration (maybe 10 years?)
• Enter your Full Name
• Enter your Primary (long term) email address
• Enter a "Comment" (can be "role", or "nickname" etc ... or blank)
• Check the resulting USER-ID (carefully!) and OK if it is correct.
• Select a passphrase. It is highly recommended that this passphrase not be omitted and be difficult to guess.

Move the mouse and such to help the entropy source.

Note the keyid of the master key, it is the 8 character hex string on the line begining with "pub" and is found right after the '/' character.

Create a revocation cert

It is generally a good idea to create a revocation certificate. It can be used in the future to revoke your key if you feel it has been compromised:

gpg --output revoke.asc --gen-revoke USER-ID

Store the revocation cert is a safe place. Also, you may want to print it out and store it somewhere safe in case of media failure.

Add userids to your key pair

You can bind as many userid's as you like to a key. Each email address that you might want to use to send (or receive) authenticated email from (at) should be added as a seperate userid.

Substitute the "keyid" for your key for "KEYID" in the next command:

gpg --edit-key KEYID

• At the "Command>" prompt type "adduid"
• Supply the Name, Email and Comment fields as before.
• Repeat these steps for all uid's you wish to add.
• Type "save" to save and exit the key editor.

Submit your key to the keyserver

Replace KEYID with the keyid of your key:

gpg --send-key KEYID

Signing another person's key

IMPORTANT! Make absolutely sure that the key you are signing actually belongs to the person it identifies!

Signing a key where you have not verified the identity could help an imposter "steal" that identity.

A good practice here is to have the person who owns the key verify the fingerprint and present photo identification in person.

Once you have established that the key is owned by the person that the key identifies you sign their public key.

First, fetch their public key from a keyserver, if you don't already have it on your ring:

gpg --recv-key KEYID-OR-FINGERPRINT

Next, edit the key and add the signature:

gpg --edit-key KEYID-OR-FINGERPRINT

• At the "Command>" prompt type "sign".
• Answer the questions with appropriate answers.
• At the "Command>" prompt type "save".

Update the trust database:

gpg --update-trustdb

• Answer the questions with appropriate answers

Resubmit the signed key back to the keyserver:

gpg --send-key KEYID-OR-FINGERPRINT

Export a key in ascii, for transmission or publication

gpg --export --armor KEYID