Generating PGP Keys

This article will guide you through the process of generating public and private keys for encrypting emails. This is for people using command line (unix) mail readers such as Mutt as well as those who use Linux workstations.

How to Generate PGP Keys

Run the following commands on your local workstation:

Note: You will have to run the same command to initialize the directory (step 1) and to generate the key (step 2).

  1. Initialize the GPG Directory

    > gpg --gen-key

    gpg (GnuPG) 1.0.6; Copyright (C) 2001 Free Software Foundation, Inc.
    This program comes with ABSOLUTELY NO WARRANTY.
    This is free software, and you are welcome to redistribute it
    under certain conditions. See the file COPYING for details.
    gpg: /home/keymaster/.gnupg: directory created
    gpg: /home/keymaster/.gnupg/options: new options file created
    gpg: you have to start GnuPG again, so it can read the new options file

  2. Generate a Private Key

    > gpg --gen-key

    gpg (GnuPG) 1.0.6; Copyright (C) 2001 Free Software Foundation, Inc.
    This program comes with ABSOLUTELY NO WARRANTY.
    This is free software, and you are welcome to redistribute it
    under certain conditions. See the file COPYING for details.
    gpg: /home/keymaster/.gnupg/secring.gpg: keyring created
    gpg: /home/keymaster/.gnupg/pubring.gpg: keyring created
    Please select what kind of key you want:
    (1) DSA and ElGamal? (default)
    (2) DSA (sign only)
    (4) ElGamal? (sign and encrypt)
    Your selection? 1
    DSA keypair will have 1024 bits.
    About to generate a new ELG-E keypair.
    minimum keysize is 768 bits
    default keysize is 1024 bits
    highest suggested keysize is 2048 bits
    What keysize do you want? (1024) 4096

    you really need such a large keysize? y
    Requested keysize is 4096 bits
    Please specify how long the key should be valid.
    0 = key does not expire
    = key expires in n days
    w = key expires in n weeks
    m = key expires in n months
    y = key expires in n years
    Key is valid for? (0) 0
    Key does not expire at all
    Is this correct (y/n)? y

    You need a User-ID to identify your key; the software constructs the user id
    from Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) "
    Real name: Your Real Name
    Email address: youremail@foo.upenn.edu
    You selected this USER-ID:
    "Your Real Name"
    Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
    You need a Passphrase to protect your secret key.
    Enter passphrase: pickapassphrase
    Repeat passphrase: pickapassphrase
    We need to generate a lot of random bytes. It is a good idea to perform
    some other action (type on the keyboard, move the mouse, utilize the
    disks) during the prime generation; this gives the random number
    generator a better chance to gain enough entropy.
    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++. ...
    you may see
    ...
    Not enough random bytes available. Please do some other work to give
    the OS a chance to collect more entropy! (Need 290 more bytes)
    We need to generate a lot of random bytes. It is a good idea to perform
    some other action (type on the keyboard, move the mouse, utilize the
    disks) during the prime generation; this gives the random number
    generator a better chance to gain enough entropy.
    +++++++++++++++.+++++++++++++++.+++++++++++++++++++++++++. public and secret key created and signed.

  3. Generate and print a copy of your public key ID and fingerprint

    >gpg --fingerprint

    An an example of the fingerprint output, here is the output of the NMLUG Keymaster's fingerprint:

    pub 1024D/14931423 2003-02-13 New Mexico Linux User Group Keymaster
    Key fingerprint = 724D 2514 93EC 83D4 E5BC D534 C5BC C12C 1493 1423
    sub 2048g/42685AC7 2003-02-13

Store your PGP passphrase in a secure place, such as a password manager (LastPass Premium is available for free to members of the Penn Community). The PGP system has no means to reset your password if you forget it. If you forget your passphrase, you will need to create a new key, send it out to everyone, and tell them to use the new one rather than the old one.

Mutt

If you use mutt to read your email, you may need to add this line to your .muttrc file:

source /usr/local/doc/mutt/samples/gpg.rc
© Computing and Educational Technology Services