A Practical Guide to GPG Part 1: Generate Your Public/Private Key Pair (2024)

This tutorial series will teach you how to use GPG (GNU Privacy Guard) in the Linux terminal, so you will be able to send encrypted email messages and digitally sign documents.

What is GPG?

GPG (GNU Privacy Guard) is an open-source implementation of the OpenPGP protocol. It’s a free alternative to the PGP program. Then what is PGP? PGP (Pretty Good Privacy) is an encryption program developed in 1991 by Phil Zimmermann.

PGP and GPG are commonly used for two things.

  • Encryption: encrypt emails and files like Edward Snowden does every day, so bad actors can’t read your encrypted emails and files.
  • Signing: create digital signatures for signing documents. You can also use it to digitally sign all your outgoing emails, so the recipient can know the email hasn’t been tampered with. The software repository of your Linux distribution is also signed by a PGP key, so you can be sure that you are not downloading malware when running the command sudo apt update or sudo dnf update.

The terms PGP and GPG are sometimes used interchangeably. You can say you have a PGP key or a GPG key.

Encryption at rest

If you run your own email server, you should know that a TLS certificate can be used to encrypt email traffic between SMTP servers. So why use GPG?

  • A TLS certificate is used to encrypt email traffic in transit. Hackers can’t snoop on your email traffic and extract valuable information.
  • GPG is used to encrypt emails at rest. If someone gains access to your computer, your emails are still safe, because only you have the passphrase to decrypt the email messages.

End-to-End Encryption

An email server admin can configure the server to encrypt all email messages at rest for users. This is a form of centralized encryption. Perhaps the email server admin has the private key and can decrypt all email messages. You can’t be sure that they can’t decrypt your emails.

In contrast, GPG uses end-to-end encryption, meaning the encryption is done on the user’s computer before sending it out to the recipient. The private key is stored on the user’s computer, so the email server admin can’t decrypt the email message.

Hint: It’s not required to run your own email server. You can use GPG with Gmail, Yahoo Mail, or any email account.

6-Part Tutorial Series

The tutorial series is divided into 6 parts:

  • Part 1: Generate Your Public/Private Keypair
  • Part 2: Public Key Management
  • Part 3: Encrypt and Decrypt Message
  • Part 4: How to encrypt and decrypt emails in the Thunderbird email client
  • Part 5: Digital Signature
  • Part 6: How to Verify PGP Signature of Downloaded Software on Linux

This is part 1 of this series. At the end of this article, you should be able to generate your own public/private key pair and a revocation certificate, which is used to revoke your public/private key pair when your private key is compromised or you forget the passphrase for your private key.

Step 1: Install GPG

GPG is pre-installed on most Linux distributions, though you can run the following commands to install it.

  • Debian/Ubuntu: sudo apt install gpg
  • Fedora/CentOS/RHEL/Rocky Linux: sudo dnf install gpg
  • Arch Linux: sudo pacman -S gpg
  • OpenSUSE: sudo zypper install gpg

This article uses the modern GPG 2.2 / 2.3 version. The legacy version (1.x) won’t be discussed. Most Linux distributions come with the modern 2.2 / 2.3 version.

  • macOS users can use the gpgtools to install GPG.
  • Windows users can install the GPG4win package. (You really shouldn’t be using Windows if you care about privacy.)

Step 2: Check Your GPG Version

Let’s check the GPG version on the system and some interesting tidbits. Run the following command.

gpg --version

As you can see, I’m using GPG 2.2.27. We also know that the configuration directory is ~/.gnupg, which will hold our public/private key files. It also tells us what algorithms are supported.

If you look closely, you can see that the insecure hash algorithm SHA1 is still supported in version 2.2.27. SHA1 is obsolete and you don’t want to use it to generate digital signatures.

Step 3: Create Your Public/Private Key Pair and Revocation Certificate

Run the following command to generate your key pair. GPG defaults to RSA keys. We use the --expert mode because it allows us to create more secure keys (ed25519).

gpg --expert --full-gen-key

Hint: If you generate a GPG key on the console or in a pure command-line environment, you should run this command instead: gpg --expert --pinentry-mode=loopback --full-gen-key.

It asks you what kind of key you want. There are 14 options. Choose the 9th option, so it will create an ECC (Elliptic curve cryptography) public/private keypair and an ECC signing key.

Then it asks you which elliptic curve you want. Choose the first option to create ed25519 keys.

Next, choose how long the key should be valid. 2 years is fine. You can always extend the time when it’s about to expire. Then it asks you if it’s correct. Notice that the default is No, press y then Enter to confirm it’s correct.

Now we need to provide some user identification information for the key. This is important because this information will be included in our key. It’s one way of indicating who is the owner of this key. The email address is a unique identifier for a person. You can leave the Comment field blank. Actually, you should never enter anything in the Comment field.

After that, it asks you to enter a passphrase to protect your private key. Enter a good and long passphrase and remember it. If you forget this passphrase, you won’t be able to unlock your private key.

Once you enter and confirm your passphrase, GPG will generate your keys in a jiffy.

We can see from the above screenshot that GPG created a unique identifier for the public key (752E173A3F8B04F5). This unique identifier is in hex format. When someone wants to download your public key, they can use your email address or this hex value as a unique identifier.

GPG also created a revocation certificate.

Your private key is stored under the ~/.gnupg/private-keys-v1.d/ directory. There are two files with the .key extension. You should never share your private key with anyone. If your private key is compromised, you can use the revocation certificate to revoke your public key, which means you tell the rest of the world that this public key shall not be used anymore. I suggest that you open this revocation certificate with your text editor to see what’s inside there.

The public key ID (752E173A3F8B04F5) matches the last 16 bits of the key fingerprint. The key fingerprint is a hash of your public key.
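The choices made in Step 3 can be checked from GPG's machine-readable key listing instead of the interactive output. The script below is an added example, not part of the original tutorial: the function names and the sample listing are constructed, and it relies on the documented --with-colons field positions (4 = algorithm, 5 = long key ID, 7 = expiry, 10 = fingerprint).

```shell
#!/bin/sh
# Added example (not from the tutorial): audit a key listing against Step 3.
# Feed it the output of:  gpg --list-keys --with-colons user-id
# Colon-format fields used: 1 record type, 4 public-key algorithm (22 = EdDSA),
# 5 long key ID, 7 expiry (empty = never), 10 fingerprint on "fpr" records.

# Constructed sample listing; these are not real keys.
sample_listing() {
cat <<'EOF'
pub:u:255:22:89ABCDEF01234567:1700000000:1763072000::u:::scESC:::::ed25519:::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1700000000::::Alice Example <alice@example.com>::::::::::0:
sub:u:255:18:FEDCBA9876543210:1700000000:1763072000:::::e:::::cv25519::
fpr:::::::::00112233445566778899AABBFEDCBA9876543210:
EOF
}

# Prints "OK <fingerprint>" or "WARN <fingerprint>: <problems>" per primary key.
# Exit status: 0 all keys pass, 1 at least one warning, 2 no primary key found.
audit_primary_keys() {
  awk -F: '
    $1 == "pub" { algo = $4; keyid = $5; expires = $7; pending = 1; next }
    $1 == "fpr" && pending {
      pending = 0; seen = 1; fpr = $10; problems = ""
      if (algo != 22)    problems = problems " not-eddsa(algo=" algo ")"
      if (expires == "") problems = problems " no-expiry"
      # The long key ID is the last 16 hex digits of a v4 fingerprint.
      if (substr(fpr, length(fpr) - 15) != keyid)
        problems = problems " keyid-mismatch"
      if (problems != "") { print "WARN " fpr ":" problems; bad = 1 }
      else print "OK " fpr
    }
    END {
      if (!seen) { print "FAIL no primary key found"; exit 2 }
      exit bad + 0
    }'
}

sample_listing | audit_primary_keys
```

On a real keyring, replace the last line with: gpg --list-keys --with-colons user-id | audit_primary_keys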

Step 4: Export Your Public Key

Other people need your public key to send an encrypted message to you and only your private key can decrypt it. Use the following command to export your public key. The --armor option means that the output is ASCII armored. The default is to create the binary OpenPGP format. user-id is your email address.

gpg --armor --export user-id > pubkey.asc

The exported public key is written to the pubkey.asc file. Give this file to anyone who wants to send an encrypted message to you.

Step 5: Export Your Private Key

Issue the following command to export your private key.

gpg --export-secret-keys --armor user-id > privkey.asc

The exported key is written to the privkey.asc file.

Step 6: Protect Your Private Key and Revocation Certificate

Your private key should be kept in a safe place, like an encrypted flash drive. Treat it like your house key. Never share it with others. And you must remember your passphrase, otherwise, you can’t unlock your private key.

You should also protect your revocation certificate. If others have your revocation certificate, they can immediately revoke your public/private key pair and generate a fake public/private key pair.
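A shell redirect such as the one in Step 5 creates privkey.asc with whatever the current umask allows, which on many systems leaves it readable by other local users. The helpers below are an added example, not part of the original tutorial; write_private and find_exposed are hypothetical names chosen here, and the only gpg invocation shown is the one from Step 5.

```shell
#!/bin/sh
# Added example (not from the tutorial): keep exported secrets owner-only.

# write_private OUTFILE COMMAND [ARGS...]
# Runs COMMAND and stores its stdout in OUTFILE with mode 0600. A plain
# "> file" redirect uses the current umask (often 022, i.e. world-readable)
# and keeps the old mode if the file already exists, so both cases are handled.
write_private() {
  (
    out=$1; shift
    umask 077
    : > "$out" && chmod 600 "$out" && "$@" > "$out"
  )
}

# find_exposed PATH...
# Prints every file or directory under PATH that group or others can read,
# write or execute. Symbolic links are skipped (their own mode is meaningless).
find_exposed() {
  for p in "$@"; do
    [ -e "$p" ] || continue
    find "$p" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
      -o -perm -004 -o -perm -002 -o -perm -001 \) -print
  done
}

# Typical use with the commands from Steps 5 and 6:
#   write_private privkey.asc gpg --export-secret-keys --armor user-id
#   find_exposed ~/.gnupg privkey.asc   # no output means nothing is exposed
```

Running find_exposed over ~/.gnupg also covers the revocation certificate that GnuPG stores inside that directory.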

Next Step

In part 2 you will learn how to upload your public key to a key server, so others can import your public key and send you encrypted messages. Take care!

  • A Practical Guide to GPG Part 2: Public Key Management



Author: Zonia Mosciski DO
