Recipe 7.6 Setting Up GnuPG for Public-Key Encryption

7.6.1 Problem

You want to start using GnuPG for more sophisticated operations, such as encrypting and signing files for other parties to decrypt.

7.6.2 Solution

Generate a GnuPG keypair:

$ gpg --gen-key

then set a default key if you like [Recipe 7.8] and you're ready to use public-key encryption.

We strongly recommend you also create a revocation certificate at this time, in case you ever lose the key and need to tell the world to stop using it. [Recipe 7.22]

7.6.3 Discussion

Public-key encryption lets you encrypt a file that only a designated recipient can decrypt, without sharing any secrets like an encryption password. This recipe discusses just the initial setup.

First you need to generate your very own GnuPG keypair, which consists of a secret (private) key and a public key. This is accomplished by:

$ gpg --gen-key

You'll be asked various questions, such as the key size in bits, key expiration date if any, an ID for the key, and a passphrase to protect the key from snoopers.

First you'll be asked to choose the type of key. For most purposes simply choose the default by pressing RETURN:

Please select what kind of key you want:
        (1) DSA and ElGamal (default)
        (2) DSA (sign only)
        (4) ElGamal (sign and encrypt)
Your selection? <return>

Next, choose how many bits long the key should be. Longer keys are less likely to be cracked. They also slow down encryption and decryption performance, but on a fast processor you aren't likely to notice. Choose at least 1024 bits.

DSA keypair will have 1024 bits.
About to generate a new ELG-E keypair.
                minimum keysize is  768 bits
                default keysize is 1024 bits
        highest suggested keysize is 2048 bits
What keysize do you want? (1024) 2048

Next specify when the key should expire. For average use, a permanent key is best:

Please specify how long the key should be valid.
        0 = key does not expire
        <n> = key expires in n days
        <n>w = key expires in n weeks
        <n>m = key expires in n months
        <n>y = key expires in n years
Key is valid for? (0) <return>

Key does not expire at all
Is this correct (y/n)? y

But if your key should expire, choose a lifetime and you'll see:

Key expires at Fri 19 Apr 2002 08:32:24 PM EDT
Is this correct (y/n)?

Next, choose a unique identifier for your key. gpg constructs an ID by combining your name, email address, and a comment.

You need a User-ID to identify your key; the software constructs the user id
from Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <>"

Real name: Shawn Smith
Email address:
Comment: My work key
You selected this USER-ID:
    "Shawn Smith (My work key) <>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

Next, choose a secret passphrase. Your key will be stored encrypted, and only this passphrase can unlock it for use.

You need a Passphrase to protect your secret key.
Enter passphrase: ******
Repeat passphrase: ******

Eventually, you will see:

public and secret key created and signed.

which means your key is ready for use. Now you can encrypt [Recipe 7.11], decrypt [Recipe 7.5], sign [Recipe 7.12], and verify [Recipe 7.15] files by public-key encryption.

7.6.4 See Also