The following assumes "gpg" is in your $PATH. If you're using a unix of some sort and have GnuPG installed, this is almost definitely the case. In windows, you either need to add it to your path, or instead of "gpg" type "C:\Program Files\GnuPG\gpg.exe" (you'll need quotes since it has a space in it).
Using the gpg utility, create your key.
$ gpg --gen-key gpg (GnuPG) 1.4.1; Copyright (C) 2005 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) Your selection?
Select 1, and you'll see:
RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048)
You should type "4096" here.
Requested keysize is 4096 bits Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0)
If this is your first key, I'd recommend choosing 1 year for your expiration date. This way lost passphrases, forgotten keys, etc. all get expired. However, if you use PGP regularly, having a key that doesn't expire isn't unreasonable as long as you generate a revocation cert you store somewhere separately! So pick 1 year:
Key expires at Tue Sep 10 13:48:16 2014 PDT Is this correct? (y/N)
y, and then:
You need a user ID to identify your key; the software constructs the user ID from the Real Name, Comment and Email Address in this form: "Heinrich Heine (Der Dichter) <email@example.com>" Real name:
It will ask for your name (you know that one, right?), and your email (again, not something I can help you with), and a "comment." I always leave the comment blank as I don't find it useful and it makes the key ID very long. If you'd like, you can use this field to differentiate different keys - i.e. your work key and your personal key. Anyway, when you've filled in that info, you'll see:
You selected this USER-ID: "Foo Bar <firstname.lastname@example.org>" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?
If you made a mistake you can choose one of the options to fix it, otherwise choose
Okay, and it will ask you to generate some randomness by typing random keys and moving the mouse around. You should do this. It may seem silly, but cryptography requires good entropy (a.k.a. randomness).
When generating a key it's prudent to also create a revocation certificate which you store in a safe place. The revocation certificate will allow you to revoke a key that you lose (thus the certificate should be stored separately from the key), gets compromised, or you forget the passphrase to. To do this:
$ gpg --output revcert.asc --gen-revoke email@example.com sec 4096R/BEEFF00D 2013-09-05 Foo Bar <firstname.lastname@example.org> Create a revocation certificate for this key? (y/N)
y and you will be asked to provide a reason.
Please select the reason for the revocation: 0 = No reason specified 1 = Key has been compromised 2 = Key is superseded 3 = Key is no longer used Q = Cancel (Probably you want to select 1 here) Your decision?
Since this is a pre-generated revocation certificate, you probably want to select
0 for "No reason specified" and it will let you provide extra information. Should you have access to the key and want to revoke this key later, you can always generate another revocation certificate. Enter in a description at the prompt, and end with an extra empty line:
Enter an optional description; end it with an empty line: >
You will be given one final chance to bail out:
Reason for revocation: No reason specified test Is this okay? (y/N)
GnuPG will then ask for your passphrase:
You need a passphrase to unlock the secret key for user: "Foo Bar <email@example.com>" 4096-bit RSA key, ID BEEFF00D, created 2013-09-05 Enter passphrase:
And some final information about your revocation certificate will be printed.
ASCII armored output forced. Revocation certificate created. Please move it to a medium which you can hide away; if Mallory gets access to this certificate he can use it to make your key unusable. It is smart to print this certificate and store it away, just in case your media become unreadable. But have some caution: The print system of your machine might store the data and make it available to others!
Your revocation certificate is now in
revcert.asc, put it some place safe!
In your GnuPG configuration file (
~/.gnupg/gpg.conf in unix-like OS's, or in
%home%\Application Data\GnuPG\gpg.conf for Windows, I think), look for the
keyserver line, comment out (put a pound sign in front of it), the one there and add
keyserver x-hkp://pgp.mit.edu. Currently GnuPG only supports one at a time, and pgp.mit.edu is what most people I know have standardized on.
Go into the interactive
edit-key menu for your key:
$ gpg --edit-key firstname.lastname@example.org gpg (GnuPG) 1.4.1; Copyright (C) 2005 Free Software Foundation, Inc. This program comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. See the file COPYING for details. Secret key is available. pub 4096R/BEEFF00D created: 2013-09-05 expires: 2014-09-05 usage: CS trust: unknown validity: unknown sub 4096R/DEADBEEF created: 2013-09-05 expires: 2014-09-05 usage: E [ unknown] (1). Foo Bar <email@example.com> Command>
Type in the command
trust and it will prompt you:
Please decide how far you trust this user to correctly verify other users' keys (by looking at passports, checking fingerprints from different sources, etc.) 1 = I don't know or won't say 2 = I do NOT trust 3 = I trust marginally 4 = I trust fully 5 = I trust ultimately m = back to the main menu
Because this is your key (and you should verify that it is your key by ensuring it's your name and email above), you should choose
ultimate. You shouldn't trust anyone else's key ultimately. In fact, setting explicit trust like this is rarely done for keys other than your own. See the page on PGP trust for more info.
Anyway, after you type
5 and answer
y to confirm, you'll be back at the
command> prompt and you can type
quit to exit.
$ gpg --send-key KEYID
Replacing KEYID with your keyid. You can find your keyid with
gpg --fingerprint firstname.lastname@example.org and taking the number after 4096R/. You now have a key - people can send you encrypted email and verify your signed email among many other benefits!