GPG encryption key creation

This HOWTO has been developed in response to a growing number of questions hitting my inbox, regarding problems creating encryption keys with GNU Privacy Guard. Now for the warning: everything here is done from the command line, yes that's right, not a single GUI anywhere to be seen. So if you are not happy working outside the GUI world, then this HOWTO is not for you.

Before starting, please understand that this is not a cryptography tutorial, so do not expect detailed discussions on the inner workings of GPG/PGP or anything related to them. I have intentionally avoided going into this stuff as in general it's not needed to help generate your keys. In place of this, everything is kept as simple as possible, so as to hopefully avoid confusion.

Compatibility

All the development of this HOWTO has been done on a Mac under OSX 10.3 (Panther), which means it's not for everyone. So far it's been tested under OSX 10.2 or later, plus Slackware and Redhat Linux only. That said, it's very possible that everything here is still valid for other UNIX flavors and maybe even that Windoze thing, it's just not been tested. So if you are running something else and have success, please let me know so I can update the list, crediting you.

Requirements

Not much actually; to be exact, all you need is a working installation of GPG, version 1.2.3 or later, running under some flavor of UNIX/Linux. And yes, for a change I do not expect you to have built from source, and I actually used a binary package myself for the Mac, which is a first for me. Anyway, here are the links to where you can download all you need.

Mirror list for official GPG distribution [gnupg.org]
Mac GNU Privacy Guard [sourceforge.net]

Once you have downloaded all you need, you are strongly recommended to verify your downloads against the signature files. Now this may sound overly paranoid, but in the past source and binary distributions of some apps have been tampered with.

One recent example which serves to illustrate my paranoia on this one is the discovery of an attempt to insert a backdoor into the source for the upcoming 2.6 Linux Kernel. So be safe, be sure: only download from an official mirror, and always verify the signatures.
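As an added example (not part of the original HOWTO), here is a small POSIX shell wrapper around the verification step. It checks a detached signature file against the download, and, rather than accepting a good signature from any key that happens to be in your keyring, it also compares the signing key's fingerprint against one you confirmed out of band. It assumes the distributor's public key has already been imported with gpg --import; EXPECTED_FPR is a placeholder you must replace with the real fingerprint.

```shell
#!/bin/sh
# Added example, not the HOWTO's own code: verify a downloaded archive
# against its detached .sig file and insist the signature comes from the
# expected key, not merely from any key in the keyring.
# Assumes the signer's public key is already imported. EXPECTED_FPR is a
# placeholder; replace it with the 40-hex-digit fingerprint you checked
# out of band (e.g. from a printed source or a trusted contact).

EXPECTED_FPR="${EXPECTED_FPR:-0000000000000000000000000000000000000000}"  # placeholder

# verify_download SIGFILE FILE
# Return codes: 0 = good signature from the expected key
#               1 = bad/missing signature, or a good one from another key
#               2 = input file(s) missing
#               3 = gpg not available
verify_download() {
    sig="$1"; file="$2"
    [ -f "$sig" ] && [ -f "$file" ] || { echo "missing $sig or $file" >&2; return 2; }
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 3; }

    # --status-fd 1 makes gpg emit machine-readable lines on stdout, e.g.
    #   [GNUPG:] GOODSIG <keyid> <user id>
    #   [GNUPG:] VALIDSIG <fingerprint> ...
    # which is far safer to parse than the human-readable text.
    # Note the argument order: the signature file comes first, then the data.
    status=$(gpg --status-fd 1 --verify "$sig" "$file" 2>/dev/null || true)

    echo "$status" | grep -q '^\[GNUPG:\] GOODSIG ' \
        || { echo "BAD or missing signature on $file" >&2; return 1; }

    fpr=$(echo "$status" | awk '/^\[GNUPG:\] VALIDSIG /{print $3; exit}')
    [ "$fpr" = "$EXPECTED_FPR" ] \
        || { echo "signature is valid but from unexpected key $fpr" >&2; return 1; }

    echo "OK: $file signed by $fpr"
    return 0
}

# Stand-alone usage: sh verify.sh gnupg-1.2.3.tar.gz.sig gnupg-1.2.3.tar.gz
if [ $# -eq 2 ]; then
    verify_download "$1" "$2"
fi
```

The fingerprint comparison is the part people usually skip: gpg --verify alone reports "Good signature" for any key in your keyring, including a key an attacker could have published under the project's name, so the check is only as strong as your confidence in where that fingerprint came from.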

Starting

The rest of this page is broken down into steps, each of which has been carefully designed to be of use to even those with minimal experience. It's also critical that you work through each in order, or nothing's going to work. So open a terminal/shell/command line, and run gpg like this.

gpg --gen-key

The function of the --gen-key switch needs no further discussion right???

Step 1. Selecting your key type
After starting gpg as above, the first prompt asks which of the three kinds of keys you want to create.


gpg (GnuPG) 1.2.3; Copyright (C) 2003 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: keyring `/Users/watsondk/.gnupg/secring.gpg' created
Please select what kind of key you want:
   (1) DSA and ElGamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection?

If you look at the screen, you will see it makes reference to having created a file called 'secring.gpg' in a directory called .gnupg which is created off your home directory. This file is your secret keyring file, and the directory is the default location for all your GPG configuration files.

Of the three types of key available, you want to use the first one, DSA and ElGamal, as the other two are for signing only, not the full functionality you want. Anyway it's the default selection, so select '1' and press enter to move onto the next step.

Step 2. Setting your keysize
This one is really up to you, although I would not go for anything smaller than the default of 1024, as that's currently thought to be out of reach of attackers, whereas the 384 and 512 bit keys are known to be within reach and even the status of 768 is not certain. For more on this one check out the comp.security.pgp FAQ or, for a more detailed discussion, the RSA Labs FAQ. As for me, being totally paranoid I usually use 2048.

DSA keypair will have 1024 bits.
About to generate a new ELG-E keypair.
              minimum keysize is  768 bits
              default keysize is 1024 bits
    highest suggested keysize is 2048 bits
What keysize do you want? (1024)

Enter your chosen keysize, then press enter to move onto the next step.

TIP: Do not use anything larger than 2048, as this may cause compatibility problems with other crypto apps.

Step 3. Setting Key Life
Another one that's up to you is the life span of the new key. For example, if you are creating a key to sign a newsletter, then you may want to expire keys quarterly/yearly etc., whereas if you are a home/SOHO user, then you may want to keep the same key forever.

Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)

In this case, I am going to accept the default, which is for the key to never expire. You may want something else, so enter your choice, then press enter to continue on to confirm your selection.

Step 4. Setting userID for the key
You need to associate the new key with a specific userID; for this you enter a real name, an email address, and a comment.

You need a User-ID to identify your key; the software constructs the user id
from Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name:

Enter your real name, press enter, enter your email address, press enter, and finally enter your comment. For example, I entered:


David Watson
watsondk@foobar.com
test data

Before moving onto the next step, you are prompted for confirmation that what you entered is correct, and given a final option to make changes.

You selected this USER-ID:
    "David Watson (test data) <watsondk@foobar.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?

If all is good, select 'o' to continue onto the next step.

Step 5. Setting your Passphrase
Think of the passphrase just like a password that needs to be entered before access to your secret key is allowed. As such, just like all other passwords, it should not be so simple as to be easily guessed, but also not so complex that you forget it.

TIP: It cannot be blank, and things like names, birthdays, phone numbers, car license plates, simple words, 123456, qwerty, password etc. are all bad. For example, mine is 15+ characters, alphanumeric, containing no dictionary words or anything else that can be linked to me. It does however mean something to me, so it is easy to remember.


You need a Passphrase to protect your secret key.

Enter passphrase:

Enter your chosen passphrase, then press enter to confirm it, and move onto actually creating the keys.

Step 6. Key generation
Nothing much for you to do, as the generation starts automatically after you confirm your passphrase. However it's not a good time for a coffee, as you really need to read the on-screen instructions, and it's a good idea to do other things while the keys are being generated. In my case I was encoding video in the background, which really hammered the disks, and also randomly moved the mouse while the generation was running.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
++++++++++.++++++++++++++++++++++++++++++.+++++++++++++++.++++++++++.+++++..
+++++++++++++++..+++++.+++++++++++++++++++++++++++++++++++.++++++++++.......
..>+++++......................+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
..++++++++++.++++++++++.+++++++++++++++.+++++.+++++...+++++++++++++++++++++++
++..++++++++++..++++++++++++++++++++++++++++++.++++++++++.+++++.+++++.+++++++
++++++++>.++++++++++...>+++++................................................
...............................+++++^^^^^
public and secret key created and signed.
key marked as ultimately trusted.

pub  1024D/272B1141 2003-11-08 David Watson <watsondk@foobar.com>

     Key fingerprint = 90E1 BC6E 3A55 39C4 9D49  0A77 D18F 84DE 272B 1141
sub  2048g/5CC4C768 2003-11-08
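The six steps above answered non-interactively, as an added example that is not part of the original HOWTO: GnuPG's unattended mode (gpg --batch --gen-key reading a parameter file) lets you script the same choices, a DSA primary key with a 2048-bit ElGamal encryption subkey, no expiry, the user ID parts and the passphrase. The script uses a scratch GNUPGHOME so it never touches your real ~/.gnupg; the name, email, comment and passphrase are constructed sample values, and the passphrase line in the parameter file is a real caveat of this mode, so the file is created mode 600 and deleted straight after.

```shell
#!/bin/sh
# Added example, not the HOWTO's own code: the interactive key-generation
# steps driven through GnuPG's batch parameter file instead.
# Sample identity and passphrase below are constructed values.

# Print a parameter file mirroring the HOWTO's choices:
# DSA primary (step 1), ElGamal encryption subkey of the requested size
# (step 2), never expires (step 3), user ID parts (step 4), passphrase (step 5).
gen_params() {
    name="$1"; email="$2"; comment="$3"; passphrase="$4"; subkey_bits="${5:-2048}"
    cat <<EOF
Key-Type: DSA
Key-Length: 1024
Subkey-Type: ELG-E
Subkey-Length: $subkey_bits
Name-Real: $name
Name-Comment: $comment
Name-Email: $email
Expire-Date: 0
Passphrase: $passphrase
%commit
EOF
}

# Generate the key pair inside a private GNUPGHOME (step 6), show the
# fingerprint, and export ONLY the public key in ASCII armor: that file
# is the one thing that may ever be sent to a keyserver.
generate_key_batch() {
    home="$1"; email="$2"; params="$3"
    mkdir -p "$home" && chmod 700 "$home"
    GNUPGHOME="$home" gpg --batch --gen-key "$params" || return 1
    GNUPGHOME="$home" gpg --fingerprint "$email"
    GNUPGHOME="$home" gpg --armor --export "$email" > "$home/public-key.asc"
    echo "public key written to $home/public-key.asc"
}

if command -v gpg >/dev/null 2>&1; then
    scratch=$(mktemp -d)
    params="$scratch/params"
    # The parameter file holds the passphrase in clear: restrict it, then remove it.
    umask 077
    gen_params "David Watson" "watsondk@foobar.com" "test data" \
               "sample-passphrase-change-me" 2048 > "$params"
    generate_key_batch "$scratch/gnupghome" "watsondk@foobar.com" "$params"
    rm -f "$params"
    echo "scratch keyring left in $scratch/gnupghome (delete when done)"
else
    echo "gpg not installed; skipping key generation" >&2
fi
```

Because the batch file takes the place of the entropy-gathering phase shown above, the generation still waits on the system's random number generator; on a quiet box the same advice applies (do something else while it runs). Point GNUPGHOME at your real ~/.gnupg only once you are happy with the result in the scratch directory.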

Closing Words

Having created a new key you are strongly recommended to make a backup, not only of your keys but also your general GPG configuration. In my case I backup the whole of the ~/.gnupg/ directory, plus make sure my public keys are uploaded to a key server. ONLY EVER UPLOAD YOUR PUBLIC KEY TO A KEYSERVER

Just a note to the spamming scumbags who regularly harvest from this site: the email address used in this HOWTO is NOT VALID, never was, never will be. And BTW, I use wpoison for site protection, so I hope you like your database being filled with crap.
