Pretty Good Privacy (PGP) is a data encryption and decryption computer program that provides cryptographic privacy and authentication for data communication. PGP is often used for signing, encrypting, and decrypting texts, emails, files, directories, and whole disk partitions to increase the security of email communications.
PGP keys come in pairs consisting of a public key and a private key. The public key is used to encrypt data that can only be decrypted with the private key. The private key is kept secret and is used to decrypt data that has been encrypted with the public key.
PGP keys can be created and managed using the PGP command line interface. This allows you to generate new key pairs, list existing keys, export keys, revoke keys and perform other key management tasks.
Here is a step-by-step guide on how to create and manage PGP keys using the PGP command line:
Prerequisites
Before you can start using PGP command line, you need to have the following:
- PGP command line tools installed on your computer. This includes the gpg command.
- Basic knowledge of using command line interfaces.
- (Optional) A text editor like Vim or Nano to create/edit text files.
Generate a New PGP Key Pair
To generate a new PGP public/private key pair, use the gpg --gen-key command:
gpg --gen-key
You will be prompted to select which kind of key you want to generate. For general use, choose the default RSA and RSA option by pressing Enter.
Next, specify the key size. The larger the key size, the more secure the key is. A 4096 bit key is commonly used for a good balance between security and performance.
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
You will then need to specify the expiry time for the key pair. Pressing Enter sets no expiry, but you can specify a number of days, weeks, months or years.
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Next, verify your selections and enter y to confirm:
Is this correct? (y/N) y
Now you need to provide your user ID information which will be associated with the key. It should contain your real name and email address:
Real name: John Doe
Email address: john.doe@email.com
Comment:
You selected this USER-ID:
"John Doe <john.doe@email.com>"
Finally, you need to provide a secure passphrase for protecting your private key. Make sure to choose a strong passphrase:
You need a Passphrase to protect your secret key.
Once you have entered and confirmed the passphrase, the key generation process will begin which can take a few minutes.
Once complete, you will see a confirmation like:
gpg: key 5FF3ABCD marked as ultimately trusted
gpg: directory '/home/username/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/username/.gnupg/openpgp-revocs.d/5FF3ABCD.rev'
public and secret key created and signed.
Your new PGP key pair is now ready to use! The public and private keys are stored in your ~/.gnupg directory.
How to List Existing PGP Keys
You can view existing keys in your keyring by using:
gpg --list-keys
This will display the public keys in your keyring along with details like the key ID, user IDs, creation date, expiry etc.
Public keys are marked with pub, while private keys are indicated by sec and are listed with gpg --list-secret-keys.
pub rsa4096 2023-01-01 [SC]
5FF3ABCD123456789
uid [ultimate] John Doe <john.doe@email.com>
sub rsa4096 2023-01-01 [E]
sec rsa4096 2023-01-01 [SC]
7AA1BCD23456789
uid [ultimate] Alice Smith <alice.smith@email.com>
You can also search for a specific key by passing a query:
gpg --list-keys "john doe"
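The listing above is meant for humans; gpg also has a machine-readable form, gpg --list-keys --with-colons, which scripts should parse instead. The following added example (not from the original article) audits such a listing for the states this guide discusses: revoked keys, expired or soon-expiring keys, keys with no expiry, and RSA keys shorter than 2048 bits. The sample records, key IDs and user IDs are constructed placeholders, and "now" is pinned so the result is reproducible.

```python
import subprocess

# A --with-colons "pub"/"sec" record: field 1 type, 2 validity (r revoked,
# e expired, u ultimate), 3 key length, 4 algorithm (1-3 = RSA variants),
# 5 key ID, 6 creation, 7 expiry as Unix seconds (empty = never expires).
RSA_ALGOS = {"1", "2", "3"}
MIN_RSA_BITS = 2048
NOW = 1717200000  # fixed "now" (2024-06-01 UTC) so the sample audit is reproducible

# Constructed sample listing (not real keys); uid/sub/fpr records are skipped.
SAMPLE = """\
pub:u:4096:1:5FF3ABCD12345678:1672531200:1830297600::u:::scESC::::::23::0:
uid:u::::1672531200::0000000000000000000000000000000000000000::John Doe <john.doe@email.com>::::::::::0:
pub:u:1024:1:7AA1BCD234567890:1672531200:::u:::scESC::::::23::0:
pub:r:4096:1:0123456789ABCDEF:1672531200:1735689600::-:::scESC::::::23::0:
pub:u:4096:1:FEDCBA9876543210:1672531200:1718064000::u:::scESC::::::23::0:
pub:e:4096:1:1122334455667788:1640995200:1704067200::-:::scESC::::::23::0:
"""

def audit(listing, now=NOW, warn_days=30):
    """Return (key_id, issue) pairs for every primary key that needs attention."""
    findings = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sec"):
            continue
        validity, bits, algo, key_id, expires = f[1], f[2], f[3], f[4], f[6]
        if validity == "r":
            findings.append((key_id, "revoked"))
        if algo in RSA_ALGOS and int(bits) < MIN_RSA_BITS:
            findings.append((key_id, f"weak rsa{bits} key"))
        if not expires:
            findings.append((key_id, "never expires"))
            continue
        days_left = (int(expires) - now) // 86400
        if validity == "e" or days_left < 0:
            findings.append((key_id, "expired"))
        elif days_left <= warn_days:
            findings.append((key_id, f"expires in {days_left} days"))
    return findings

def live_listing():
    """Machine-readable listing of the local keyring (requires gpg on PATH)."""
    return subprocess.run(["gpg", "--list-keys", "--with-colons"],
                          capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    for key_id, issue in audit(SAMPLE):
        print(f"{key_id}: {issue}")
```

Replace SAMPLE with live_listing() to run the same checks against your own keyring.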
How to Export Your Public PGP Key
To allow others to send you encrypted messages, you need to export and share your public key.
This can be done using:
gpg --armor --export john.doe@email.com
This will print your public key in ASCII-armored format, suitable for sharing via email, a pastebin, etc.
You can also export the public key to a file:
gpg --armor --export john.doe@email.com > mypubkey.asc
Some common ways to share your public PGP key are:
- Upload it to a public keyserver.
- Post it on your website or social media profile.
- Attach it when sending emails.
- Share it via a QR code.
How to Import Someone's Public PGP Key
To encrypt messages to someone, you need to import their public key into your keyring.
If you have received someone's public key in an ASCII-armored file, you can import it with:
gpg --import publickey.asc
Alternatively, you can download and import public keys from a keyserver:
gpg --keyserver pgp.mit.edu --search-keys alice@email.com
You can also import from a keybase account:
gpg --keyserver keybase.io --recv-keys alicesmith
Once a public key is imported, you can encrypt messages for that user ID which only they can decrypt with their private key.
How to Generate a Revocation Certificate
A revocation certificate is used to revoke your public key in case your private key is compromised or lost.
To generate a revocation certificate:
gpg --output revocation.asc --gen-revoke john.doe@email.com
This will create revocation.asc in the current directory. This file should be kept safe in case you ever need to revoke your public key.
The revocation certificate can be uploaded to keyservers which will mark the key as revoked.
How to Revoke a PGP Key
If your private key is compromised, you should revoke the associated public key to prevent its further use.
Import the revocation certificate generated earlier:
gpg --import revocation.asc
Importing the certificate is the revocation step: it marks the key as revoked in your keyring (gpg has no separate revoke command).
You should also publish the revoked key to the keyservers you used (gpg --send-keys KEYID) and notify anyone who has your public key.
How to Change PGP Key Passphrase
If you want to change the passphrase for a private key, use:
gpg --edit-key john.doe@email.com
This will open an interactive menu for the key. Type passwd and enter a new passphrase when prompted.
gpg> passwd
Save the changes, which also leaves the editor:
gpg> save
The passphrase for the private key is now changed.
How to Delete a PGP Key
To permanently delete a key pair from your keyring:
gpg --delete-secret-keys john.doe@email.com
gpg --delete-keys john.doe@email.com
The first command deletes the private key and the second deletes the public key.
How to Backup and Restore PGP Keys
It is important to keep backups of your keys in case of data loss.
The entire ~/.gnupg directory contains all of your keys, certificates, trustdb etc. You can zip and copy this folder to back up all keys.
To restore from a backup, stop any GPG agent processes and overwrite the existing ~/.gnupg folder with your backup copy.
Advanced PGP Key Management
Here are some advanced PGP key management tasks:
Generate Keys Without Passphrases
While not recommended, you can generate keys without passphrases for automated scripts:
gpg --batch --passphrase '' --quick-generate-key john.doe@email.com
Generate Multiple Keys
Separate key pairs can be generated for different purposes. Run gpg --gen-key once per key and give each a distinct user ID (for example via the Comment field) so they can be told apart; --cert-policy-url sets a policy URL on certifications and does not label a key:
gpg --gen-key # main key
gpg --gen-key # work key: enter "work" in the Comment field
gpg --gen-key # personal key: enter "personal" in the Comment field
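For scripted setups, gpg reads an unattended generation parameter block from stdin under --batch, which covers both the passphrase-less key and the per-purpose keys above in one place. This is an added example, not the article's own; the purposes, names and addresses are constructed, and generate_key only runs if gpg is installed.

```python
import subprocess

# Keys this script manages, one per purpose; names and addresses are constructed.
PURPOSES = {
    "work": ("John Doe", "john@company.com"),
    "personal": ("John Doe", "john.doe@email.com"),
}

def batch_params(name, email, comment="", bits=4096, expire="2y", no_passphrase=False):
    """Render the parameter block that `gpg --batch --generate-key` reads on stdin."""
    lines = [
        "Key-Type: RSA",
        f"Key-Length: {bits}",
        "Key-Usage: sign",            # cert is implied for the primary key
        "Subkey-Type: RSA",
        f"Subkey-Length: {bits}",
        "Subkey-Usage: encrypt",
        f"Name-Real: {name}",
        f"Name-Email: {email}",
        f"Expire-Date: {expire}",     # 0 = never; an expiry limits the damage from a lost key
    ]
    if comment:
        lines.append(f"Name-Comment: {comment}")
    if no_passphrase:
        # Unprotected key: only for automation accounts whose home directory is locked down.
        lines.append("%no-protection")
    lines.append("%commit")
    return "\n".join(lines) + "\n"

def generate_key(params):
    """Run gpg unattended; the parameter block goes in on stdin (requires gpg on PATH)."""
    subprocess.run(["gpg", "--batch", "--generate-key"], input=params, text=True, check=True)

def all_params(no_passphrase=False):
    """One parameter block per purpose, with the purpose recorded in the Comment field."""
    return {p: batch_params(n, e, comment=p, no_passphrase=no_passphrase)
            for p, (n, e) in PURPOSES.items()}

if __name__ == "__main__":
    for purpose, params in all_params().items():
        print(f"# {purpose}\n{params}")
        # generate_key(params)  # uncomment to actually create the keys
```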
Edit User IDs
User IDs can be added, removed or changed from the interactive editor. adduid prompts for the new name, email and comment; select a user ID with uid N, then use primary to make it the primary ID or deluid to remove it:
gpg --edit-key john.doe@email.com
gpg> adduid
gpg> uid 2
gpg> primary
gpg> uid 1
gpg> deluid
gpg> save
Create Subkeys
Subkeys can be generated for separate signing, encryption or authentication. In the interactive editor, addkey prompts for the key type, size and expiry:
gpg --edit-key john.doe@email.com
gpg> addkey
gpg> save
The same can be done non-interactively by giving the key's fingerprint, algorithm, usage and expiry, for example an encryption subkey valid for one year:
gpg --quick-add-key FINGERPRINT rsa4096 encr 1y
Export Secret Keys
Private keys can be exported but require very careful handling:
gpg -a --export-secret-keys john.doe@email.com > privkey.asc
Sign Other Keys
Your key can sign another key to validate or certify it:
gpg --sign-key otheruser@email.com
These certifications are what builds the web of trust.
Configure Trust Levels
Keys can be explicitly trusted or distrusted:
gpg --edit-key john.doe@email.com
gpg> trust
gpg> 5 # I trust ultimately
gpg> quit
gpg --edit-key baduser@email.com
gpg> trust
gpg> 2 # I do NOT trust
gpg> save
PGP command line tools provide powerful management of PGP keys for individuals through to large organizations. Proper PGP key handling practices ensure secure encrypted communications.
Frequently Asked Questions
How do I generate a PGP key pair?
Use the gpg --gen-key command and follow the prompts to generate a new public and private PGP key pair. Select key type, size and expiry and enter your user ID details.
How do I export my public PGP key?
Use gpg --armor --export myemail[at]address.com to export your public key in ASCII format suitable for sharing. You can also redirect to a file.
What is the best way to share my public PGP key?
Upload it to public keyservers, share on social media, attach to emails, publish on your website, or use a QR code. Share widely so people can encrypt messages to you.
How can I revoke my PGP key?
First generate a revocation certificate with gpg --gen-revoke. Import this certificate with gpg --import, which marks the key as revoked, then publish the revoked key to keyservers so others see the revocation.
How to Generate PGP Key Pair in Windows, Mac OS, Linux
The best way to generate a PGP key pair on any operating system is the gpg --gen-key command. However, you first need to install the GPG tools on your OS:
On Windows:
- Download and install Gpg4win which includes Kleopatra for managing keys.
- Launch the Kleopatra GUI and use the wizard to generate your keys.
On Mac OS:
- Install GPGTools which provides a GUI and command line tools.
- Use the GPGTools GUI or gpg --gen-key on terminal.
On Linux:
- Install gnupg package through your distro's package manager.
- Use the gpg --gen-key command on the terminal to generate keys.
How do I change the passphrase for my PGP private key?
Use gpg --edit-key myemail[at]address.com, go into the interactive menu, type passwd and enter a new passphrase when prompted. Save and exit.
How should I back up my PGP keys?
Make encrypted backups of your entire ~/.gnupg directory. This contains your keyring, certificates and trust db. Restore this folder to recover your keys. Use robust backup software.