B.3. Generating a
To begin using GnuPG, you must first generate a new keypair: a
public key and a private key.
To generate a keypair, at a shell prompt, type the following
Since you work with your user account most frequently, you
should perform this action while logged in to your user account
(not as root).
You see an introductory screen, with key options, including one
recommended option (the default), similar to the following:
gpg (GnuPG) 1.2.6; Copyright (C) 2004 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
gpg: keyring '/home/user/.gnupg/secring.gpg' created
Please select what kind of key you want:
(1) DSA and ElGamal (default)
(2) DSA (sign only)
(5) RSA (sign only)
Most of the screens which require you to choose an option lists
the default option, within parentheses. You can accept the default
options by pressing [Enter] .
In the first screen, you should accept the default option:
(1) DSA and ElGamal. This option
allows you to create a digital signature and encrypt (and decrypt)
with two types of technologies. Type 1 and then press [Enter] .
Next, choose the key size, or how long the key should be.
Generally, the longer the key, the more resistant against attacks
your messages are. The default size, 1024 bits, should be
sufficiently strong for most users, so press [Enter] .
The next option asks you to specify how long you want your key
to be valid. Usually, the default (0 =
key does not expire) is fine. If you do choose an expiration
date, remember that anyone with whom you exchanged your public key
also have to be informed of its expiration and supplied with a new
public key. If you do not choose an expiration date, then you are
asked to confirm your decision. Press [y] and [Enter] to
confirm your decision.
Your next task is to provide a user ID that consists of your
name, your email address, and an optional comment. When you are
finished, you are presented with a summary of the information you
The next option is to make any changes to the information you
just entered. If you are satisfied with your entries, press
Once you accept your choices, you must enter a passphrase.
Like your account passwords, a good passphrase is essential for
optimal security in GnuPG. For example, mix your passphrase with
uppercase and lowercase letters, use numbers, or punctuation
Once you enter and verify your passphrase, your keys are
generated, and a message similar to the following is displayed:
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
When the activity on the screen ceases, your new keys are made
and placed in the directory .gnupg in
your home directory. To list your keys, use the command:
You will see something similar to the following:
pub 1024D/B7085C8A 2000-06-18 Your Name <[email protected]>
sub 1024g/E12AF9C4 2000-06-18
If you created a GnuPG key with version 1.0.6 or lower, exported
your private key, and imported it into a new one, you have to
explicitly trust your own key to sign items with version 1.0.7 or
higher. To trust your key, type the following command (replace
At the Command> prompt type
trust and select 5 = I trust ultimately to trust your own