How to generate a GPG key

Kevin Rosenberg <kevin@rosenberg.net>
Last modified: Mon, 8 Sep 2003 12:10:40

This FAQ describes how to generate a GPG (GNU Privacy Guard) key. GPG keys are used to digitally sign and encrypt data files.

- Install GPG (GNU Privacy Guard) if it is not already installed

- For a Debian GNU/Linux system, at the shell prompt, enter the command apt-get install gnupg as the root user.

- On other operating systems, gpg may already be installed. If it is not installed, go to the GPG web site (http://www.gnupg.org) to download the source code. Then compile and install the program.

- Create your own key pair (a public and private key will be generated)

Enter the command: gpg --gen-key

If you haven't run gpg before, you'll get the message that gpg created a new directory in your home directory and that you have to start it again so it can read the new options file; simply enter the same command a second time (the log in Appendix A shows this).

A log of the generation of the NMLUG Keymaster key is in Appendix A. Generally the defaults are okay. In particular, choose 'DSA and ElGamal' as the type of keys you want to generate. Key sizes of 1024 or 2048 are fine for the 2003 tooling shown here; 1024-bit DSA is no longer considered adequate and later GnuPG releases default to larger keys, so take the larger choice wherever the program offers it. You will need to choose a passphrase to encrypt your private key. It's called a passphrase rather than a password because it should have multiple words with punctuation and/or numbers as well. It should be at least 10-12 characters in length. You also need to choose an expiration date. Unless you have a special need to have the key expire, you'll find it more convenient to choose no expiration. The trade-off is that a key without an expiration date stays valid indefinitely if you ever lose both the private key and the revocation certificate described below, so keep that certificate safe.

- Generate and print a copy of your public key ID and fingerprint

Enter the command: gpg --fingerprint

As an example of the fingerprint output, here is the output of the NMLUG Keymaster's fingerprint:

pub  1024D/14931423 2003-02-13 New Mexico Linux User Group Keymaster <keymaster@nmlug.org>
     Key fingerprint = 724D 2514 93EC 83D4 E5BC D534 C5BC C12C 1493 1423
sub  2048g/42685AC7 2003-02-13

This shows a 1024-bit DSA key (1024D) used for digital signing. It has a key ID of 14931423. This is a hexadecimal number, so it is often written as 0x14931423. The fingerprint for this key is the 20-byte (160-bit) sequence "724D 2514 93EC 83D4 E5BC D534 C5BC C12C 1493 1423". It is a SHA-1 hash of the public key, and the key ID is simply the last 32 bits of the fingerprint (its last eight hex digits, 1493 1423). Because a key ID is only 32 bits long, two different keys can share one; when you check a key you have received, compare the whole fingerprint and not just the key ID. The output also shows the secondary public key ID for the 2048-bit ElGamal (2048g) key used for encrypting. Its key ID is 0x42685AC7.

- Export a copy of your public key to a file

Enter the command: gpg --export --armor <your e-mail address> > key.gpg.asc

You can then e-mail this file to your contacts so that they can import your public key into their gpg keyrings. They will need this to verify any messages or files that you sign with GPG. Note that an e-mail address matches every key on your keyring whose user ID contains it; if you have more than one such key, give the key ID (for example 0x14931423) instead so that only the intended key is exported.

- Register your key at a public key server

Enter the command: gpg --keyserver www.us.pgp.net --send-keys <your e-mail address>

This will upload your key to a public key server so that other people can download your key. Be aware that once you upload your key to a public keyserver, there is no way for you to remove it. At most, you can send the keyserver a revocation certificate to state that you are no longer in control of this key. So, don't upload a key to a keyserver until you are sure that you are completely satisfied with your new key.

- Generate and save a revocation certificate

Execute the commands:

gpg --gen-revoke <your e-mail address> > revoke.gpg.asc
chmod 400 revoke.gpg.asc   # Ensure no other user can read your revocation certificate

In the unfortunate event that you lose your private key, forget the passphrase that protects your private key, or find that someone else has gained access to your private key, you should have a revocation certificate. This certificate can be sent to the public key servers to inform other GPG users that you no longer trust your key. The best time to generate this certificate is before you need it, because generating it requires the private key and its passphrase. A common recommendation is to print this certificate, store that paper somewhere safe, and then delete the revocation file. If someone else gains access to your revocation certificate, they can use it to tell other GPG users that your public key is no longer valid. A log of the generation of the NMLUG Keymaster's revocation certificate is in Appendix B.

- Use your key

Now that your key has been generated, you can start using your key. This involves several different concepts: exchanging keys with other people, exchanging signatures on keys, and using your key to digitally sign and encrypt data. These are subjects of a future FAQ.
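The steps above, collected into one script as an added example; this is not part of the FAQ and not code from its author. The fingerprint helpers show the relation between the fingerprint and the key IDs discussed in the gpg --fingerprint step (they need no gpg at all), and generate_key_pair runs the remaining steps unattended. It assumes GnuPG 2.2 or later, which accepts a batch parameter file and writes a revocation certificate into openpgp-revocs.d when a key is created, plus a POSIX sh with awk, cut, sed and mktemp. The name, address, passphrase and directory names are placeholders constructed for the example. The keyserver upload is left out on purpose, because it cannot be undone.

```shell
#!/bin/sh
# Added example (not from the FAQ): the FAQ's steps as an unattended script for
# GnuPG 2.2 or later, plus helpers that relate a fingerprint to its key IDs.
# Name, address and passphrase are constructed placeholders; the key is created
# in a throwaway GNUPGHOME so the real keyring is never touched.

# --- Fingerprint helpers (pure shell, no gpg needed) -------------------------

# Print the fingerprint as 40 upper-case hex digits, or fail if it is not one.
normalize_fpr() {
    f=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    case "$f" in ''|*[!0-9A-F]*) return 1 ;; esac
    [ "${#f}" -eq 40 ] || return 1        # 20 bytes = 160-bit SHA-1 (OpenPGP v4)
    printf '%s\n' "$f"
}

# Long key ID = low 64 bits of the fingerprint (last 16 hex digits).
long_keyid()  { f=$(normalize_fpr "$1") || return 1; printf '%s\n' "$f" | cut -c25-40; }
# Short key ID = low 32 bits (last 8 hex digits): the "1024D/14931423" style ID.
short_keyid() { f=$(normalize_fpr "$1") || return 1; printf '%s\n' "$f" | cut -c33-40; }

# Succeed when a short ID as gpg prints it (with or without 0x) belongs to the fingerprint.
keyid_matches() {
    want=$(printf '%s' "$1" | sed 's/^0[xX]//' | tr 'a-f' 'A-F')
    have=$(short_keyid "$2") || return 1
    [ "$want" = "$have" ]
}

# Primary-key fingerprint from `gpg --with-colons` output read on stdin
# (the 10th field of the first fpr: record).
primary_fingerprint() { awk -F: '$1 == "fpr" { print $10; exit }'; }

# --- Key generation parameters -----------------------------------------------

# Batch parameter file for the FAQ's key type (DSA signing key, ElGamal
# encryption subkey). 2048 bits is used; 1024-bit DSA is no longer adequate.
gpg_batch_params() {
    cat <<EOF
Key-Type: DSA
Key-Length: 2048
Subkey-Type: ELG-E
Subkey-Length: 2048
Name-Real: $1
Name-Email: $2
Expire-Date: $3
Passphrase: $4
%commit
EOF
}

# --- The procedure -----------------------------------------------------------

# Generate the key pair, print the fingerprint, export the public key and keep
# a revocation certificate readable only by the owner. No keyserver upload.
generate_key_pair() {
    name=$1 email=$2 passphrase=$3 outdir=$4
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    gpg_batch_params "$name" "$email" 0 "$passphrase" > "$GNUPGHOME/params"
    gpg --batch --gen-key "$GNUPGHOME/params"
    rm -f "$GNUPGHOME/params"                   # it holds the passphrase in clear
    fpr=$(gpg --batch --with-colons --fingerprint "$email" | primary_fingerprint)
    gpg --fingerprint "$fpr"                    # human-readable form, as in the FAQ
    # Export by fingerprint, not by address: an address pattern would also
    # export any other key on the ring that carries the same user ID.
    gpg --batch --armor --export "$fpr" > "$outdir/key.gpg.asc"
    # GnuPG 2.1+ writes a revocation certificate when the key is created;
    # keep it with the FAQ's chmod 400 so no other user can read it.
    cp "$GNUPGHOME/openpgp-revocs.d/$fpr.rev" "$outdir/revoke.gpg.asc"
    chmod 400 "$outdir/revoke.gpg.asc"
    printf 'fingerprint %s  long id %s  short id %s\n' \
        "$fpr" "$(long_keyid "$fpr")" "$(short_keyid "$fpr")"
}

# Runs only when asked, so sourcing or testing this file does not invoke gpg.
if [ "${GPG_DEMO_RUN:-0}" = 1 ]; then
    out=$(mktemp -d)
    generate_key_pair "Example Keymaster" "keymaster@example.org" \
        "${GPG_DEMO_PASSPHRASE:-correct horse battery staple}" "$out"
    ls -l "$out"
fi
```

Run it as GPG_DEMO_RUN=1 sh gpgkey.sh to create a throwaway key; without that variable the file only defines the functions. The passphrase is taken from an environment variable because anything passed on a command line shows up in the process list. The .rev file that GnuPG 2.1+ writes has a colon in front of its BEGIN line precisely so it cannot be imported by accident; remove the colon only when you actually need to publish the revocation. On GnuPG 1.x, which has no openpgp-revocs.d, run gpg --gen-revoke interactively as in the step above and keep the output under chmod 400 in the same way.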
Appendices

A. Log of key generation for NMLUG Keymaster key

localhost:~> gpg --gen-key
gpg (GnuPG) 1.0.6; Copyright (C) 2001 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
gpg: /home/keymaster/.gnupg: directory created
gpg: /home/keymaster/.gnupg/options: new options file created
gpg: you have to start GnuPG again, so it can read the new options file
localhost:~> gpg --gen-key
gpg (GnuPG) 1.0.6; Copyright (C) 2001 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
gpg: /home/keymaster/.gnupg/secring.gpg: keyring created
gpg: /home/keymaster/.gnupg/pubring.gpg: keyring created
Please select what kind of key you want:
(1) DSA and ElGamal (default)
(2) DSA (sign only)
(4) ElGamal (sign and encrypt)
Your selection? 1
DSA keypair will have 1024 bits.
About to generate a new ELG-E keypair.
minimum keysize is 768 bits
default keysize is 1024 bits
highest suggested keysize is 2048 bits
What keysize do you want? (1024) 2048
Do you really need such a large keysize? y
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n>  = key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct (y/n)? y
You need a User-ID to identify your key; the software constructs the user id
from Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: New Mexico Linux User Group Keymaster
Email address: <keymaster@nmlug.org>
You selected this USER-ID:
"New Mexico Linux User Group Keymaster <keymaster@nmlug.org>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
Enter passphrase:
Repeat passphrase:
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++..+++++++
Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need 290 more bytes)
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++++++++++++.+++++++++++++++.+++++++++++++++++++++++++..++++++++++++++++++++.++++++++++
public and secret key created and signed.
B. Log of revocation certificate for NMLUG Keymaster key

localhost:~> gpg --gen-revoke > revoke.gpg.asc
sec 1024D/14931423 2003-02-13 New Mexico Linux User Group Keymaster
Create a revocation certificate for this key? y
Please select the reason for the revocation:
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
0 = Cancel
[Probably you want to select 1 here]
Your decision? 1
Enter an optional description; end it with an empty line:
>
Reason for revocation: Key has been compromised
[No description given]
Is this okay? y
You need a passphrase to unlock the secret key for
user: "New Mexico Linux User Group Keymaster <keymaster@nmlug.org>"
1024-bit DSA key, ID 14931423, created 2003-02-13
ASCII armored output forced.
Revocation certificate created.
Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable. But have some caution: The print system of
your machine might store the data and make it available to others!
localhost:~> chmod 400 revoke.gpg.asc