GPG Key Generation Guide
GNU Privacy Guard (GPG) is an open-source implementation of the OpenPGP standard, used to encrypt files and to create digital signatures over files. This guide shows how to generate GPG public/private key pairs and revocation certificates.
Installation
Install GPG using your package manager (on Arch Linux the package is named gnupg, which provides the gpg binary):
sudo pacman -S gnupg
Generating Keys
Check the version installed and note the supported algorithms:
gpg --version
Start the public/private key generation process using the expert mode to access additional algorithms:
gpg --expert --full-gen-key
Choose the "ECC (sign and encrypt)" option by pressing the relevant number (e.g. 9 at the time of writing) followed by Enter to create an Elliptic Curve Cryptography (ECC) public/private key-pair and an ECC signing key.
Choose the "Curve 25519" option by pressing 1 followed by Enter to create "ed25519" keys. NIST curves should be avoided, given the suspicion surrounding the unexplained seeds used to generate them. The Brainpool family of curves is slower than the NIST curves, which are in turn slower than "Curve 25519". Furthermore, the Brainpool family of curves has been reported as "not safe" by SafeCurves.
Choose how long the key should be valid. If one plans to use the key for the foreseeable future, choose "key does not expire" by pressing 0 followed by Enter. If an expiration date is set, one can always extend the time when it is about to expire.
If the expiration date is correct, confirm by pressing y followed by Enter.
Enter the "real name" and "email address" to be associated with the key. If one wants to keep their name and/or email private, it is recommended to use a pseudonym and/or an alternative email address that one does not mind being openly accessible. If one is setting up a GPG key-pair for a Git repository hosting provider like Codeberg, or an email service provider, ensure the email matches one associated with the account. For example, with Codeberg, one would use the <username>@noreply.codeberg.org email associated with their account to keep their Codeberg log-in email private.
Leave the comment field blank unless you absolutely need to add one.
Enter a strong pass-phrase that will be used to protect the private key. This pass-phrase will be required to decrypt the private key before it can be used. If this pass-phrase is lost, the private key will no longer be able to be used.
GPG will then generate the public/private key-pair and a revocation certificate.
Understanding the Generated Output
The Public Key
The raw public and private keys are those generated by the ECC algorithm (or whatever algorithm was selected earlier). The public key listed after the GPG key generation process has completed is this raw public key. Despite its name, this raw public key is not what one shares with the public. Instead, one has to export what is referred to as a key-block or certificate, which is generated in accordance with the OpenPGP standard. This key-block, more specifically the PGP public key-block, contains both the public key and various metadata (e.g. the user ID). This metadata can be used to identify the owner of the key. It can also be updated freely, as changing the metadata does not change the underlying public key that is used for cryptographic operations.
Export the PGP public key-block:
gpg --export --armor <user-id>
Where <user-id> is the email address associated with the public key. By default, GPG exports the PGP public key-block in binary form; however, this form is usually inconvenient to share via email or publish on a web-page, so the --armor option is set to produce the output in ASCII form via the ASCII armor binary-to-text encoding.
To easily share the PGP public key-block as a file with people who want to send encrypted files to you, run the export command and redirect the output to a .asc file:
gpg --export --armor <user-id> > <filename>.asc
The Private Key
The private key is used to decrypt files encrypted with the public key. Keep the private key safe by storing it on encrypted media, never sharing it, and keeping its associated pass-phrase secure.
To export the private key:
gpg --export-secret-keys --armor <user-id>
To export the private key to a .asc file:
gpg --export-secret-keys --armor <user-id> > <filename>.asc
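Before a .asc file is published or attached to an email, it is worth checking that it really is an intact PGP PUBLIC KEY BLOCK and not the private key-block exported by mistake. The following Python check is an added example, not part of this guide or of GnuPG: it parses the ASCII armor described above (header line, optional "Key: value" headers, base64 body, "=" CRC-24 line, tail line) and verifies the checksum. The sample block it inspects is constructed in the script from arbitrary bytes and is not a real key.

```python
import base64
import re
CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB  # RFC 4880, section 6.1

def crc24(data: bytes) -> int:
    """OpenPGP CRC-24 over the decoded armor payload."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def parse_armor(text: str) -> dict:
    """Return type, headers and payload; ValueError if malformed or the CRC fails."""
    lines = text.strip().splitlines()
    head = re.fullmatch(r"-----BEGIN PGP ([A-Z ]+)-----", lines[0].strip())
    if not head or lines[-1].strip() != f"-----END PGP {head.group(1)}-----":
        raise ValueError("armor header/tail lines missing or mismatched")
    body = lines[1:-1]
    # Armor headers ("Key: value") end at the first blank line, if there is one.
    split = next((i for i, l in enumerate(body) if not l.strip()), -1)
    headers = dict(l.split(": ", 1) for l in body[:split]) if split >= 0 else {}
    data = body[split + 1:]
    crc_line = data.pop() if data and data[-1].startswith("=") else None
    payload = base64.b64decode("".join(l.strip() for l in data), validate=True)
    if crc_line and int.from_bytes(base64.b64decode(crc_line[1:]), "big") != crc24(payload):
        raise ValueError("CRC-24 mismatch: armored text altered or truncated")
    return {"type": head.group(1), "headers": headers, "payload": payload}

def safe_to_publish(text: str) -> bool:
    """True only for an intact PUBLIC KEY BLOCK; a private block or damaged armor fails."""
    try:
        return parse_armor(text)["type"] == "PUBLIC KEY BLOCK"
    except (ValueError, IndexError):
        return False

def make_armor(kind: str, payload: bytes) -> str:
    """Build an armored block; used here only to construct the samples below."""
    b64 = base64.b64encode(payload).decode()
    crc = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN PGP {kind}-----", "Comment: constructed sample", ""]
                     + [b64[i:i + 64] for i in range(0, len(b64), 64)]
                     + [f"={crc}", f"-----END PGP {kind}-----"])
# Constructed sample payload: arbitrary bytes, not a real OpenPGP key packet.
SAMPLE_PAYLOAD = bytes(range(200))
SAMPLE_PUBLIC = make_armor("PUBLIC KEY BLOCK", SAMPLE_PAYLOAD)
SAMPLE_PRIVATE = make_armor("PRIVATE KEY BLOCK", SAMPLE_PAYLOAD)
```

To check a real export, read the .asc file into a string and pass it to safe_to_publish; newer GnuPG versions may omit the CRC line, which the parser accepts.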
The Revocation Certificate
The revocation certificate is stored in the ~/.gnupg/openpgp-revocs.d directory as a .rev file, where the file-name is the raw public key. Always protect the revocation certificate. If the revocation certificate is compromised, those with access to the certificate can revoke the public/private key-pair and generate a fake one to be used in its place.