Creating GPG keys using the GNOME desktop
Install the Seahorse utility, which makes GPG key management easier.
Select Activities Software.
Click the Search button and enter the name 'Seahorse'.
Click the Seahorse package and click Install to add the software.You can also install Seahorse using the command line with the command
sudo dnf install seahorse
.
To create a key:
Select Activities Passwords and Encryption Keys, which starts the application Seahorse.
At the top left hand corner, click the Plus Button GPG Key.
Type your full name, email address, and an optional comment describing who you are (e.g.: John C. Smith, [email protected], The Man).
Click Create.
Choose a passphrase that is strong but also easy to remember in the dialog that is displayed.
Click OK and the key is created.
Creating GPG Keys Using the KDE Desktop
Start the KGpg program from the main menu by selecting Applications Utilities KGpg.If you have never used KGpg before, the program walks you through the process of creating your own GPG keypair.
Enter your name, email address, and an optional comment in the dialog box that appears prompting you to create a new key pair.You can also choose an expiration time for your key, as well as the key strength (number of bits) and algorithms.
Enter your passphrase in the next dialog box.At this point, your key appears in the main KGpg window.
To find your GPG key ID, look in the ID column next to the newly created key.In most cases, if you are asked for the key ID, you should prepend 0x
to the last 8 characters of the key ID, as in 0x6789ABCD
.
Now see Making a Key Backup Using the KDE Desktop.
Creating GPG Keys Using the Command Line
Use the following shell command:
gpg --full-generate-key
This command generates a key pair that consists of a public and a private key.Other people use your public key to authenticate and/or decrypt your communications.Distribute your public key as widely as possible, especially to people who you know will want to receive authentic communications from you, such as a mailing list.
Press the Enter key to assign a default value if desired.The first prompt asks you to select what kind of key you prefer:
Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) (14) Existing key from cardYour selection?
See AlsoGPG KeysIn almost all cases, the default is the correct choice.A RSA/RSA key allows you not only to sign communications, but also to encrypt files.
Choose the key size:
RSA keys may be between 1024 and 4096 bits long.What keysize do you want? (3072)
Again, the default is sufficient for almost all users, and represents an extremely strong level of security.
Choose when the key will expire.It is a good idea to choose an expiration date instead of using the default, which is none.If, for example, the email address on the key becomes invalid, an expiration date will remind others to stop using that public key.
Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n yearsKey is valid for? (0)
Entering a value of
1y
, for example, makes the key valid for one year.(You may change this expiration date after the key is generated, if you change your mind.)Before thegpg
program asks for signature information, the following prompt appears:Is this correct (y/N)?
Enter
y
to finish the process.Enter your name and email address.Remember this process is about authenticating you as a real individual.For this reason, include your real name.Do not use aliases or handles, since these disguise or obfuscate your identity.
Enter your real email address for your GPG key.If you choose a bogus email address, it will be more difficult for others to find your public key.This makes authenticating your communications difficult.If you are using this GPG key for self-introduction on a mailing list, for example, enter the email address you use on that list.
Use the comment field to include aliases or other information.(Some people use different keys for different purposes and identify each key with a comment, such as "Office" or "Open Source Projects.")
Enter the letter
O
at the confirmation prompt to continue if all entries are correct, or use the other options to fix any problems.Enter a passphrase for your secret key.The
gpg
program asks you to enter your passphrase twice to ensure you made no typing errors.
Finally, gpg
generates random data to make your key as unique as possible.Move your mouse, type random keys, or perform other tasks on the system during this step to speed up the process.Once this step is finished, your keys are complete and ready to use:
pub rsa3072 2021-02-09 [SC] [expires: 2022-02-09] 3782CBB60147010B330523DD26FBCC7836BF353Auid John Doe (Fedora Docs) <[email protected]>sub rsa3072 2021-02-09 [E] [expires: 2022-02-09]
The key fingerprint is a shorthand signature for your key.It allows you to confirm to others that they have received your actual public key without any tampering.You do not need to write this fingerprint down.To display the fingerprint at any time, use this command, substituting your email address:
gpg --fingerprint [email protected]
Your key fingerprint is actually a 160 bit SHA-1 hash of the key, represented as a 40 character string of hexadecimal digits.Though shorter than the public key itself, it’s still a bit unwieldy, so people tend to use a shorter GPG key ID to refer to a key when, for example, looking up a key in a keyserver.The GPG key ID is a small number of hex digits drawn from the characters representing the lower-order bits of the fingerprint.The "short" GPG key ID consists of the final 8 characters of the hexadecimal fingerprint, that is, the last 32 bits of the fingerprint.Short keys are unsafe and no longer recommended because it’s possible to create collisions so that an attacker’s forged key has the same short ID as your key.Thus if you give someone the short GPG key ID of your key, they may retrieve the attacker’s key from a keyserver instead.
For this reason, it’s preferred to use the "long" GPG key ID, which consists of the final 16 characters of your key’s hexadecimal fingerprint.This represents the 64 lower-order bits of your fingerprint, which is sufficient to be collision-resistant.The gpg
program makes it easy for you to find your key’s long GPG key ID:
gpg --list-keys --fingerprint --keyid-format 0xlong [email protected]
The 0xlong
format prepends "0x" to the key ID to make it clear that this is a series of hexadecimal digits; it is considered good practice to do this.The output from the above command looks like this:
pub rsa3072/0x26FBCC7836BF353A 2021-02-09 [SC] [expires: 2022-02-09] Key fingerprint = 3782 CBB6 0147 010B 3305 23DD 26FB CC78 36BF 353Auid John Doe (Fedora Docs) <[email protected]>sub rsa3072/0xF834D62672E88A6F 2021-02-09 [E] [expires: 2022-02-09]
The first line (beginning with "pub") tells you what kind the key is (that is, 3072 bit RSA) and what the long key ID is (that is, 0x26FBCC7836BF353A
).You can see that this corresponds to the last 16 characters of the Key fingerprint in the output.
Now see Making a Key Backup Using the Command Line.Make sure to back up your revocation keys for all active keys as this allows to revoke keys in the event of lost passphrase of key compromise.