So, do you think GPG is usefull ? Did you install the needed softwares ?

Let's go ! You're going to do your first real action to use GPG : generate your first key.
Or more exactly, your first key pair. Remind that every GPG key has actually two sides : a public and a private side.

If you need to read again or feel confused, return to the article you need:

This article might look long, but it's an important one. Creating keys takes a few minutes and you have almost nothing to do. So please, take your time.


NB : for those who are affraid, or concerned about privacy, that I gather a lot of mail addresses, it's no big deal to me that you use a fake address for your mail and keys.

After all, it's what I do with the tutorial's address. At the end of the tutorial, you can create a new key on your real address, follow again all the various steps.

But you won't send it to me: instead, you will use it for real ! And I am happy of that !

Let's generate the key.

Open your keys manager : Kgpg, Kleopatra or Enigmail (or another one...) and look for the option to create new keys.

With Kleopatra - link to the documentation, it is Files > New certificate... > Create a personal OpenPGP key pair.

With Kgpg - link to the documentation, it is Keys > Generate key pair.

With Enigmail (inside Thunderbird itself), it is Enigmail > Key Management. Then select Generate > New Key Pair.

Which address to indicate

The software will ask you which address to use with your key.

You can actually set several addresses on a key, but now, better not to do complicated and set just one.

Key type

Perhaps you will be proposed several algorithmes : DSA & ElGamal, RSA or RSA and RSA.

Choose RSA and RSA. It is the strongest combinaison and allows to sign and encrypt. In Enigmail (tab advanced), you'll simply choose RSA.

Key size

It will ask for a size : 1024, 2048 or 4096 bits. Basically, the larger the key size, the stronger the key, the longer it is to create the key. The software will then request to your operating system's random generator some entropy of this size.

I must admit that I don't understand the whole thing there. As soon as I try to figure out this entropy, entropy size, I am out ! But I understood very well that, the more entropy you have, the stronger the key !

Today, 4096 bits is the recommanded value.

The key generation will take some time. You mustn't worry or stop the software.

You can reduce this time using your computer ! The more you use your computer (particularly hard drives access, called I/O access in geek jargon), the more you generate entropy for your key ! Isn't that fun ? The good is then to update/upgrade your Linux distribution (high use of the hard drive) and to look at the last kitten video on vimeo.

Time expiry

It's a good idea to set a time expiry.

If you loose access to your key, it will be marked invalid after the alloted time.

What I do is set a one year validity, and around one month before, push it away to one more year.


A passphrase is a really long password. For example fifteen or twenty characters.

There is several methods to create a strong password.

Bonus for foreigners :
Use a pretty complicated word of your own language to start your password. This way, surrounding humans may have problems finding it !

What I do is that I take a word in my immediate environnement or a concept that I think of, and then I replace characters in : A becomes @, l becomes 1 or !, I add numbers... One or two changes like this and the password is strong enought.

What for a passphrase ?

You can choose not to set a passhprase. I must admit I did not do it for long. Today I do and recommend it. It simply adds another security.

If you are not the only one to use your computer, or if you use GPG on your phone or your tablet (often unlocked on the table) then you ought to set a passhprase.

Revocation certificate

It is a really good idea to create a revocation certificate, and the key manager should ask for it.

In case you lose your key, corruption, or someone steal your private key, then you just publish it on the keys servers. With the updates of keys servers, the key is declared as invalid quite fast.

This is a safety in case you got some troubles with the private key.

If you just want to change your key in a proper manner, this is not at all the good way. I will tell you more in a future article.


I thought this tutorial pedagogic from the beginnig. So I am going to make some little exercises there and now. I created a mail address on my server for the various purpose of this tutorial, and some keys to play with.

These keys will never used for anything else than this tutorial.

I will ask you to just send your public key to the mail address. This is what some people do to exchange keys. Yet there are other ways, but this topic is for a future article.

After I received your key in mail, I will answer you saying if your keys has the correct characteristics. I also need it for the next article.

To export your key

To send me your key, you have to export it.

In order to do so, you have to ask your keys manager.

You have to be carefull, as your keys manager can export the whole pair, public and private.

I ask here for your public key !

As said before, and as its name state it, the public key is available to anyone. The keys manager will propose you to export your key as a gpg or asc file.

This file is actually a raw text file, containing the key itself, which is a long string of characters. You can edit it with a text editor, like Notepad or another.

And no, Word and OpenOffice are not text editors!

Carefull: if you open the file, don't modify it!

Then send it to me as attached file in mail to Tuto-gpg @

NB: Kmail (mail client in KDE) propose also in its menu Attach… to send your own public key. So simple.

Here you are ! You have done your exercise ! Come to read the next one.

Other links

You will find good advices there too:

Security in a Box