One of the subjects I haven't yet talked about is the safety of your keys. Have a look :


One won't say it enough : a good passphrase is a basic safety. It is like a construction-site helmet: it doesn't protect that much in itself, but it would be criminal not to use it.

As I just saw it today, the passphrase choice is quite an important matter as you have to use one that is easy to remember.

The passphrase is just a long password. It can be a quote from a famous author, a series of words or a long word. You choose. You have to use it. It will prevent your son from sending mails with your signature, or some other stuff of the same.

You can modify your kay passphrase anytime you want with the «properties» dialog box in your keys manager.


In the keys list, right click on your key and select «change the passphrase».


  • Right click on your key
  • Select «key properties»
  • click on the button «change the passphrase» just above the «OK» button and below the picture.

Enigmail (Thunderbird)

In the general Thunderbird menu, go to Enigmail then to «key management».

In the keys list, right click on your key and select «change the passphrase».

You can also do that using the dialog box just as said above, by selecting the ad-hoc option in the pop-down menu on the right below.

A password, whatever it protects (personal computer, website, mail) is not a safety at all but just an element of it as a whole.


You have to make backups of all your private keys in a safe place. No, the gnupg directory is not safe enough. Most articles about this subject mention a bank safe. That's utterly absurd in my point of view.

Some documentations even tell not to keep your main private keys in that directory. These documentations actually reach a high level of paranoïa.

This tutorial being targeted at beginners, I think we should focus on easyness and making you used to the tool. But it's important you know about it. If you use gpg at high level after this tutorial, I would be very glad you mail me and tell my work allowed you to do it !

So the whole point is to keep your keys safe. There are other constraints: you should be able to access them easily, but not spontanly.

The explanation is that if your storage is a directory where you work often, you might erase it by accident.

I told you how to export your private keys in the last article.

I think a good solution is simply to keep them on yourself, in a USB key.

You may have another suggestion, like a personal server. You just have to be sure of it.

Revocation certificate

A revocation certificate is a sefl-signature which declares it unusable. Switch it off might be a good comparison. Once created, you can store it ad vitam æternam without problem.

It is very important that you always have a revocation certificate somewhere for all your private keys.

Caution: this action (using the revocation certificate by importing it) is done without password and is impossible to counteract !


As weird as it looks like, creating the certificate does not occurs through the dialog box «right click»…

Select your key, then click on keys > revoke a key.

The opening dialog box allows you to create the certificate. You can then save it on a file or import it directly in your keyring, which will invalidate your key, as explained above.


Kleopatra does not allow to revoke a key or create a revocation certificate. You should use the command line or another software.


Select the key in the list.

If you directly select «revoke the key», it will be indeed definitely revoked without further notice.

You have three ways to create a revocation certificate in Enigmail:

  • Use the key dialog box, with its folding menu at the below right.
  • Use Generate > Revocation certificate at the top of Enigmail window.
  • Right click on your key, then «create and save a revocation certificate»

My policy

What I do:

In my safe storage, I have a directory named gnupg. This file can be hidden, it's your choice, but if you use usb stick it's a bad idea, as their filesystem (fat32 for most of them) does not take it fine.

In this directory, I have one sub-directory per mail address, and in each sub-directory one more with the name as the long id of the key.

In order to make my life easier, I also mark the state of the key (default, current, revok…) on the directory name.



I know, it's long. But I am sure of what is in. The mail address allows you to go fast, and the long id and status makes it easy and sure to get the key you need. And of course, once done, you don't need to think about it twice. Done is done, and only once.

Once this infrastructure built, I export my private key and its revocation certificate inside this repository.

stephane@luciole://gnupg/$ ls -l
total 12
-rw-r--r-- 1 stephane stephane 6590 mai    2 11:10 tuto-gpg.asc
-rw-r--r-- 1 stephane stephane  867 mai    2 11:11 tuto-gpg.revoke

I make it clear that it is my policy. It can surely be improved. But it exists and it is coherent.

General summary

  • Set a good passphrase. And do not hesitate to change it once in a while.
  • Set a limited lifetime on all your keys, and set it back some time before expiry.
  • Generate a revocation certificate when you create your key - or later if you prefer.
  • Save the private key and the revocation certificate for each keypair on one or several safe and long-term deposits.

Other solutions

Some other persons have created sophisticated strategies to protect their keys.

These persons often use gpg as a part of their online identity. So they use heavy methods to ensure of the continuity of it.

One can for example mention this:

If you know other articles or online documents describing a key protection strategy, or any other related subject, please send me a mail. I will add the links here.