How to Generate Your Own GnuPG Key
GPG is software that is generally seen as difficult to use because it was used by typically tech-savvy people in the past. However, in recent years, especially when privacy concerns are on the rise, GPG has become an easy-to-use piece of software for computer users of all levels. It’s even easier now to create your own GPG key.
So what is a GPG key? How can you create one to encrypt your personal data?
What Is a GPG Key?
GPG is a free cryptographic tool. With GPG, you can perform operations such as encryption, signing, authentication, and creating a web of trust usingasymmetric and symmetrictools. Today, GPG is available in many different places, from securing GNU/Linux package distributions to email encryption.
A Brief History of GPG
GPG started its software life as Pretty Good Privacy (PGP), written by Phil Zimmermann. PGP probably has one of the most inspiring stories in free software and freedom of knowledge.
The first version of PGP entered the world in 1991 when it wasinstalled on Usenets, the widespread internet communication platform of the time. Various legal rules back then prohibited the import of software that worked with keys over 40 bits wide, so PGP was distributed by Zimmermann and some of his friends via payphones and acoustic replicators.
PGP was not free software, but Zimmerman didn’t charge fees for non-commercial use. He also distributed the source code of PGP with the software. This naturally caught the attention of the authorities, and Zimmermann was sued for violating military export law. The company that owns the license rights of the RSA algorithm used by PGP was also involved.
Zimmermann had an idea for the free use of PGP. Although the export of cryptographic tools was blocked by law, the freedom of opinion provision of the constitution protected the books published by individuals. In this context, Zimmermann has published the entire source code of PGP from the MIT publishing house, along with an OCR-compatible font. In this way, the book was distributed under constitutional protection and those who wished could scan the book and access the PGP.
Later, PGP was developed as free software under the leadership of the Free Software Foundation, under the name GnuPG, per the OpenPGP standard.
How to Generate GPG Keys
To use GPG, you must first have a GPG key and store it safely. GPG key generation varies depending on the hardware and operating system you are using. If your threat model is not especially high, and you just want to encrypt your basic correspondence for your own privacy, you can quickly and relatively securely generate GPG keys on all your devices using the methods below.
Generating a GPG Key With Kleopatra for Computers
For GNU/Linux distributions, there is a GnuPG client with a nice graphic interface. In this respect, Kleopatra, the key manager of the KDE desktop environment, is particularly useful as it is both cross-platform and offers the widest management options.
Depending on the operating system you are using, you can install Kleopatra using the following commands:
For Debian/Ubuntu (APT):
For Red Hat/Fedora (RPM):
You candownload the Gpg4winprogram for Microsoft Windows and install it on your system.
After the installation is complete, run Kleopatra as you wish.
Kleopatra has almost the same interface no matter which operating system you use. The screenshots below are from a Kleopatra installed on aDebian distribution; however, they should still be recognizable if you are using a different operating system.
When you open Kleopatra, you will see a screen like this:
To generate your first key, it’s possible to click on theFilemenu and use theNew key pairoption. ClickGenerate personal OpenPGP key pairfrom the drop-down menu and continue.
Kleopatra will ask you for your name and email address. You do not have to give accurate information here, but GnuPG establishes people’s identities. This key means that people who know you trust you, so you can prove that the transactions you make with this key belong to you. For this reason, you should use real information. In any case, there is nothing that prevents you from changing this information as you wish.
Click onAdvanced Settingsand you will see some technical data about your key. The “Key Material” section has the type and size of the key you will use. It is important for the future of your key that you increase the RSA key size to the maximum 4096 bits. Also, if you are going to use SSH with your key, it’s possible to continue by checking theAuthenticationbox. The validity period, on the other hand, ensures that your key becomes unusable after a certain date in case you lose it. When that date comes, you can renew your key again. It depends on your preference but two or three years is ideal.
ClickOKafter making the adjustments. When you return to the “Enter Details” page, click theNextbutton. When the “Review Parameters” page opens, click tCreate. Kleopatra will ask you for a password. This password is required to encrypt your key, and is responsible for the security of your entire key. That’s why you shoulduse a strong and unpredictable password.
After entering your password, the process may take a few minutes depending on the capacity of your device and the source of randomness.
If you see the above screen, it means you have created your key. At this stage, you can take a backup of your key.
If you want to use your key for email correspondence, you can send it to key servers by clickingUpload Public Key to Directory Service. That way, you can ensure that anyone can send you encrypted emails.
However, there is a very important detail that you shouldn’t forget. The keys you upload to the key server will stay on there forever. Do not send the key to the servers until you are sure that you will use your key or that you have what it takes to revoke it. If you do not have the secret key, password, or revocation certificate, the keys on the server remain valid until the expiration date.
How to Generate a GPG Key for Android Devices
It is much easier to use GnuPG on Android operating systems. You can use the free software OpenKeychain for this. With this application, you can easily perform GnuPG operations and provide key management.
First of all,download the OpenKeychainsoftware for the Android mobile operating system and install it on your phone. OpenKeychain will give you some options for key usage. From here, proceed by selecting theCreate My Keyoption.
OpenKeychain will ask you for your name or username. You don’t have to give your real name here. However, you may want to provide real information to prove that the transactions you will make with the key you create belong to you. Regardless, you could change this information later.
In the next step, OpenKeychain will ask you to enter your email address. You can add or remove new addresses later if needed.
Before generating your key, there is an option toPublish on keyserversat the stage where your name and email are displayed. If you are going to use your key for email correspondence, you can continue by ticking this option.
But remember, the keys you upload to the keyserver will stay on the servers forever. So unless you have the secret key, password, or a revocation certificate to use to revoke your key, the keys on the server will remain valid until the expiration date.
Now you could start creating your key by clicking theCreate Keybutton. After your device has done the necessary operations, you will see your key on the main page of OpenKeychain.
Why Should I Generate My Own GnuPG Key?
Your conversations about your job, emails with banks, money transfers, or the secret codes of the project you are working on are not safe. However, with methods such as GnuPG, it is possible to protect all these in the best way you could. You can encrypt as many files as you want with the GnuPG key you have created.
If you’ve any personal or sensitive files stored on your Linux machine, you should consider encrypting them with GnuPG for added security.
It’s not super flashy, but it can help to keep your computer up and running.
Your phone’s camera app doesn’t show this, so it’s easy to miss.
Who asked for these upgrades?
Anyone with more than a passing interest in motorsports must see these films.
Make sure you don’t miss these movies and shows before Netflix removes them.
