GNU Privacy Guard Guide


Think of a good passphrase

Generating your key

	PS D:\> gpg --full-gen-key
	gpg (GnuPG) 2.1.11; Copyright (C) 2016 Free Software Foundation, Inc.
	This is free software: you are free to change and redistribute it.
	There is NO WARRANTY, to the extent permitted by law.

	Please select what kind of key you want:
	   (1) RSA and RSA (default)
	   (2) DSA and Elgamal
	   (3) DSA (sign only)
	   (4) RSA (sign only)
	Your selection? 1
	RSA keys may be between 1024 and 4096 bits long.
	What keysize do you want? (2048) 4096
	Requested keysize is 4096 bits
	Please specify how long the key should be valid.
	         0 = key does not expire
	      <n>  = key expires in n days
	      <n>w = key expires in n weeks
	      <n>m = key expires in n months
	      <n>y = key expires in n years
	Key is valid for? (0) 2y
	Key expires at 04/10/18 22:22:01 Pacific Daylight Time
	Is this correct? (y/N) y

	GnuPG needs to construct a user ID to identify your key.

	Real name: Eric Stewart
	Email address: enigelstewart@gmail.com
	Comment:
	You selected this USER-ID:
		"Eric Stewart <enigelstewart@gmail.com>"

	Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
	You need a Passphrase to protect your secret key

	<type your passphrase>

	gpg: key 0xADDE6EAA819563E9 marked as ultimately trusted
	gpg: revocation certificate stored as 'C:/Users/Eric/AppData/Roaming/gnupg/openpgp-revocs.d\2968D18E6F781B68FBBF0EC1ADDE6EAA819563E9.rev'
	public and secret key created and signed.

	gpg: checking the trustdb
	gpg: marginals needed: 3  completes needed: 1  trust model: PGP
	gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
	gpg: next trustdb check due at 2018-04-10
	pub   rsa4096/0xADDE6EAA819563E9 2016-04-11 [S] [expires: 2018-04-11]
		  Key fingerprint = 2968 D18E 6F78 1B68 FBBF  0EC1 ADDE 6EAA 8195 63E9
	uid                   [ultimate] Eric Stewart <enigelstewart@gmail.com>
	sub   rsa4096/0x2821B792843D7A59 2016-04-11 [E] [expires: 2018-04-11]

Adding a new signing subkey

Why do this? Subkeys can’t stop a thief who has your encryption subkey from decrypting messages that were encrypted to you. But they can limit the damage to your identity should a key be lost or stolen.

If you revoke a primary key, you'll lose all the signatures on it, and all of your signatures will look invalid. If you revoke a subkey, only the signatures made with that subkey are invalid.

See https://alexcabal.com/creating-the-perfect-gpg-keypair/ for more info.

	PS D:\> gpg --edit-key enigelstewart@gmail.com
	gpg (GnuPG) 2.1.11; Copyright (C) 2016 Free Software Foundation, Inc.
	This is free software: you are free to change and redistribute it.
	There is NO WARRANTY, to the extent permitted by law.

	Secret key is available.

	sec  rsa4096/0xADDE6EAA819563E9
		 created: 2016-04-11  expires: 2018-04-11  usage: SC
		 trust: ultimate      validity: ultimate
	ssb  rsa4096/0x2821B792843D7A59
		 created: 2016-04-11  expires: 2018-04-11  usage: E
	[ultimate] (1). Eric Stewart <enigelstewart@gmail.com>

	gpg> addkey
	Please select what kind of key you want:
	   (3) DSA (sign only)
	   (4) RSA (sign only)
	   (5) Elgamal (encrypt only)
	   (6) RSA (encrypt only)
	Your selection? 4
	RSA keys may be between 1024 and 4096 bits long.
	What keysize do you want? (2048) 4096
	Requested keysize is 4096 bits
	Please specify how long the key should be valid.
	         0 = key does not expire
	      <n>  = key expires in n days
	      <n>w = key expires in n weeks
	      <n>m = key expires in n months
	      <n>y = key expires in n years
	Key is valid for? (0) 2y
	Key expires at 04/10/18 22:27:12 Pacific Daylight Time
	Is this correct? (y/N) y
	Really create? (y/N) y

	sec  rsa4096/0xADDE6EAA819563E9
		 created: 2016-04-11  expires: 2018-04-11  usage: SC
		 trust: ultimate      validity: ultimate
	ssb  rsa4096/0x2821B792843D7A59
		 created: 2016-04-11  expires: 2018-04-11  usage: E
	ssb  rsa4096/0x695455DC87F1857F
		 created: 2016-04-11  expires: 2018-04-11  usage: S
	[ultimate] (1). Eric Stewart <enigelstewart@gmail.com>

	gpg> save

Creating a revocation certificate

Now we generate a revocation certificate file. If your master keypair gets lost or stolen, this certificate file is the only way you’ll be able to tell people to ignore the stolen key.

This is important, don’t skip this step!

	PS D:\> gpg --armor --output revocation_cert.asc --gen-revoke enigelstewart@gmail.com

	sec  rsa4096/0xADDE6EAA819563E9 2016-04-11 Eric Stewart <enigelstewart@gmail.com>

	Create a revocation certificate for this key? (y/N) y
	Please select the reason for the revocation:
	  0 = No reason specified
	  1 = Key has been compromised
	  2 = Key is superseded
	  3 = Key is no longer used
	  Q = Cancel
	(Probably you want to select 1 here)
	Your decision? 1
	Enter an optional description; end it with an empty line:
	>
	Reason for revocation: Key has been compromised
	(No description given)
	Is this okay? (y/N) y
	Revocation certificate created.

	Please move it to a medium which you can hide away; if Mallory gets
	access to this certificate he can use it to make your key unusable.
	It is smart to print this certificate and store it away, just in case
	your media become unreadable.  But have some caution:  The print system of
	your machine might store the data and make it available to others!

Store the revocation certificate file in a different place than your master keypair (which we’ll export in a later step). You’ll use it to revoke your master keypair should you lose access to it. If you only lose access to your laptop keypair, then you’ll revoke those subkeys using the master keypair, not this revocation certificate.
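The three interactive steps above (key generation, signing subkey, revocation certificate) as one unattended PowerShell script. This is an added example, not part of the original guide; it assumes GnuPG 2.1 or later on PATH, works in a throwaway GNUPGHOME under $env:TEMP so your real keyring is untouched, and the passphrase value is a placeholder.

```powershell
# Added example, not from the original guide: unattended version of the three interactive steps above.
# Assumes GnuPG 2.1+ on PATH. Everything happens in a throwaway GNUPGHOME so the real keyring is untouched.
$ErrorActionPreference = 'Stop'
$env:GNUPGHOME = Join-Path $env:TEMP 'gpg-guide-demo'          # constructed throwaway home directory
New-Item -ItemType Directory -Force -Path $env:GNUPGHOME | Out-Null
# Older 2.1 releases (such as the 2.1.11 in the guide) need this to accept a passphrase non-interactively.
Set-Content -Path (Join-Path $env:GNUPGHOME 'gpg-agent.conf') -Value 'allow-loopback-pinentry'

# Placeholder only; for a real key let pinentry prompt instead of passing the passphrase on the command line.
$pass = 'REPLACE-WITH-A-GOOD-PASSPHRASE'

# Step 1: RSA 4096 primary (sign+certify) plus an RSA 4096 encryption subkey, both expiring in 2 years,
# the same choices as "--full-gen-key" -> 1 -> 4096 -> 2y. Name and e-mail are the guide's.
$params = @"
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 4096
Subkey-Usage: encrypt
Name-Real: Eric Stewart
Name-Email: enigelstewart@gmail.com
Expire-Date: 2y
Passphrase: $pass
%commit
"@
$paramFile = Join-Path $env:GNUPGHOME 'keyparams.txt'
Set-Content -Path $paramFile -Value $params -Encoding ascii
gpg --batch --gen-key $paramFile
Remove-Item $paramFile                                          # it holds the passphrase in clear

# Primary-key fingerprint from machine-readable output: field 10 of the first "fpr" record.
$fpr = (gpg --batch --with-colons --list-keys enigelstewart@gmail.com |
        Where-Object { $_ -like 'fpr:*' } | Select-Object -First 1).Split(':')[9]

# Step 2: add the RSA 4096 sign-only subkey ("addkey" -> 4 -> 4096 -> 2y).
gpg --batch --pinentry-mode loopback --passphrase $pass --quick-add-key $fpr rsa4096 sign 2y

# Step 3: GnuPG 2.1 already wrote a revocation certificate to openpgp-revocs.d (see the --full-gen-key
# output in the guide). Copy it to a location kept apart from the keypair, then list the keys to confirm
# usage flags [SC] on the primary, [E] and [S] on the subkeys, and the expiry dates.
Copy-Item (Join-Path $env:GNUPGHOME "openpgp-revocs.d\${fpr}.rev") (Join-Path $env:TEMP 'revocation_cert.asc')
gpg --list-keys --fingerprint enigelstewart@gmail.com
```

The .rev file written by GnuPG is already ASCII-armored, so it can be used directly with `gpg --import` should the primary key ever need revoking.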