PGP Keypair Generation and Management Guide
This how-to explains how to generate a PGP keypair (public and private keys) using modern tools on macOS,
Linux, and Windows, export and share your public key safely, and verify the result.
Use these steps if you need a PGP public key for email encryption, code signing, or secure file exchange.
What you’ll create and prerequisites
- Outcome: A PGP keypair stored on your machine and an exported public key you can share.
- You’ll need: a terminal (macOS/Linux) or Gpg4win (Windows), your legal name (or handle), and an email address you control.
- Security: Choose a strong passphrase that you can remember. Do not reuse passwords.
Tooling options
Pick the tool that matches your OS:
- macOS/Linux: GnuPG (gpg) in Terminal.
- Windows: Gpg4win (Kleopatra GUI) or gpg in PowerShell.
If you’re in a corporate environment, check internal key policies (required key length, allowed algorithms, key expiration, user ID format).
If unsure, use Ed25519 for signing and Curve25519 for encryption with a 2-year expiration.
Step 1 — Install GnuPG
- macOS: Install via Homebrew:
brew install gnupg
Alternatively, install GPG Suite if you need Mail integration.
- Ubuntu/Debian:
sudo apt update && sudo apt install gnupg
- Fedora:
sudo dnf install gnupg2
- Windows: Install Gpg4win (includes Kleopatra). During setup, keep defaults.
Step 2 — Generate a new keypair
Option A: Terminal (macOS/Linux/Windows)
- Run the guided generator:
gpg --full-generate-key
- When prompted:
- Key type: choose “(9) ECC and ECC” (modern) or “(1) RSA and RSA” if ECC is disallowed.
- Curve (for ECC): select “Curve 25519 (modern).” For RSA, pick 3072 or 4096 bits.
- Expiration: set a reasonable expiry (e.g., 2y). You can extend or rotate later.
- Real name: your preferred display name.
- Email address: the email you’ll use with this key.
- Comment: optional (often left empty).
- Set a strong passphrase when asked. Use at least 5 random words or a generated passphrase.
- Verify creation:
gpg --list-secret-keys --keyid-format LONG
Option B: Kleopatra GUI (Windows/Gpg4win)
- Open Kleopatra → File → New Key Pair → Create a personal OpenPGP key pair.
- Enter name and email. Click Advanced Settings to choose algorithm: “Ed25519 (signing) + Curve25519 (encryption)” or RSA 3072/4096 if required. Set an expiration (e.g., 2 years).
- Create, then set a strong passphrase when prompted.
- Confirm key creation appears in the certificate list.
Step 3 — Export and share your public key
- Find your key ID and fingerprint:
gpg --list-keys --keyid-format LONG
- Export ASCII-armored public key to a file (replace KEYID with your long key ID or email):
gpg --armor --export KEYID > my-public-key.asc
- Share only the .asc content publicly (paste into your profile, send to partners, or upload where needed). Never share your private key.
Step 4 — (Optional) Publish to a keyserver or WKD
- Keyservers (public): allow others to discover your key by email. Example command:
gpg --keyserver keyserver.ubuntu.com --send-keys KEYID
- WKD (Web Key Directory): publishes your key on your own domain via .well-known/openpgpkey/ entries.
Step 5 — Verify your public key
- Print fingerprint (compare before trusting downloads from others):
gpg --fingerprint KEYID
- Test encryption to yourself:
echo "test" | gpg --encrypt --armor --recipient KEYID | gpg --decrypt
- Back up your private key and revocation certificate securely (offline/USB).
Best practices
- Prefer modern curves (Ed25519/Curve25519) or RSA ≥3072 bits if policy requires RSA.
- Set an expiration and rotate keys periodically; extend before expiry if needed.
- Protect your private key with a strong passphrase and store backups offline.
- Use subkeys for daily use; keep the primary key offline for identity and certification.
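To check that a generated key actually matches the policy above (modern curve or RSA of at least 3072 bits, an expiration set and no more than 2 years out), the following added example parses the machine-readable output of gpg --list-keys --with-colons. It is not part of this guide's commands; the sample output, key IDs and the fixed "today" date are constructed so the check runs offline, and on a real machine you would pipe the gpg output into parse_colons instead.

```python
"""Policy check for keys listed by `gpg --list-keys --with-colons` (field layout per GnuPG doc/DETAILS)."""
from datetime import datetime, timedelta, timezone

ALGO = {1: "RSA", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}  # OpenPGP public-key algorithm ids
MODERN_CURVES = {"ed25519", "cv25519"}   # Ed25519 for signing, Curve25519 for encryption
MIN_RSA_BITS = 3072
MAX_VALIDITY = timedelta(days=730)       # the 2-year expiry recommended in this guide
FIXED_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # assumed "today" so the sample result is reproducible

# Constructed sample of --with-colons output (fake key IDs): an ECC key with a cv25519 subkey,
# then a legacy RSA-2048 key with no expiry. Field 17 carries the curve name for ECC keys.
SAMPLE = """\
pub:u:255:22:1111111111111111:1700000000:1763000000::u:::scESC:::::ed25519:::0:
fpr:::::::::1111111111111111111111111111111111111111:
uid:u::::1700000000::X::Alice Example <alice@example.org>::::::::::0:
sub:u:255:18:2222222222222222:1700000000:1763000000:::::e:::::cv25519::
pub:u:2048:1:3333333333333333:1600000000:::u:::scESC::::::::0:
"""

def parse_colons(text):
    """Return one dict per pub/sub record: kind, keyid, algo, bits, curve, expires (epoch or None), caps."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub"):      # fpr/uid/tru records carry no key parameters
            continue
        keys.append({"kind": f[0], "keyid": f[4], "algo": ALGO.get(int(f[3]), "algo" + f[3]),
                     "bits": int(f[2]), "curve": f[16] if len(f) > 16 else "",
                     "expires": int(f[6]) if f[6] else None, "caps": f[11]})
    return keys

def policy_findings(keys, now=None):
    """List violations of the guide's recommendations: modern curve or RSA >= 3072, expiry set and <= 2 years."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for k in keys:
        label = f"{k['kind']} {k['keyid']}"
        if k["algo"] == "RSA" and k["bits"] < MIN_RSA_BITS:
            findings.append(f"{label}: RSA {k['bits']} bits < {MIN_RSA_BITS}")
        elif k["algo"] != "RSA" and k["curve"] not in MODERN_CURVES:
            findings.append(f"{label}: curve '{k['curve']}' is not Ed25519/Curve25519")
        if k["expires"] is None:
            findings.append(f"{label}: no expiration set")
        else:
            exp = datetime.fromtimestamp(k["expires"], timezone.utc)
            if exp < now:
                findings.append(f"{label}: expired on {exp.date()}")
            elif exp - now > MAX_VALIDITY:
                findings.append(f"{label}: validity runs past 2 years ({exp.date()})")
    return findings
```

Run against the sample, the ECC key and its subkey pass, while the RSA-2048 key is reported twice (key too short, no expiry).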
Troubleshooting
- gpg: command not found → Install GnuPG as in Step 1 or ensure it’s in PATH.
- Cannot choose ECC → Your distribution may lack modern defaults; update gpg to a recent version or use RSA 3072/4096.
- Forgot passphrase → You can’t recover the private key; revoke it and create a new one. Always keep a revocation certificate.
Reference commands (quick copy)
# Generate key (guided)
gpg --full-generate-key
# List keys and fingerprints
gpg --list-keys --keyid-format LONG
gpg --fingerprint KEYID
# Export public key (ASCII)
gpg --armor --export KEYID > my-public-key.asc
# Publish to keyserver
gpg --keyserver keyserver.ubuntu.com --send-keys KEYID
# Encrypt a test message to yourself
echo "test" | gpg --encrypt --armor --recipient KEYID | gpg --decrypt
FAQ
What’s the difference between a public and private key?
Your public key can be shared with anyone to let them encrypt messages to you or verify your signatures.
Your private key must remain secret; it decrypts messages and creates signatures.
Is ECC (Ed25519/Curve25519) compatible with everyone?
Most modern clients support ECC. For maximum compatibility with legacy systems, generate an additional RSA subkey or use RSA 3072/4096.
Can I change the key’s expiration later?
Yes. You can extend or shorten the expiry with your private key and passphrase. Recipients will see the updated expiry after you publish or share the updated public key.