How to Generate an OpenPGP Key using GnuPG
Requirements
To follow this procedure, make sure you meet the following minimum requirements:
- Access to a Linux machine with a terminal;
- The GnuPG package (the gpg command) installed on that machine;
- The parameters of the key you need to generate: algorithm, key size, expiry, and whether or not the key must be protected by a passphrase (see below).
Generate a new OpenPGP key pair
Do you need to set a passphrase or not?
Whether or not you need to set a passphrase depends on why you are making this key pair:
1. Organization Account Recovery key: set a passphrase. It protects the private key at rest, so a copy of the exported key file is useless to whoever obtains it without the passphrase.
2. Server GPG key: do not set a passphrase. The passbolt server must use this key unattended, with nobody there to type a passphrase.
Execute the following command to generate a new OpenPGP key pair.
gpg --full-generate-key
This command runs an interactive wizard that helps you define the key settings:
- Select the key type, for instance: RSA (the "RSA and RSA" option, which creates a signing primary key with an encryption subkey).
- If RSA was chosen, select the key size, for instance 3072 for a strong key.
- Select the expiration time, for instance 0 for "no expiry". Key expiration is not well handled by passbolt, so set an expiration date only if you know what you are doing.
- Confirm the key type information.
- Enter a name, for instance: Ada Lovelace.
- Enter an email address, for instance: [email protected].
- Enter a comment (optional). It only helps you tell keys apart in the keyring when several share a similar name or email.
- Confirm the key meta information.
- Set a passphrase if you are creating an Organization Account Recovery key pair; leave it empty if this is the server GPG key pair.
Once the key is generated, it is stored in the keyring of the user you ran the command as, and GnuPG prints the details of the new key:
public and secret key created and signed.
pub rsa3072 2022-08-04 [SC]
F5B94A730D636A18815046C1408B779FE1951A9A
uid Ada Lovelace <[email protected]>
sub rsa3072 2022-08-04 [E]
The output contains a 40-character hexadecimal identifier (F5B94A730D636A18815046C1408B779FE1951A9A): this is the key fingerprint. Note it down; it is the unambiguous way to refer to the key in the keyring, and you will need it in the export commands below.
Export an OpenPGP key pair
Export an OpenPGP public key
Run the following command to export the public key whose fingerprint is F5B94A730D636A18815046C1408B779FE1951A9A from the OpenPGP keyring into an ASCII-armored file:
gpg --armor --export F5B94A730D636A18815046C1408B779FE1951A9A > public.key
Export an OpenPGP private key
Run the following command to export the private key whose fingerprint is F5B94A730D636A18815046C1408B779FE1951A9A from the OpenPGP keyring into an ASCII-armored file:
gpg --armor --export-secret-keys F5B94A730D636A18815046C1408B779FE1951A9A > private.key
If the key is protected by a passphrase, GnuPG prompts for it and the exported file stays encrypted with that same passphrase. A server key exported without a passphrase can be used by anyone who can read the file, so restrict the file permissions to the intended user, move it over a trusted channel only, and delete any copy you no longer need.
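The wizard above is fine for a one-off key, but a server key is usually provisioned by a script, and an interactive prompt cannot be automated. The script below is an added example, not part of the passbolt documentation or the passbolt project: it performs the same generation (RSA 3072 primary signing key, RSA 3072 encryption subkey, no expiry) and the same two exports unattended with GnuPG's batch parameter file, covering both cases described on this page: an empty passphrase produces an unprotected server-style key (%no-protection), a non-empty one produces a passphrase-protected recovery-style key. It uses a throw-away GNUPGHOME so your real keyring is never touched. The name "Ada Lovelace", the address ada@example.com, the sample passphrase and the output paths are constructed for the example, and GnuPG 2.1 or later is assumed (needed for --pinentry-mode loopback).

```shell
#!/bin/sh
# Added example (not passbolt's code): unattended GnuPG key generation and export.
# Mirrors the wizard choices on this page: RSA 3072 + RSA 3072 subkey, no expiry.
set -eu

# gen_key HOMEDIR NAME EMAIL [PASSPHRASE]
# Creates an RSA-3072 sign+certify primary key with an RSA-3072 encryption
# subkey and no expiry inside HOMEDIR, then prints the primary key fingerprint.
# Empty PASSPHRASE -> "%no-protection" (server key); non-empty -> recovery key.
gen_key() {
  homedir=$1; name=$2; email=$3; passphrase=${4:-}
  mkdir -p "$homedir" && chmod 700 "$homedir"
  # mktemp creates the parameter file mode 0600: it may contain the passphrase.
  params=$(mktemp)
  {
    printf 'Key-Type: RSA\nKey-Length: 3072\nKey-Usage: sign\n'
    printf 'Subkey-Type: RSA\nSubkey-Length: 3072\nSubkey-Usage: encrypt\n'
    printf 'Name-Real: %s\nName-Email: %s\nExpire-Date: 0\n' "$name" "$email"
    if [ -n "$passphrase" ]; then
      printf 'Passphrase: %s\n' "$passphrase"
    else
      printf '%%no-protection\n'
    fi
    printf '%%commit\n'
  } > "$params"
  gpg --homedir "$homedir" --batch --quiet --pinentry-mode loopback \
      --gen-key "$params" 2>/dev/null
  rm -f "$params"
  # In --with-colons output the first "fpr" record is the primary key fingerprint.
  gpg --homedir "$homedir" --batch --with-colons --list-keys "$email" 2>/dev/null \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# export_keys HOMEDIR FPR OUTDIR [PASSPHRASE]
# Writes OUTDIR/public.key and OUTDIR/private.key in ASCII-armor format, exactly
# as the two gpg --export commands on this page do. The private key file is
# created mode 0600. A passphrase-protected key stays encrypted with that
# passphrase in the file; an unprotected (server) key is readable as-is.
export_keys() {
  homedir=$1; fpr=$2; outdir=$3; passphrase=${4:-}
  mkdir -p "$outdir"
  gpg --homedir "$homedir" --batch --armor --export "$fpr" > "$outdir/public.key"
  ( umask 077
    printf '%s' "$passphrase" | gpg --homedir "$homedir" --batch --pinentry-mode loopback \
        --passphrase-fd 0 --armor --export-secret-keys "$fpr" > "$outdir/private.key" )
}

# is_fingerprint STRING: true when STRING is a 40-hex-digit OpenPGP v4 fingerprint,
# the identifier you are asked to note down after key generation.
is_fingerprint() {
  printf '%s' "$1" | grep -Eq '^[0-9A-F]{40}$'
}

# Demo run: sh thisfile.sh demo  (generates a server-style key, exports both halves)
if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  fpr=$(gen_key "$work/gnupg" "Ada Lovelace" "ada@example.com")
  is_fingerprint "$fpr" || { echo "no fingerprint found" >&2; exit 1; }
  export_keys "$work/gnupg" "$fpr" "$work/out"
  echo "fingerprint: $fpr"; ls -l "$work/out"
  GNUPGHOME="$work/gnupg" gpgconf --kill gpg-agent 2>/dev/null || true
fi
```

The parameter file is the only place the passphrase is written to disk, which is why it is created with mktemp (mode 0600) and removed immediately after generation; the passphrase for export is fed through --passphrase-fd rather than a command-line option, so it never appears in the process list.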