A PGP key is an encryption key with two main parts:
The owner of the key pair is the only person who should ever have access to the Private Key.
A Public Key can be posted anywhere.
When someone wants to send you a secret message or file, they use your public key to produce ciphertext.
Only the Private Key can decrypt that ciphertext.
GNU Privacy Guard (GPG) is the tool used here for PGP (Pretty Good Privacy) operations.
gpg is most likely already installed on your Linux distro. On a Mac it may already be present via Homebrew; otherwise install it with brew install gnupg.
Fast Way To Generate A Secure Key
# make a key pair, follow the prompts
# export the public key to txt
gpg --output public-key.txt --export --armor 'johndoe@localhost'
Long Way (Bigger Key Size 4096, More Secure)
Generate a full key (public and private).
Choose RSA + RSA (the option listed as "RSA and RSA")
Choose a keysize of 4096 bits
Choose an expiry time of two years
Enter your name, or alias, and email address.
You will be asked to set a passphrase.
This is a password for the private key.
So, even if someone obtains the private key, they still need the passphrase to use it.
You’ll need to enter this password anytime you want to decrypt messages.
Make a big password, but one that you will remember.
If you forget this passphrase, it is virtually impossible to use your keys again.
A typical key lifespan is two years. It is not recommended to make a key that will never expire.
If the passphrase is too short, someone who has obtained the private key file can brute-force it (they still need the key file in the first place).
gpg: key 7BB47A69CE91569C marked as ultimately trusted
gpg: revocation certificate stored as '~/.gnupg/openpgp-revocs.d/4FFF1CFF1D52EF7D86F82C277BB47A69CE91569C.rev'
public and secret key created and signed.
pub rsa4096 2020-12-17 [SC] [expires: 2022-12-17]
uid Jane Doe
sub rsa4096 2020-12-17 [E] [expires: 2022-12-17]
This key was named on the local machine as
For the above key, the public fingerprint is
The public fingerprint is sometimes stored like this:
4FFF 1CFF 1D52 EF7D 86F8 2C27 7BB4 7A69 CE91 569C
The fingerprint only identifies the key; it cannot be used on its own to encrypt to you or to verify your signatures. For that, the other party needs your entire public key:
Exporting The Public Key
Show your keys:
You can refer to the key you just made in multiple ways:
# these are all the same
gpg --output public-key.txt --export --armor janedoe@localhost
gpg --output public-key.txt --export --armor 7BB47A69CE91569C
# full 40-hex fingerprint
gpg --output public-key.txt --export --armor 4FFF1CFF1D52EF7D86F82C277BB47A69CE91569C
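As an added example (not part of the original tutorial), the Python below parses the machine-readable listing that gpg --list-keys --with-colons prints for a key like the one above and shows why the three export commands refer to the same key: the long key ID is just the last 16 hex digits of the fingerprint. The listing is constructed to match the Jane Doe key; the subkey ID and uid hash in it are placeholders.

```python
"""Parse GnuPG's machine-readable key listing (gpg --list-keys --with-colons)."""
from datetime import datetime, timezone

# Constructed sample of `gpg --list-keys --with-colons` output for the key made
# above. The subkey ID and the uid hash field are placeholders, not real values.
SAMPLE_LISTING = """\
tru::1:1608163200:1671235200:3:1:5
pub:u:4096:1:7BB47A69CE91569C:1608163200:1671235200::u:::scESC::::::23::0:
fpr:::::::::4FFF1CFF1D52EF7D86F82C277BB47A69CE91569C:
uid:u::::1608163200::PLACEHOLDERUIDHASH::Jane Doe <janedoe@localhost>::::::::::0:
sub:u:4096:1:0123456789ABCDEF:1608163200:1671235200:::::e::::::23:
"""

def _to_date(field):
    """Colon-listing dates are seconds since the epoch; empty means 'no expiry'."""
    return datetime.fromtimestamp(int(field), tz=timezone.utc).date() if field else None

def parse_colon_listing(text):
    """Return one dict per primary key: key ID, fingerprint, size, dates, uids, subkeys."""
    keys, cur = [], None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            cur = {"keyid": f[4], "bits": int(f[2]), "created": _to_date(f[5]),
                   "expires": _to_date(f[6]), "caps": f[11], "fingerprint": None,
                   "uids": [], "subkeys": []}
            keys.append(cur)
        elif cur is None:
            continue                       # 'tru' and other records before the first key
        elif f[0] == "fpr" and cur["fingerprint"] is None:
            cur["fingerprint"] = f[9]      # first fpr after pub belongs to the primary key
        elif f[0] == "uid":
            cur["uids"].append(f[9])
        elif f[0] == "sub":
            cur["subkeys"].append({"keyid": f[4], "caps": f[11], "expires": _to_date(f[6])})
    return keys

def key_id_from_fingerprint(fpr):
    """The long key ID gpg shows is the last 16 hex digits of the fingerprint."""
    return fpr[-16:].upper()

def display_fingerprint(fpr):
    """Render the 40-hex fingerprint in the spaced groups of four that gpg prints."""
    return " ".join(fpr[i:i + 4] for i in range(0, len(fpr), 4))

def matches_key(key, ident):
    """True if ident names this key as the export commands do: the uid's email, the
    16-hex long key ID, or the 40-hex fingerprint (spaces and case ignored).
    Short 8-hex key IDs are deliberately not accepted; they are easy to collide."""
    token = ident.replace(" ", "").upper()
    if len(token) == 40 and token == key["fingerprint"]:
        return True
    if len(token) == 16 and token == key["keyid"]:
        return True
    return any(f"<{ident}>" in uid for uid in key["uids"])

def days_until_expiry(key, today):
    """Days left on the primary key (negative once expired); None if it never expires."""
    return None if key["expires"] is None else (key["expires"] - today).days
```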