Creating and Sharing a PGP Key

For Beginners

Introduction

OpenPGP is a standard implemented by several applications. PGP itself is a commercial product; one of the most common free implementations is GPG (GNU Privacy Guard), which is what we'll be using in this how-to.

Install GPG

How you install GPG is largely system-specific. The main thing to note is that you should be installing a fairly current version of GPG. You want at least GPG 2.1.

If your operating system's package manager doesn't provide a version of GPG that is at least 2.1, you can download a binary distribution from https://gnupg.org/download/.

Package Installs

Here are the package install commands for some common OSes. Whatever you install, check the version afterwards (see the next section), because a distribution's packaged GPG may still be older than 2.1.

Debian
% sudo apt-get install gnupg
RedHat (the package is called gnupg2 on Red Hat, CentOS and Fedora)
% sudo yum install gnupg2
Mac OS
% brew install gnupg

Check The Version of GPG

Check that you've got at least GPG 2.1. In the listings below, your input is what follows the % prompt; everything after that is gpg's output.

jane@keyparty:~ 9:28:38 (38) % gpg --version
gpg (GnuPG) 2.1.18
libgcrypt 1.7.6-beta
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

If it's not 2.1 or later, go back and download a binary distribution to install.

Create a New Key

Run gpg and create a key.

jane@keyparty:~ 9:30:15 (39) % gpg --generate-key
gpg (GnuPG) 2.1.18; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Note: Use "gpg --full-generate-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

Real name: Jane Doe
Email address: jane@example.com
You selected this USER-ID:
    "Jane Doe <jane@example.com>"

Change (N)ame, (E)mail, or (O)kay/(Q)uit?

Set a Passphrase

When you say Okay to your entries, you'll be asked to enter a passphrase. Choose a strong, but easy to remember passphrase and set it.

REMEMBER: if someone gets a copy of your secret key (the private half, which stays in your GPG home directory; the file you export and email later contains only the public half), this passphrase is the only thing between them and the ability to impersonate you or read all of your encrypted email!

Also remember, if you forget this passphrase, you will lose access to your key.

Key Generation and Entropy

Once you set a passphrase, GPG will begin generating your key. To do this, it needs a large amount of entropy, or randomness, in order to generate some good large prime numbers. This may take a while, and GPG may ask you to create some activity on your computer in order to help its random number generator.

A note about Algorithms and Expiry

The default --generate-key dialog doesn't let you set the expiry date of your key, or the algorithm, or the key size. If you want to set these, run gpg --full-generate-key instead, which asks for the algorithm, key size and expiry in turn. Adding the --expert option to that exposes still more choices (such as elliptic-curve keys) that most people should leave alone.

Use Caution!

If you change anything from the defaults, be sure you know why you're doing it and what effect it might have.

Don't pick an expiry date too far in the future, don't make your key size too small (the 2048-bit RSA default shown below is fine), and don't pick an algorithm that nobody else can make use of!

Your New Key

Once GPG is done generating your key it will show you the new key's details, and exit.

pub   rsa2048 2018-10-12 [SC] [expires: 2020-10-11]
      BF5FDD3050025BA09A4AA8E4D3510260A0B75CB6
      BF5FDD3050025BA09A4AA8E4D3510260A0B75CB6
uid                      Jane Doe <jane@example.com>
sub   rsa2048 2018-10-12 [E] [expires: 2020-10-11]

Fingerprints

The long hex string in the key info is your key's fingerprint. You can also get that in an easier-to-read format by explicitly asking for it.

jane@keyparty:~ 9:32:12 (40) % gpg --fingerprint jane@example.com
pub   rsa2048 2018-10-12 [SC] [expires: 2020-10-11]
      BF5F DD30 5002 5BA0 9A4A A8E4 D351 0260 A0B7 5CB6
uid           [ultimate] Jane Doe
sub   rsa2048 2018-10-12 [E] [expires: 2020-10-11]

Exporting Your Key

Extract an ASCII text file that contains your public key.

jane@keyparty:~ 09:34:01 (41) % gpg -a --export -o jane-at-example.com.asc jane@example.com

The -a option (long form --armor) makes GPG write ASCII-armored text instead of binary data, and -o (long form --output) names the output file. The file contains only your public key; --export never writes your secret key.

Email Your Extracted Key

Email the output file as an attachment to pgpsign@dns-oarc.net by 09:00 Friday morning.

It's important to send the file as an attachment, because some mail clients can cause formatting problems with the key data that make it hard to import.

Don't be late, or your key won't be included!

Download The Keyring

Just before morning break on Friday, everyone's keys will be posted as a single export file in the Indico agenda for the key signing at https://indico.dns-oarc.net/event/32/contributions/739/

Download this key file (keyring.asc) and its checksum file (keyring.md5). We'll make an announcement when these files are ready to be downloaded.

Confirm your Key

You'll need to take a few steps to confirm that the fingerprint for your key in the exported keyring is correct. It's important that you verify that it's your key in the keyring!

First, import the keyring into an alternate keyring file in gpg, so that nothing is added to your own keyring until you've verified it. The --keyring ./oarc31 option makes GPG create (and use) a file called oarc31 in the current directory.

jane@keyparty:~ 09:34:01 (41) % gpg --no-default-keyring --keyring ./oarc31 --import keyring.asc

Verify your Fingerprint

Compare the fingerprints from your standard keyring with the one you just imported.

jane@keyparty:~ 09:34:01 (41) % gpg --fingerprint jane@example.com
pub   rsa2048 2018-10-12 [SC] [expires: 2020-10-11]
      BF5F DD30 5002 5BA0 9A4A A8E4 D351 0260 A0B7 5CB6
uid           [ultimate] Jane Doe
sub   rsa2048 2018-10-12 [E] [expires: 2020-10-11]

jane@keyparty:~ 09:34:01 (41) % gpg --no-default-keyring --keyring ./oarc31 --fingerprint jane@example.com
pub   rsa2048 2018-10-12 [SC] [expires: 2020-10-11]
      BF5F DD30 5002 5BA0 9A4A A8E4 D351 0260 A0B7 5CB6
uid           [ultimate] Jane Doe
sub   rsa2048 2018-10-12 [E] [expires: 2020-10-11]

All forty hex digits must match, not just the last few: the short key ID at the end is easy for an attacker to collide, the full fingerprint is not.
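Eyeballing forty hex digits twice is error-prone, so here is an added shell script (not part of the original how-to) that does the comparison for you using gpg's machine-readable --with-colons listing rather than the spaced output of --fingerprint. It assumes GPG 2.1 or later and the ./oarc31 keyring created by the --import step above. The SAMPLE_LISTING inside it is constructed for the offline self-check; the subkey and user-ID hash fields in it are placeholders, not real gpg output.

```sh
#!/bin/sh
# Added example: compare your key's fingerprint in your default keyring with
# the one in the downloaded party keyring, using gpg's --with-colons output.
# Assumes gpg >= 2.1 and the ./oarc31 keyring created with --import above.

# Constructed sample of --with-colons --fingerprint output (NOT real gpg
# output): the primary fingerprint is the one from this how-to, the subkey
# and uid-hash values are placeholders. Used only by the self-check below.
SAMPLE_LISTING='tru::1:1539331932:0:3:1:5
pub:u:2048:1:D3510260A0B75CB6:1539331932:1602374400::u:::scESC::::::23::0:
fpr:::::::::BF5FDD3050025BA09A4AA8E4D3510260A0B75CB6:
uid:u::::1539331932::0123456789ABCDEF0123456789ABCDEF01234567::Jane Doe <jane@example.com>::::::::::0:
sub:u:2048:1:0123456789ABCDEF:1539331932:1602374400:::::e::::::23:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:'

# In colon output an "fpr" record carries the fingerprint in field 10. The
# first fpr after a "pub" record belongs to the primary key; fpr records
# after a "sub" record belong to subkeys and are skipped.
primary_fprs() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print $10; want = 0 }
    '
}

# Normalise a human-formatted fingerprint ("BF5F DD30 ...", lowercase, etc.)
# to the bare 40-character uppercase form so two can be compared with "=".
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Succeed only if both arguments normalise to the same well-formed 40-hex-digit
# fingerprint. The length and hex checks stop two empty strings (gpg found no
# key) or a truncated key ID from being reported as a match.
fpr_equal() {
    a=$(normalize_fpr "$1")
    b=$(normalize_fpr "$2")
    [ "${#a}" -eq 40 ] && [ "$a" = "$b" ] &&
        [ -z "$(printf '%s' "$a" | tr -d '0-9A-F')" ]
}

# Primary fingerprint of the first key matching user ID $1 in keyring file $2
# (the default keyring when $2 is empty).
fpr_in_keyring() {
    uid=$1
    ring=$2
    if [ -n "$ring" ]; then
        set -- --no-default-keyring --keyring "$ring"
    else
        set --
    fi
    gpg "$@" --with-colons --fingerprint "$uid" 2>/dev/null | primary_fprs | head -n 1
}

# Usage: sh check-fpr.sh jane@example.com ./oarc31
# Without arguments the script defines the functions and does nothing.
if [ "$#" -ge 2 ]; then
    mine=$(fpr_in_keyring "$1" "")
    theirs=$(fpr_in_keyring "$1" "$2")
    echo "default keyring: $mine"
    echo "$2: $theirs"
    if fpr_equal "$mine" "$theirs"; then
        echo "MATCH: the party keyring carries your key"
    else
        echo "MISMATCH: do not vouch for this key at the party" >&2
        exit 1
    fi
fi
```

The --with-colons format is the one GPG documents as stable for scripts (the human listing changes between releases and is localised), so this is also the form to use if you later automate anything around the party keyring.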

Join Us At The Key Signing!

Now all you need to do is show up at the key signing, on Friday during lunch. We'll be in the plenary room (where the rest of the conference has been) at 13:10.

Bring with you:

  • your laptop with the export keyring on it
  • some ID that others who do not know you can trust (e.g. your passport).
  • a pen and paper, or some other way to take notes

What to Expect

We will do three things during the key signing:

  1. Everyone will check that they have the correct keyring file
  2. Everyone will introduce themselves and declare which key in the keyring is theirs, and whether the fingerprints match their key.
  3. Everyone will have an opportunity to verify the ID of anyone they don't already know personally

Verifying the Keyring

We will post a checksum of the keyring file on the screen. Generate an MD5 checksum of the keyring.asc file you downloaded and make sure it matches. Note what this does and doesn't prove: a matching checksum tells you that you have exactly the same file as everyone else in the room, which is what the rest of the session relies on. It is not a signature and does not authenticate the file by itself; that comes from each owner standing up and confirming their own fingerprint.
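An added shell script (not part of the original how-to) for the checksum step. It copes with the different tools and output layouts on Linux (md5sum) and macOS (md5 or openssl), and accepts the expected value either from the downloaded keyring.md5 file, whatever its layout, or typed in from the screen. The file names keyring.asc and keyring.md5 are the ones this page uses; the layout of keyring.md5 is not specified on the page, so the script just looks for the first 32 hex digits in it.

```sh
#!/bin/sh
# Added example: check keyring.asc against the MD5 in keyring.md5 and/or the
# value shown on screen at the party. Works with md5sum (Linux), md5 (macOS)
# or openssl as a fallback; each prints the digest in a different layout.

# Lowercase hex MD5 digest of file $1.
md5_of_file() {
    if command -v md5sum >/dev/null 2>&1; then
        d=$(md5sum "$1" | awk '{print $1}')
    elif command -v md5 >/dev/null 2>&1; then
        d=$(md5 -q "$1")
    else
        d=$(openssl dgst -md5 "$1" | awk '{print $NF}')
    fi
    printf '%s\n' "$d" | tr 'A-F' 'a-f'
}

# First 32-hex-digit token in $1, lowercased, or nothing if there is none.
# Handles "<hash>  keyring.asc", "MD5 (keyring.asc) = <hash>" and a bare hash.
extract_md5() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f' | grep -o '[0-9a-f]\{32\}' | head -n 1
}

# Exit status 0 only when file $1's digest equals the digest found in text $2.
# Refusing an empty/unparseable expected value keeps a garbled .md5 file from
# passing as a match.
md5_matches() {
    file=$1
    expected=$(extract_md5 "$2")
    [ "${#expected}" -eq 32 ] && [ "$(md5_of_file "$file")" = "$expected" ]
}

# Usage: sh check-keyring.sh keyring.asc keyring.md5
#    or: sh check-keyring.sh keyring.asc "<digest read from the screen>"
# Without arguments the script defines the functions and does nothing.
if [ "$#" -ge 2 ]; then
    if [ -f "$2" ]; then
        expected_text=$(cat "$2")
    else
        expected_text=$2
    fi
    if md5_matches "$1" "$expected_text"; then
        echo "OK: $1 matches $(extract_md5 "$expected_text")"
    else
        echo "MISMATCH: $1 does not match; re-download it before the party" >&2
        exit 1
    fi
fi
```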

Verifying Keys

Everyone will state which key is theirs in the keyring (usually by calling out an email address in the key ID) and will state whether the fingerprint in the downloaded file is correct.

Use the paper or note taking app you brought to take notes!

Verifying Identities

We'll form a sports "handshake circle" for everyone to check ID. Confirm that the people whose keys you're signing are who they say they are!

And that's it!

That completes the face to face portion of the key signing party!

Everyone can go home and sign keys, then email the signed keys back to their owner, at their leisure.
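As an added example of that last step (this is a manual stand-in written for this page, not the caff procedure the how-to promises): for each fingerprint you verified in person, sign the key, export that one key carrying your new signature, and encrypt the export to the owner's key so that only they can read what you mail back. It assumes GPG 2.1 or later and that, after the party, you imported keyring.asc into your default keyring with gpg --import keyring.asc. Unlike caff, which signs and mails each user ID separately, this signs every user ID on the key at once.

```sh
#!/bin/sh
# Added example: sign verified keys and package the signed copies for return.
# Assumes gpg >= 2.1 and that keyring.asc has been imported into the default
# keyring after the party. This is a simplified manual flow, not caff.

# Strip spaces and uppercase, so "BF5F DD30 ..." and lowercase forms compare.
bare_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F'
}

# Accept only a full 40-hex-digit fingerprint. Signing by an 8- or 16-digit
# key ID is refused: key IDs can be collided, the fingerprint you checked at
# the party cannot, and --quick-sign-key itself requires the fingerprint.
valid_fpr() {
    f=$(bare_fpr "$1")
    [ "${#f}" -eq 40 ] && [ -z "$(printf '%s' "$f" | tr -d '0-9A-F')" ]
}

# Certify every user ID on the key without the interactive --sign-key dialog,
# then export just that key and encrypt it to itself for mailing back.
# --trust-model always skips the "key is not trusted, use anyway?" prompt;
# that is acceptable here only because the fingerprint was checked in person.
# Use --quick-lsign-key instead if you want a local, non-exportable signature.
sign_and_package() {
    fpr=$(bare_fpr "$1")
    out="$fpr.signed.asc.gpg"
    gpg --quick-sign-key "$fpr" || return 1
    gpg --armor --export "$fpr" |
        gpg --armor --trust-model always --recipient "$fpr" \
            --output "$out" --encrypt || return 1
    echo "wrote $out; attach it to a mail to the key's owner"
}

# Usage: sh sign-and-return.sh "BF5F DD30 5002 5BA0 9A4A A8E4 D351 0260 A0B7 5CB6" [...]
# Without arguments the script defines the functions and does nothing.
for f in "$@"; do
    if valid_fpr "$f"; then
        sign_and_package "$f"
    else
        echo "skipping '$f': not a full 40-digit fingerprint" >&2
    fi
done
```

Because the returned file is encrypted to the key being signed, only someone holding that secret key can import the signature, which is the same control-of-key check caff performs per user ID.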

Watch this space for some instructions on using caff to automatically sign keys!