Getting Started with PGP Key Generation
Creating your own PGP key pair is the first practical step toward encrypted communication. This module will guide you through the process using Secure Mail Client, which simplifies many of the technical aspects while maintaining strong security standards.
Note
While we recommend using Secure Mail Client for its seamless integration and user-friendly interface, we'll also cover the standard command-line approach for those who prefer it or need to use it in certain environments.
Before You Begin: Important Considerations
Before generating your keys, there are several important decisions to make that will affect your encryption setup for years to come:
Key Strength
PGP keys can be generated with different levels of cryptographic strength, measured in bits. Higher bit-length means stronger encryption but slightly slower operations.
2048 bits
Minimum acceptable strength
- ✓ Faster operations
- ✓ Compatible with all systems
- ✗ May become vulnerable sooner
4096 bits (Recommended)
Strong security with good performance
- ✓ Very secure against current methods
- ✓ Long-term protection
- ✓ Well-supported
8192+ bits
Highest security but with tradeoffs
- ✓ Maximum security margin
- ✗ Slower operations
- ✗ Limited compatibility
Our recommendation: Use 4096-bit RSA keys for an optimal balance of security and usability. Secure Mail Client defaults to this setting.
Key Expiration
Setting an expiration date for your key is an important security practice. It ensures that if you lose access to your private key or it becomes compromised, the key will eventually become invalid.
Tip
Set an expiration date of 1-2 years.
You can always extend this date later if needed, but having an expiration provides protection if you lose access to your key.
Secure Mail Client sets a default expiration of 2 years, which is a good starting point for most users.
Email Identity
Your PGP key will be associated with your email address as your digital identity. Consider:
- Which email address you want to use (you can add multiple addresses to a key)
- Whether to use your real name or a pseudonym (depending on your privacy needs)
- Whether this key is for personal or professional use
Passphrase
Your private key will be protected by a passphrase. This is a critical security element:
Passphrase Requirements
- Strong: Use a long phrase with mixed character types
- Memorable: You must be able to remember it without writing it down
- Unique: Don't reuse passphrases from other services
- Private: Never share your passphrase with anyone
Security Alert
If you forget your passphrase, you will permanently lose access to your private key and all messages encrypted to it.
This is by design - it's a security feature that prevents others from accessing your encrypted data, but it also means there's no "forgot password" option.
Generating Keys with Secure Mail Client
Secure Mail Client provides a straightforward interface for generating your key pair:
1. Launch Secure Mail Client: open the application from your system.
2. First-time setup: the application detects that you have no keys and offers to create one.
3. Enter your information: provide your name, your email address, and any additional email addresses you want to associate with this key.
4. Key settings (Advanced): accept the defaults (4096-bit RSA, 2-year expiration) or customize these settings.
5. Create a strong passphrase: enter a passphrase that you can remember but that would be difficult for others to guess.
6. Generate your key: click "Generate Key" and wait while the application creates your key pair.
7. Backup reminder: the application prompts you to create a backup of your key.
That's it! You now have a PGP key pair ready to use with Secure Mail Client. Your public key can be shared with others, while your private key remains securely stored on your device, protected by your passphrase.
Generating Keys with GnuPG (Command Line)
If you prefer using the command line or need to generate keys in an environment without a graphical interface, GnuPG (GPG) is the standard tool:
Installing GPG
First, ensure you have GnuPG installed on your system:
Windows: download and install Gpg4win
macOS: brew install gnupg
Linux (Debian/Ubuntu): sudo apt install gnupg
Key Generation Command
Once GPG is installed, you can generate a key pair with the following command:
gpg --full-generate-key
This will start an interactive process where you'll make several choices:
- Key type: Select RSA and RSA (default)
- Key size: Enter 4096
- Expiration: Enter "2y" for a two-year expiration
- User ID: Enter your name and email address
- Passphrase: Create and confirm a strong passphrase
GPG then gathers randomness (entropy) from your system and computes the key pair, which may take a minute or two depending on your machine.
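The interactive prompts above can also be answered from a file, using GnuPG's documented unattended key-generation format. The following Python is an added example, not code from this module or from GnuPG: the parameter keywords are GnuPG's, the function names (batch_parameters, generate_key) are my own, and the optional run at the bottom assumes gpg is on your PATH.

```python
"""Unattended GnuPG key generation making the same choices as the interactive
prompts above (RSA and RSA, 4096 bits, two-year expiry). Added example, not
part of this module or of GnuPG; the parameter keywords are GnuPG's documented
unattended key-generation format, the function names are my own."""
import shutil
import subprocess
import tempfile
from pathlib import Path


def batch_parameters(name, email, bits=4096, expire="2y"):
    """Build the parameter file read by `gpg --batch --generate-key`.

    No Passphrase line is written on purpose: gpg-agent then asks for one
    through pinentry, so the secret key is never stored unprotected."""
    if bits < 2048:
        raise ValueError("RSA keys below 2048 bits are not acceptable")
    for field in (name, email):
        # A line break inside a field would be read as a further directive
        # (for example %no-protection), so reject it rather than try to quote it.
        if "\n" in field or "\r" in field:
            raise ValueError("name and email must not contain line breaks")
    return "\n".join([
        f"%echo Generating a {bits}-bit RSA key pair for {email}",
        "Key-Type: RSA",
        f"Key-Length: {bits}",
        "Key-Usage: sign",          # primary key: certify (implicit) and sign -> [SC]
        "Subkey-Type: RSA",
        f"Subkey-Length: {bits}",
        "Subkey-Usage: encrypt",    # encryption subkey -> [E]
        f"Name-Real: {name}",
        f"Name-Email: {email}",
        f"Expire-Date: {expire}",   # "2y" = two years, as in the interactive prompt
        "%commit",
        "%echo done",
    ]) + "\n"


def generate_key(name, email, homedir):
    """Write the parameter file into homedir, run gpg against that home
    directory and return the resulting `gpg --list-keys` output."""
    home = Path(homedir)
    params = home / "keygen.params"
    params.write_text(batch_parameters(name, email))
    base = ["gpg", "--homedir", str(home)]
    subprocess.run(base + ["--batch", "--generate-key", str(params)], check=True)
    params.unlink()   # the file holds no secrets, but there is no reason to keep it
    return subprocess.run(base + ["--list-keys"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    if shutil.which("gpg") is None:
        print("gpg is not installed; see the installation commands above")
    else:
        # TemporaryDirectory creates the directory with mode 0700, which gpg
        # requires for its home directory; the key is discarded on exit, so
        # use your real GnuPG home directory for a key you intend to keep.
        with tempfile.TemporaryDirectory() as tmp:
            print(generate_key("Your Name", "you@example.com", tmp))
```

The line-break check matters because the parameter file is a line-oriented directive language: a name or address taken from an untrusted source could otherwise smuggle in a directive such as %no-protection and produce a key with no passphrase.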
Verifying Your New Key
After generation completes, you can verify your key was created:
gpg --list-keys
You should see output similar to:
pub   rsa4096 2025-04-08 [SC] [expires: 2027-04-08]
      AB12CD34EF56GH78IJ90KL12MN34OP56QR78ST90
uid           [ultimate] Your Name <you@example.com>
sub   rsa4096 2025-04-08 [E] [expires: 2027-04-08]
The 40-character hexadecimal string on the second line (shown here as the placeholder AB12CD34EF56GH78IJ90KL12MN34OP56QR78ST90) is your key's fingerprint. GPG accepts it anywhere a key ID is expected, and the conventional long key ID is its last 16 hex digits.
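A quick way to check a listing like the one above against this module's recommendations (4096-bit RSA, an expiration date that is set and has not passed) is to parse it. The following Python is an added example, not code from this module or from GnuPG: the sample listing and its fingerprints are constructed, the function names are my own, and the 90-day renewal warning window is an assumption rather than a GnuPG setting.

```python
"""Parse human-readable `gpg --list-keys` output and audit each primary key
against the guidance in this module: 4096-bit RSA, an expiration date that
is set and has not passed. Added example, not part of the module or of GnuPG."""
import re
from datetime import date, timedelta

# First line of a primary-key block, e.g.
#   pub   rsa4096 2025-04-08 [SC] [expires: 2027-04-08]
PUB_RE = re.compile(
    r"^pub\s+(?P<algo>\S+)\s+(?P<created>\d{4}-\d{2}-\d{2})\s+\[(?P<caps>[A-Z]+)\]"
    r"(?:\s+\[(?P<kind>expires|expired): (?P<expiry>\d{4}-\d{2}-\d{2})\])?"
)
# User ID line, e.g. "uid           [ultimate] Your Name <you@example.com>"
UID_RE = re.compile(r"^uid\s+\[\s*(?P<validity>\w+)\]\s+(?P<uid>.+)$")
# Fingerprint line: 40 hex digits on a line of their own
FPR_RE = re.compile(r"^[0-9A-F]{40}$")

MIN_RSA_BITS = 4096                    # the module's recommendation
RENEWAL_WINDOW = timedelta(days=90)    # assumed warning window, not from the module


def parse_list_keys(text):
    """Return one dict per primary key: algorithm, RSA/DSA bit length (None
    for curve keys), creation and expiry dates, capabilities, fingerprint, uids."""
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        m = PUB_RE.match(line)
        if m:
            size = re.fullmatch(r"(?:rsa|dsa|elg)(\d+)", m.group("algo"))
            keys.append({
                "algo": m.group("algo"),
                "bits": int(size.group(1)) if size else None,
                "created": date.fromisoformat(m.group("created")),
                "caps": m.group("caps"),
                "expires": date.fromisoformat(m.group("expiry")) if m.group("expiry") else None,
                "fingerprint": None,
                "uids": [],
            })
            continue
        if not keys:
            continue                   # header lines before the first key
        if keys[-1]["fingerprint"] is None and FPR_RE.match(line):
            keys[-1]["fingerprint"] = line
            continue
        u = UID_RE.match(line)
        if u:
            keys[-1]["uids"].append(u.group("uid"))
        # "sub" lines are skipped: the audit is about the primary key
    return keys


def key_id(fingerprint):
    """The long key ID is the last 16 hex digits of the 40-digit fingerprint."""
    return fingerprint[-16:]


def audit_key(key, today):
    """Findings for one key; an empty list means it meets the recommendations."""
    findings = []
    if key["bits"] is not None and key["bits"] < MIN_RSA_BITS:
        findings.append(f"{key['algo']} is below the recommended {MIN_RSA_BITS}-bit size")
    exp = key["expires"]
    if exp is None:
        findings.append("no expiration date set")
    elif exp <= today:
        findings.append(f"expired on {exp.isoformat()}")
    elif exp - today <= RENEWAL_WINDOW:
        findings.append(f"expires on {exp.isoformat()}; extend it soon")
    return findings


def audit_listing(text, today_iso):
    """Map each key's long key ID (or first uid, if no fingerprint line was
    printed) to its findings, evaluated as of the date today_iso."""
    today = date.fromisoformat(today_iso)
    report = {}
    for k in parse_list_keys(text):
        label = key_id(k["fingerprint"]) if k["fingerprint"] else k["uids"][0]
        report[label] = audit_key(k, today)
    return report


# Constructed sample listing in the format shown above (fingerprints are made up).
SAMPLE_LISTING = """\
pub   rsa4096 2025-04-08 [SC] [expires: 2027-04-08]
      0123456789ABCDEF0123456789ABCDEF01234567
uid           [ultimate] Your Name <you@example.com>
sub   rsa4096 2025-04-08 [E] [expires: 2027-04-08]

pub   rsa2048 2019-01-15 [SC]
      FEDCBA9876543210FEDCBA9876543210FEDCBA98
uid           [ unknown] Legacy Key <legacy@example.com>
sub   rsa2048 2019-01-15 [E]

pub   ed25519 2022-03-01 [SC] [expired: 2024-03-01]
      89ABCDEF0123456789ABCDEF0123456789ABCDEF
uid           [ unknown] Old Curve <old@example.com>
sub   cv25519 2022-03-01 [E] [expired: 2024-03-01]
"""

if __name__ == "__main__":
    for kid, findings in audit_listing(SAMPLE_LISTING, "2025-04-08").items():
        print(kid, "OK" if not findings else "; ".join(findings))
```

Run against your own keyring with `gpg --list-keys | python3 audit.py` after swapping the sample for sys.stdin.read(); the human-readable format is what the module shows, but for tooling you keep, `gpg --list-keys --with-colons` is the stable, machine-readable form and is the better long-term input.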
Exporting Your Keys
To share your public key with others or back up your keys, you'll need to export them.
Exporting Your Public Key
In Secure Mail Client, you can export your public key from the Key Management section. For command-line users:
# Replace KEY_ID with your actual key ID or email
gpg --armor --export KEY_ID > my_public_key.asc
This creates a file called my_public_key.asc containing your public key in a text format that can be easily shared.
Tip
You can share your public key via:
- Email attachment
- Uploading to a key server
- Publishing on your website or social media profiles
- Sharing through a QR code (supported by some applications)
Backing Up Your Private Key (Important!)
You should create a backup of your private key and store it in a secure location. If your device is lost or damaged, this backup will be essential for recovering your encrypted communications.
In Secure Mail Client, use the built-in backup feature. For command-line users:
# Replace KEY_ID with your actual key ID or email
gpg --armor --export-secret-keys KEY_ID > my_private_key.asc
Security Alert
Critical security warning:
Your exported private key file must be stored with extreme care. Anyone who obtains this file could potentially access your encrypted communications if they can guess or obtain your passphrase.
Consider storing the backup on an encrypted USB drive kept in a secure physical location, or using a secure password manager that you trust.
Creating a Revocation Certificate
A revocation certificate allows you to invalidate your key if it's ever compromised or lost. Think of it as an "emergency brake" for your key.
Secure Mail Client creates this automatically, and GnuPG 2.1 and later also writes one to the openpgp-revocs.d directory inside your GnuPG home directory when a key is generated. To create one explicitly from the command line:
# Replace KEY_ID with your actual key ID or email
gpg --output revocation-cert.asc --gen-revoke KEY_ID
Store this certificate in a secure but different location from your private key. If both are stored together and compromised, an attacker could both use your key and revoke it.
Next Steps
Congratulations! You've successfully created your PGP key pair, the foundation of your encrypted communication system. In the next module, we'll cover how to integrate your new keys with email clients and begin using them for secure communications.
Key Takeaways
- Use 4096-bit RSA keys for strong security
- Always set an expiration date for your keys
- Use a strong, memorable passphrase to protect your private key
- Export and securely back up both your public and private keys
- Create and store a revocation certificate for emergencies