GPG is software that is generally seen as difficult to use because it was used by typically tech-savvy people in the past. However, in recent years, especially when privacy concerns are on the rise, GPG has become an easy-to-use piece of software for computer users of all levels. It’s even easier now to create your own GPG key.
So what is a GPG key? How can you create one to encrypt your personal data?
What Is a GPG Key?
GPG is a free cryptographic tool. With GPG, you can perform operations such as encryption, signing, authentication, and creating a web of trust using asymmetric and symmetric tools. Today, GPG is available in many different places, from securing GNU/Linux package distributions to email encryption.
A Brief History of GPG
GPG started its software life as Pretty Good Privacy (PGP), written by Phil Zimmermann. PGP probably has one of the most inspiring stories in free software and freedom of knowledge.
The first version of PGP entered the world in 1991 when it was installed on Usenets, the widespread internet communication platform of the time. Various legal rules back then prohibited the import of software that worked with keys over 40 bits wide, so PGP was distributed by Zimmermann and some of his friends via payphones and acoustic replicators.
PGP was not free software, but Zimmermann didn’t charge fees for non-commercial use. He also distributed the source code of PGP with the software. This naturally caught the attention of the authorities, and Zimmermann was sued for violating military export law. The company that owns the license rights of the RSA algorithm used by PGP was also involved.
Zimmermann had an idea for the free use of PGP. Although the export of cryptographic tools was blocked by law, the freedom of opinion provision of the constitution protected the books published by individuals. In this context, Zimmermann published the entire source code of PGP through the MIT publishing house, along with an OCR-compatible font. In this way, the book was distributed under constitutional protection, and those who wished could scan the book and obtain PGP.
Later, PGP was developed as free software under the leadership of the Free Software Foundation, under the name GnuPG, per the OpenPGP standard.
How to Generate GPG Keys
To use GPG, you must first have a GPG key and store it safely. GPG key generation varies depending on the hardware and operating system you are using. If your threat model is not especially demanding, and you just want to encrypt your basic correspondence for your own privacy, you can quickly and relatively securely generate GPG keys on all your devices using the methods below.
Generating a GPG Key With Kleopatra for Computers
For GNU/Linux distributions, there is a GnuPG client with a nice graphic interface. In this respect, Kleopatra, the key manager of the KDE desktop environment, is particularly useful as it is both cross-platform and offers the widest management options.
Depending on the operating system you are using, you can install Kleopatra using the following commands:
For Debian/Ubuntu (APT):
sudo apt-get install kleopatra
For Red Hat/Fedora (RPM):
sudo yum install kleopatra
You can download the Gpg4win program for Microsoft Windows and install it on your system.
After the installation is complete, run Kleopatra as you wish.
Kleopatra has almost the same interface no matter which operating system you use. The screenshots below are from a Kleopatra installed on a Debian distribution; however, they should still be recognizable if you are using a different operating system.
When you open Kleopatra, you will see a screen like this:
To generate your first key, you can click on the File menu and use the New key pair option. Click Generate personal OpenPGP key pair from the drop-down menu and continue.
Kleopatra will ask you for your name and email address. You do not have to give accurate information here, but GnuPG is used to establish people’s identities. People who know you place their trust in this key, which lets you prove that the transactions you make with it belong to you. For this reason, you should use real information. In any case, nothing prevents you from changing this information as you wish.
Click on Advanced Settings and you will see some technical data about your key. The “Key Material” section has the type and size of the key you will use. It is important for the future of your key that you increase the RSA key size to the maximum 4096 bits. Also, if you are going to use SSH with your key, you can continue by checking the Authentication box. The validity period, on the other hand, ensures that your key becomes unusable after a certain date in case you lose it. When that date comes, you can renew your key again. It depends on your preference but two or three years is ideal.
Click OK after making the adjustments. When you return to the “Enter Details” page, click the Next button. When the “Review Parameters” page opens, click Create. Kleopatra will ask you for a password. This password is required to encrypt your key, and is responsible for the security of your entire key. That’s why you should use a strong and unpredictable password.
After entering your password, the process may take a few minutes depending on the capacity of your device and the source of randomness.
If you see the above screen, it means you have created your key. At this stage, you can take a backup of your key.
If you want to use your key for email correspondence, you can send it to key servers by clicking Upload Public Key to Directory Service. That way, you can ensure that anyone can send you encrypted emails.
However, there is a very important detail that you shouldn’t forget. The keys you upload to the key server will stay there forever. Do not send the key to the servers until you are sure that you will use your key or that you have what it takes to revoke it. If you do not have the secret key, password, or revocation certificate, the keys on the server remain valid until the expiration date.
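Before uploading, a finished key can be checked against the Advanced Settings choices described above (RSA 4096, a validity period, optional Authentication). The script below is an added example, not part of the original article or of GnuPG; it audits the machine-readable listing printed by gpg --list-keys --with-colons. The function name audit_key, the three-year threshold and the sample listings (constructed, with epoch-second timestamps) are assumptions of this example.

```shell
# Added example: audit `gpg --list-keys --with-colons` output.
# Usage: gpg --list-keys --with-colons KEY | audit_key [now_epoch]
# Prints one finding per line; returns non-zero if a primary key fails a check.
audit_key() {
    awk -F: -v now="${1:-$(date +%s)}" '
    $1 == "pub" {
        seen = 1
        # Field 3: key length, 4: algorithm id (1 = RSA), 6: creation time,
        # 7: expiry time (empty = never), 12: capabilities (a/A = authentication).
        if ($4 + 0 != 1) {
            print "NOTE key " $5 " is not RSA (algorithm " $4 "), size check skipped"
        } else if ($3 + 0 < 4096) {
            print "FAIL key " $5 " is RSA " $3 ", article recommends 4096"; bad = 1
        } else {
            print "OK   key " $5 " is RSA " $3
        }
        if ($7 == "") {
            print "FAIL no expiry date, a lost key would stay valid forever"; bad = 1
        } else if ($7 + 0 <= now + 0) {
            print "FAIL key has already expired"; bad = 1
        } else {
            days = int(($7 - $6) / 86400)
            tag = (days > 3 * 366) ? "NOTE" : "OK  "
            print tag " validity period is " days " days"
        }
        if ($12 ~ /[aA]/) {
            print "OK   authentication capability present (usable for SSH)"
        } else {
            print "NOTE no authentication capability (only needed for SSH)"
        }
    }
    END {
        if (!seen) { print "FAIL no primary key (pub) record in input"; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample listings (not real keys): a 4096-bit key valid two years,
# and a 2048-bit key with no expiry date.
SAMPLE_GOOD='pub:u:4096:1:AAAAAAAAAAAAAAAA:1700000000:1763072000::u:::scaESCA::::::23::0:
uid:u::::1700000000::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1700000000:1763072000:::::e::::::23:'
SAMPLE_WEAK='pub:u:2048:1:CCCCCCCCCCCCCCCC:1700000000:::u:::scESC::::::23::0:
uid:u::::1700000000::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:'

printf '%s\n' "$SAMPLE_GOOD" | audit_key 1710000000
printf '%s\n' "$SAMPLE_WEAK" | audit_key 1710000000 || echo "=> weak sample failed the audit"
```

On a real system, pipe the listing for your own key into audit_key and omit the timestamp argument so the current time is used.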
How to Generate a GPG Key for Android Devices
It is much easier to use GnuPG on Android operating systems. You can use the free software OpenKeychain for this. With this application, you can easily perform GnuPG operations and provide key management.
First of all, download the OpenKeychain software for the Android mobile operating system and install it on your phone. OpenKeychain will give you some options for key usage. From here, proceed by selecting the Create My Key option.
OpenKeychain will ask you for your name or username. You don’t have to give your real name here. However, you may want to provide real information to prove that the transactions you will make with the key you create belong to you. Regardless, you can change this information later.
In the next step, OpenKeychain will ask you to enter your email address. You can add or remove new addresses later if needed.
Before generating your key, there is an option to Publish on keyservers at the stage where your name and email are displayed. If you are going to use your key for email correspondence, you can continue by ticking this option.
But remember, the keys you upload to the keyserver will stay on the servers forever. So unless you have the secret key, password, or a revocation certificate to use to revoke your key, the keys on the server will remain valid until the expiration date.
Now you can start creating your key by clicking the Create Key button. After your device has done the necessary operations, you will see your key on the main page of OpenKeychain.
Why Should I Generate My Own GnuPG Key?
Your conversations about your job, emails with banks, money transfers, or the secret codes of the project you are working on are not safe. However, with methods such as GnuPG, it is possible to protect all these in the best way you can. You can encrypt as many files as you want with the GnuPG key you have created.