PGP/GPG Key Generation

Demo Only

PGP keys should always be generated locally using GPG. This page provides guidance for secure key generation and management.

Never generate PGP keys online

PGP private keys contain your cryptographic identity and must be generated on your local machine. A compromised private key allows attackers to decrypt your messages and forge your digital signature.

Use GnuPG (GPG) on your local system to generate keys securely.

Install GPG

macOS (Homebrew)

$ brew install gnupg

Debian/Ubuntu

$ sudo apt install gnupg

Fedora/RHEL

$ sudo dnf install gnupg2

Generate a Key Pair

Interactive key generation (recommended)

$ gpg --full-generate-key

Quick Ed25519 key generation (the cert usage creates a certify-only primary key; add signing and encryption subkeys afterwards with gpg --quick-add-key)

$ gpg --quick-generate-key 'Your Name <you@example.com>' ed25519 cert

Quick RSA 4096-bit key (certify-only primary key, as above)

$ gpg --quick-generate-key 'Your Name <you@example.com>' rsa4096 cert

Key type recommendations

  • Ed25519/Curve25519: Modern, fast, and secure. Best for new keys.
  • RSA 4096: Widely compatible. Use for maximum interoperability.
  • Key expiration: set it to 1-2 years; the date can be extended later without changing the key.

View & Export Keys

List all public keys

$ gpg --list-keys

List your private keys

$ gpg --list-secret-keys

Export public key (ASCII)

$ gpg --armor --export you@example.com

Export public key to file

$ gpg --armor --export you@example.com > publickey.asc

Backup private key (keep secure!)

$ gpg --armor --export-secret-keys you@example.com > privatekey.asc

Example Public Key

Your exported public key will look similar to this:

publickey.asc (example)
-----BEGIN PGP PUBLIC KEY BLOCK-----

mDMEZQxxxxxBCADxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxzQ
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
=xxxx
-----END PGP PUBLIC KEY BLOCK-----
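
The block above is ASCII armor (RFC 4880 section 6): base64 packet data followed by a "=xxxx" line carrying a CRC24 checksum of the decoded bytes. The added example below (not part of this page or of GnuPG) parses such a block, verifies the checksum, and reads the leading packet tag so you can confirm that a file you are about to upload or paste is an intact public key rather than the privatekey.asc backup; the sample payloads are constructed stand-ins, not real keys.

```python
import base64

# Constructed sample payloads (NOT real keys): only the leading packet header byte matters.
# 0x98 = old-format packet tag 6 (public key), 0x94 = old-format tag 5 (secret key).
SAMPLE_PUBLIC = bytes([0x98, 0x05, 0x04]) + b"\x00" * 5
SAMPLE_SECRET = bytes([0x94, 0x05, 0x04]) + b"\x00" * 5

def crc24(data: bytes) -> int:
    """Radix-64 checksum from RFC 4880 section 6.1: init 0xB704CE, poly 0x1864CFB."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(payload: bytes, kind: str = "PUBLIC KEY BLOCK") -> str:
    """Wrap packet bytes the way gpg --armor does: 76-column base64 plus a =CRC24 tail."""
    b64 = base64.b64encode(payload).decode()
    body = [b64[i:i + 76] for i in range(0, len(b64), 76)]
    tail = "=" + base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN PGP {kind}-----", ""] + body + [tail, f"-----END PGP {kind}-----"])

def dearmor(text: str) -> tuple[str, int, bytes]:
    """Return (armor kind, leading packet tag, payload); raise ValueError if corrupt."""
    lines = text.strip().splitlines()
    kind = lines[0].removeprefix("-----BEGIN PGP ").removesuffix("-----")
    if lines[0] != f"-----BEGIN PGP {kind}-----" or lines[-1] != f"-----END PGP {kind}-----":
        raise ValueError("missing or mismatched armor header/footer")
    body = lines[1:-1]
    if "" in body:  # optional Armor Headers (Version:, Comment:) end at the blank line
        body = body[body.index("") + 1:]
    if not body or not body[-1].startswith("="):
        raise ValueError("missing =CRC24 line")
    payload = base64.b64decode("".join(body[:-1]), validate=True)
    if crc24(payload) != int.from_bytes(base64.b64decode(body[-1][1:]), "big"):
        raise ValueError("CRC24 mismatch: block was truncated or altered")
    if not payload or not payload[0] & 0x80:
        raise ValueError("payload does not start with an OpenPGP packet")
    tag = payload[0] & 0x3F if payload[0] & 0x40 else (payload[0] >> 2) & 0x0F  # new vs old format
    return kind, tag, payload

def safe_to_publish(text: str) -> bool:
    """True only for an intact PUBLIC KEY BLOCK whose first packet is a public key (tag 6)."""
    try:
        kind, tag, _ = dearmor(text)
    except ValueError:
        return False
    return kind == "PUBLIC KEY BLOCK" and tag == 6
```

Run safe_to_publish() over the contents of publickey.asc before uploading it; a block that fails the checksum or starts with a secret-key packet (tag 5) returns False.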

Publish to Key Server

Upload to default key server

$ gpg --send-keys YOUR_KEY_ID

Upload to keys.openpgp.org

$ gpg --keyserver hkps://keys.openpgp.org --send-keys YOUR_KEY_ID

Configure Git Signing

Find your key ID

$ gpg --list-secret-keys --keyid-format=long

Set signing key

$ git config --global user.signingkey YOUR_KEY_ID

Enable automatic signing

$ git config --global commit.gpgsign true

~/.gitconfig
[user]
    name = Your Name
    email = you@example.com
    signingkey = YOUR_KEY_ID

[commit]
    gpgsign = true

[gpg]
    program = gpg

PGP key best practices

  • Always use a strong passphrase for your private key
  • Create a secure backup of your private key and revocation certificate
  • Set a reasonable expiration date (1-2 years) and extend as needed
  • Use subkeys for everyday tasks; keep your primary key offline
  • Create a revocation certificate immediately after key generation
  • Consider using a hardware security key (YubiKey, etc.) for enhanced security