Generate your private key
Open up Terminal on Tails and type
sudo gpg2 --gen-key.
sudohere, as we need to use
sudoto interact with the
OpenPGP Smart Cardand the gpg keyring is seperate for
[email protected]:/~$ sudo gpg2 --gen-key
Tails will lecture you about using
sudo. Read it and understand here be dragons.
We trust you have received the usual lecture from the local System Administrator. It usually boils down to these three things: #1) Respect the privacy of others. #2) Think before you type. #3) With great power comes great responsibility.
Enter in the
root password you set when you configured the pre-launch wizard for Tails
(you'll need this password quite a lot).
[sudo] password for amnesia: gpg (GnuPG) 2.0.25; Copyright (C) 2013 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. gpg: keyring `/root/.gnupg/pubring.gpg' created
Your new keyring has just been created (this is where PGP stores it's keys). Now we need
to choose what type of key we are generating.
Because this is going to be a long term offline
private key, and we are going to use
subkeys for day to day use, we want to select `4 RSA (sign only).
Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) Your selection? 4
Now you get to choose the length of you're
private key, you need to select at least
If for some reason I haven't updated this and the accepted wisdom is to use higher than 4096, do that. The only cost of using a larger key is it takes a bit longer to use. However smaller keys are almost exponentially quicker to brute force. So as computing power increase we increase our key sizes to ensure they cannot be brute forced.
RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) 4096 Requested keysize is 4096 bits
Next up how long should this key last for?
Well ideally it's your long term offline
private key, so it should never expire. If you remain a good steward of this
key, you should be able to use it for the extent of your natural life.
Set this to
0 so it does not expire, and then type
y at the next prompt to confirm your choice.
Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) 0 Key does not expire at all Is this correct? (y/N) y
Now we get to add the
user ID to your key. This is the primary way other than the
fingerprint that your key can be
identified, it's commonly used when searching for a key. Set this to your primary email. If this is a personal key, use a
personal email. First though enter your full name.
If you need to ensure this key cannot be connected to you, make sure you never enter any identifiable information here, and make something up.
GnuPG needs to construct a user ID to identify your key. Real name: Owen Kelly Email address: [email protected] Comment: You selected this USER-ID: "Owen Kelly <[email protected]>"
Then type the letter
O to confirm is the above is correct, or you can change the information if you entered it wrong.
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
diceware passphrase you created?
You'll see a popup outside of terminal. Enter your
diceware passphrase here. This encrypts your private key with your
diceware passphrase. You will need to enter this passphrase everytime you need to decrypt the private key
to perform an operation (that is, sign something).
You need a Passphrase to protect your secret key.
Now we're about to actually start generating the key. As the message says, the computer needs to capture as much entropy as possible. Think of it as similar to randomness, it's what makes the key less predictable. A predictable key is a crackable key.
Basically, move your mouse and type on the keyboard (don't hit
ctrl-c though you'll cancel the key generation).
We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. gpg: key 2F95015B marked as ultimately trusted public and secret key created and signed.
The key has been generated!
gpg will automatically trust the key, and report back information about the key.
This information is public, thus okay to share. The key you see below is my actual keypair.
gpg: checking the trustdb gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u pub 4096R/2F95015B 2016-01-19 Key fingerprint = 24E7 19D9 E009 27E9 C5CF 1423 A002 84BB 2F95 015B uid [ultimate] Owen Kelly <[email protected]> Note that this key cannot be used for encryption. You may want to use the command "--edit-key" to generate a subkey for this purpose.
Not the last message above, that the key cannot be used for encryption. This is because we chose only to allow our
private key to sign other keys. This is the perfect model for using subkeys.
Take note of the line
pub 4096R/2F95015B 2016-01-19.
pub refers to this being your
4096R/ is your key's
fingerprint. In this example my
fingerprint for my
public key is
Note this down or remember it. It's public information (so no need to keep it secret) and it serves as a quick ID for
the key. You'll need to use it a bit when working with this key.