How to Generate and Use PGP Keys
In this article you will learn what a PGP key pair is, how to generate one, and how to copy and paste your PGP public key into a social media profile. Satoshi Nakamoto has one, Gavin Andresen has one (as do most bitcoin developers), and even Star Trek’s Wil Wheaton has one. Why? Signing a message with a PGP key prevents impostors from pretending they are you, and when someone sends a message encrypted with your PGP key, only you can read it.
A Quick Background on PGP
PGP stands for “Pretty Good Privacy” and is a method of encrypting and verifying digital information such as emails, text messages, and other documents. For instance, most darknet markets require that their members provide a PGP public key upon registration of their account in case sensitive messages need to be sent from one member to another. Encrypting such a message involves the sender using the public key of the recipient to encrypt the message. The recipient then uses their private key to decrypt the message.
Thus, there are 2 keys generated during the PGP key creation process: public and private. The public key is the one you will want to share with others (thus the name “public key”). There are several different ways to generate PGP key pairs; in this article we will be using a program called Gpg4win, which includes the Kleopatra certificate manager.
Step-by-Step Instructions for Generating Your Own PGP Keys
1. First, visit the Gpg4win website to begin downloading the program.
While downloading gpg4win is free, you will be presented with a few different donation options to donate money or bitcoin to the developer. If you wish to bypass the donation process, simply click the big blue “$0” as a donation amount option to make the blue “Download” button appear beneath the donation text. Click it to begin downloading the program.
2. After gpg4win has finished downloading, double click it to begin the installation process. After the installer opens, click “Next” to continue. You will be presented with a list of components to be installed. Note that the “GPA” option is unchecked by default. Check this option before clicking “Next” to proceed (the “Browser integration” option is not necessary to install).
3. The next screen will then ask you where you want the program to be installed. By default, the directory path should say C:\Program Files\Gpg4win. Install the program in the default Program Files folder option.
4. After the installation has finished, click “Next,” and then “Finish” with the “Run Kleopatra” box checked (it is checked by default). You will now be presented with the main screen of the Kleopatra program. From here, click the big “New Key Pair” box in the middle of the screen to generate your PGP keys.
5. You are then brought to the Key Pair Creation Wizard screen. Though the word “(optional)” is written next to both Name and Email fields, you will need to provide at least 5 characters in the Name field in order to generate a PGP key pair that can be connected to your online identity. For the purposes of creating PGP keys for online accounts, you do not need to use the same name as your accounts, but you can if you wish.
Note that a key pair is only valid for 2 years under the default option. You can increase or decrease the length of time for which your keys are valid by clicking on the “Advanced Settings” button and adjusting the Valid until field (uncheck the box next to the field if you want your keys to never expire). You do not need to adjust the other settings when creating PGP keys for basic purposes. After you have entered your PGP account name, press “Next” and then “Create” to generate your key pair.
6. You will then be asked to create a pass phrase of at least 10 letters to secure your keys. Be sure to create a pass phrase you won’t forget. Write it down somewhere in case you need to access it later. Without it, you will not be able to sign and decrypt future messages. After doing this and entering in the same pass phrase twice, click “OK” to continue.
7. After the key pair has been successfully created, press “Make a Backup Of Your Key Pair” under the words Next Steps.
Save the file in a folder where you will remember where it is (the file name is a long string of characters; this is your key’s “PGP fingerprint”). After the file has been saved, you will be brought back to the Key Pair Creation Wizard; press “Finish.”
8. You will then be brought back to the Kleopatra home screen which displays your newly created key pair name. To access your public key (the one you will be posting into your account or sharing with others), right-click the field with the key pair name and press “Details” at the bottom of the menu.
9. Next, press the “Export” button. This will bring up the contents of your public key.
10. Click anywhere in the box of text, select all (ctrl+a) and copy (ctrl+c) the entire contents. This is your PGP public key, and what you will be pasting for online verification purposes. Paste (ctrl+v) it into a text document and save it in a place where you will remember where it is.
That’s it. You’ve now created your own PGP public key.
Posting your Public PGP Key On the Internet
When you are ready, you can copy and paste your entire public key into the corresponding field on your social media (or other) account. It usually looks like this:
It is important to remember that your public key will always start with the words:
-----BEGIN PGP PUBLIC KEY BLOCK-----
And end with the words:
-----END PGP PUBLIC KEY BLOCK-----
It will basically look like this when correctly filled:
After entering your public key, scroll down to the bottom of the screen and save your changes. Your PGP public key is now saved as part of your account profile and will be visible to the public.
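As an added example (not code from the original article or from Gpg4win), here is a small Python check that a pasted public key block is intact before you post it: it parses the ASCII armor described above, verifies the CRC-24 line that closes every armored block, and confirms the first packet inside is an OpenPGP public-key packet. The sample packet is constructed for the demonstration and is not a real key.

```python
import base64
import re

def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 6.1: catches a mangled paste, not deliberate tampering."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(label: str, data: bytes) -> str:
    """Wrap raw OpenPGP packets in ASCII armor under the given BEGIN/END label."""
    body = base64.b64encode(data).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN {label}-----", "", *lines, "=" + crc, f"-----END {label}-----"]) + "\n"

def dearmor(text: str) -> tuple[str, bytes]:
    """Strip ASCII armor, verify the CRC-24 line, return (label, raw packet bytes)."""
    lines = text.strip().splitlines()
    m = re.fullmatch(r"-----BEGIN (PGP [A-Z ]+)-----", lines[0]) if lines else None
    if not m or lines[-1] != f"-----END {m.group(1)}-----":
        raise ValueError("missing or mismatched -----BEGIN/END----- lines")
    body = lines[1:-1]
    if "" in body:  # optional armor headers (Version:, Comment:) end at a blank line
        body = body[body.index("") + 1:]
    if not body or not body[-1].startswith("="):
        raise ValueError("missing =CRC line")
    data = base64.b64decode("".join(body[:-1]), validate=True)
    if crc24(data) != int.from_bytes(base64.b64decode(body[-1][1:]), "big"):
        raise ValueError("CRC-24 mismatch: the block was altered or truncated")
    return m.group(1), data

def check_public_key_block(text: str) -> bool:
    """True if text is an intact armored block whose first packet is a public key."""
    label, data = dearmor(text)
    first = data[0] if data else 0
    tag = first & 0x3F if first & 0x40 else (first >> 2) & 0x0F  # RFC 4880 4.2 packet tag
    if label != "PGP PUBLIC KEY BLOCK" or not first & 0x80 or tag != 6:
        raise ValueError("not an armored OpenPGP public-key block")
    return True

# Constructed sample: old-format tag-6 header byte (0x98), one-octet length 8, and a
# fake body (version 4, creation time, algorithm 1 = RSA). Not a usable key.
SAMPLE_PACKET = bytes([0x98, 8, 0x04, 0x5F, 0, 0, 0, 0x01, 0, 0x01])
SAMPLE_BLOCK = armor("PGP PUBLIC KEY BLOCK", SAMPLE_PACKET)
```

Note that the CRC only detects accidental damage (a dropped line, typographic dashes substituted for the five hyphens); it says nothing about who the key belongs to, which is what the fingerprint comparison is for.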
How to Sign Text Using your PGP Keys
Thanks to Kleopatra, the process is actually quite simple. In order to sign text using your PGP private key, simply copy the text you wish to sign to your clipboard. Then, under the Tools menu, go down to the Clipboard option, and select OpenPGP-Sign.
Make sure you are signing with the correct certificate (account), click “OK” and then “Next.”
A message will appear that says “Signing succeeded.” Your signed text will now be available in your clipboard. It will look something like this, with the original text message in the top portion and the signature block underneath:
Now, others who have your PGP public key will be able to verify that your message indeed came from you, and not an impostor. You can also import the public keys of others into Kleopatra as text files and verify their signatures using the Decrypt/Verify option in the File portion of the program menu. The easiest way to do this is to drag and drop the text file containing the public key into Kleopatra and select the Import Certificates option. Then drag and drop the message to be verified belonging to the PGP public key you just imported, select Decrypt/Verify, and voilà, the message is verified.