Howto setup your GnuPG (GPG) keys

I wanted to set up a working GPG configuration to be able to send encyrpted and/or signed emails.

What I did

If you don't have any keys yet then you have to generate a new one. This needs some random data so take your time (took about 8 minutes on my netbook which lets me think that it really waits for some random data from different sources).
Open a terminal and type:
gpg --gen-key


You will be asked for your identity (name and email address you want to use). You may add more identities later, but note that all identities you associate with this key will always be associated with it. Revoking identities does not remove them, it only invalidates them.


Now check your new key:
gpg --list-keys

Your key will have a short ID, let's assume its ABCD1234 in this example, and your name is Trent Reznor. Let's make some backup files now by exporting your keys to some text files. I don't need to say that you have to handle your private keys and your revocation certificates with care!
If you want to use your keys for your lifetime time it's a good idea to print them on paper and store them in a safe location. Do NOT share your private key nor your revocation certificate.


# To add more identities/mail addresses
gpg --edit-key 
> adduid

# This is the file you want to share with others!
gpg --output pubkey_ABCD1234.Trent.Reznor.ascii --armor --export ABCD1234


# Now create a revocation certificate.
# The purpose of the revocation certificate is to have a safe key that allows
# yout to invalidate keys you once uploaded to any key server.
gpg --output revocation_cert_ABCD1234.Trent.Reznor.ascii --gen-revoke ABCD1234

gpg --output privkey_ABCD1234.Trent.Reznor.ascii --armor --export-secret-keys ABCD1234




Now publish your new key to a key server.
heise.de recommended pool.sks-keyservers.net, which seems to be a distributed service.
# Send key to a public server, in this case
gpg --keyserver pool.sks-keyservers.net --send-key 0xABCD1234


If you made some mistakes just remove your identities and run an update.



This happened to me: I had my 'primary identity' and added some email addresses of my 'secondary identity'. I uploaded my key to a key server and now my identities (I wanted to separate) will _always_ be associated with each other :(
Revoking my keys will not remove this part of information. It will only be invalidated but still visible to everyone (and marked as revoked). So carefully choose the identities you want to use with your key. If unsure create more keys for other identities.

To make changes:
# To remove Identities from the key
# Note that your keys change then!
gpg --edit-key 
> revuid

# Then update your certs by revoking them (use your revocation certificate)
gpg --import revocation_cert_ABCD1234.ascii 

# And update the modified keys on the server
gpg --keyserver pool.sks-keyservers.net --refresh-keys ABCD1234
# OR
gpg --keyserver pool.sks-keyservers.net --send-keys 0xABCD1234



Use your keys to encrypt and/or sign emails

# Now install enigmail
sudo apt-get install enigmail


# Enigmail: attach public key
#           sign public key (don't forget to check fingerprint!)
# (to display fingerprint:)
gpg --fingerprint 



Edit 2016-02-18

Export public key as ASCII text file:
  gpg -a --output <filename/rsa_pub.ascii> --export ABCD1234
Export public key as binary text file:
  gpg --output <filename/rsa_pub> --export ABCD1234

Export private key as ASCII text file (do NOT share):
  gpg -a --export-secret-keys ABCD1234 > <filename/rsa.ascii>
Export private key as binary text file (do NOT share):
  gpg --export-secret-keys ABCD1234 > <filename/rsa>