
How to Generate a GPG Key Pair

DodaTech

In this tutorial, you'll learn how to generate a GPG key pair. We cover key concepts, practical examples, and best practices.

The Problem

You need a GPG key pair to sign Git commits, encrypt files, or verify identities. Without a key, you cannot use GPG-based authentication or encryption.

Quick Fix

Step 1: Install GPG if missing

gpg --version

If not found:

sudo apt update && sudo apt install gnupg -y

Step 2: Generate a new key pair

gpg --full-generate-key

This starts an interactive wizard. Choose:

  1. Key type: 1 (RSA and RSA, default).
  2. Key size: 4096.
  3. Expiration: 0 (no expiry) or a specific duration.
  4. Real name: Your full name.
  5. Email address: The email tied to your GitHub/GitLab account.
  6. Comment: Optional (e.g., "Signing key").
  7. Passphrase: A strong passphrase to protect the private key.

Step 3: Generate non-interactively

gpg --batch --generate-key <<EOF
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: Your Name
Name-Email: you@example.com
Expire-Date: 0
Passphrase: your-passphrase
EOF

This is useful for automation or CI pipelines.

Step 4: List your keys

gpg --list-secret-keys --keyid-format=long

Expected:

sec   rsa4096/ABC123DEF456 2024-06-24 [SC]
      XXXX...XXXX
uid                 [ultimate] Your Name <you@example.com>
ssb   rsa4096/789GHI012JKL 2024-06-24 [E]

ABC123DEF456 is your key ID. Copy it for the next step.

Step 5: Export the public key

gpg --armor --export ABC123DEF456

Expected:

-----BEGIN PGP PUBLIC KEY BLOCK----- ... -----END PGP PUBLIC KEY BLOCK-----


Step 6: Export the private key (backup)

gpg --armor --export-secret-keys ABC123DEF456 > private-key.asc

Store this file in a secure, offline location. Without it, the key cannot be recovered.

Step 7: Share your public key

Add it to GitHub under Settings > SSH and GPG keys > New GPG key.

Step 8: Configure Git to use the key

git config --global user.signingkey ABC123DEF456
git config --global commit.gpgsign true

Now every commit is signed automatically.
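Steps 3 to 8 as one unattended script, added here as an example (it is not code from the DodaTech post). It assumes GnuPG 2.1 or later, runs entirely inside a throwaway GNUPGHOME so your real keyring is untouched, and uses constructed name, e-mail and passphrase values. The key ID is read from the machine-readable `--with-colons` listing instead of being copied by eye from the Step 4 output, which is what a CI pipeline needs, and the new key is exercised once (sign and verify a file) before anything is exported.

```shell
#!/bin/sh
# Added example (not code from the original DodaTech post): Steps 3 to 8 as one
# unattended script that runs against a throwaway GNUPGHOME, so nothing touches
# your real keyring. Assumes GnuPG 2.1+ (colon listings, loopback pinentry).
# Name, e-mail and passphrase below are constructed sample values.
set -eu

# Step 4, machine-readable: take the long key ID (field 5) of the first 'sec'
# record from `gpg --list-secret-keys --with-colons` instead of copying it by eye.
extract_long_keyid() {
    awk -F: '$1 == "sec" { print $5; exit }'
}

# Constructed sample of the colon listing (key IDs and fingerprint are made up).
SAMPLE_COLONS='sec:u:4096:1:ABC123DEF4567890:1719187200:0:::::scESC:::+:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1719187200::0123456789ABCDEF0123456789ABCDEF01234567::Your Name <you@example.com>::::::::::0:
ssb:u:4096:1:1122334455667788:1719187200:0:::::e:::+:::23:'

# Remove the throwaway keyring; stop the agent that gpg started for it first.
discard_keyring() {
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
    unset GNUPGHOME
}

# Steps 3 and 5 plus a signing smoke test: generate a passphrase-protected
# RSA 4096 key pair in batch mode, export the armored public key, then sign and
# verify a file without any interactive prompt (the way a CI job has to).
# Prints the long key ID on success, returns 1 on any failure.
generate_and_verify() {
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    DEMO_PASS='correct-horse-battery-staple'   # constructed; never hard-code a real one

    gpg --batch --quiet --generate-key <<EOF || { discard_keyring; return 1; }
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: Demo Signer
Name-Email: demo@example.invalid
Expire-Date: 1y
Passphrase: $DEMO_PASS
%commit
EOF

    KEYID=$(gpg --list-secret-keys --with-colons | extract_long_keyid)
    [ -n "$KEYID" ] || { discard_keyring; return 1; }

    # Step 5: the ASCII-armored public key you paste into GitHub/GitLab.
    gpg --armor --export "$KEYID" > "$GNUPGHOME/public-key.asc"
    grep -q 'BEGIN PGP PUBLIC KEY BLOCK' "$GNUPGHOME/public-key.asc" || { discard_keyring; return 1; }

    # Sign a file with the new key and check that the signature verifies.
    printf 'release artifact\n' > "$GNUPGHOME/artifact.txt"
    gpg --batch --yes --pinentry-mode loopback --passphrase "$DEMO_PASS" \
        --local-user "$KEYID" --detach-sign "$GNUPGHOME/artifact.txt" || { discard_keyring; return 1; }
    gpg --batch --verify "$GNUPGHOME/artifact.txt.sig" "$GNUPGHOME/artifact.txt" 2>/dev/null \
        || { discard_keyring; return 1; }

    discard_keyring
    printf '%s\n' "$KEYID"
}

# Usage: parse the constructed listing, then run the live demo if gpg is installed.
printf '%s\n' "$SAMPLE_COLONS" | extract_long_keyid
if command -v gpg >/dev/null 2>&1; then
    if KEYID=$(generate_and_verify); then
        echo "Step 8 would be: git config --global user.signingkey $KEYID"
    else
        echo "live demo skipped: gpg reported an error" >&2
    fi
fi
```

In a real pipeline, feed the passphrase from a secret store (an environment variable or a file passed with `--passphrase-file`) rather than writing it into the script as the Step 3 heredoc does, and keep `--global` out of shared runners: a per-repository `git config user.signingkey` limits the blast radius of a misconfigured signing key.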

Alternative Solutions

Generate a key of a different type (Ed25519). gpg has no --key-type option; use --quick-generate-key, or run gpg --full-generate-key --expert and choose ECC with Curve 25519:

gpg --quick-generate-key 'Your Name <you@example.com>' ed25519 sign

Ed25519 is faster than RSA and produces smaller signatures.

Common Errors

gpg: no valid OpenPGP data found: The gpg-agent is not running. Start it with gpg-agent --daemon or restart with gpgconf --kill gpg-agent && gpgconf --launch gpg-agent.

Insufficient entropy: Key generation can hang waiting for random bytes. Install rng-tools on a headless server: sudo apt install rng-tools && sudo systemctl restart rng-tools.

Key expiry date passed: If your key expired, extend it: gpg --edit-key KEYID then run expire and set a new date.

Passphrase forgotten: If you lose the passphrase, the key is unrecoverable unless you created a revocation certificate. Always create one with gpg --gen-revoke KEYID.

Prevention

  • Back up the private key and revocation certificate immediately after generation.
  • Use a strong, memorizable passphrase — store it in a password manager.
  • Set an expiry date on keys used in production environments.
  • Revoke compromised keys immediately with gpg --gen-revoke.
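A small key-health check, added as an example that is not part of the original post, for the expiry and revocation points above. It assumes GnuPG 2.1 or later: colon listings with the validity letter in field 2 and epoch-second dates in fields 6 and 7, an fpr record after each key, and the revocation certificate that GnuPG writes automatically to openpgp-revocs.d/<FINGERPRINT>.rev when a key is generated. Every key ID, fingerprint and date in it is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): a key-health check for the expiry
# and revocation points above. Assumes GnuPG 2.1+ colon listings: validity letter
# in field 2, epoch-second dates in fields 6/7, 'fpr' records present, and the
# automatic revocation certificate at $GNUPGHOME/openpgp-revocs.d/<FPR>.rev.
# All key IDs, fingerprints and dates below are constructed.
set -eu

# Constructed `gpg --list-secret-keys --with-colons` output: a key expiring in
# the future, an already expired one (validity 'e'), and one with no expiry.
SAMPLE_KEYS='sec:u:4096:1:ABC123DEF4567890:1719187200:1750723200:::::scESC:::+:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
ssb:u:4096:1:1122334455667788:1719187200:1750723200:::::e:::+:::23:
sec:e:4096:1:FEDCBA9876543210:1600000000:1650000000:::::scESC:::+:::23::0:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
sec:u:4096:1:0011223344556677:1719187200::::::scESC:::+:::23::0:
fpr:::::::::00112233445566770011223344556677AABBCCDD:'

# For every primary key ('sec' or 'pub' record) print "<keyid> <status>", where
# status is revoked, expired, no-expiry or expires-in-<N>d. $1 = "now" as epoch
# seconds, passed in so the result is reproducible.
key_status() {
    awk -F: -v now="$1" '
        $1 == "sec" || $1 == "pub" {
            id = $5; validity = $2; expiry = $7
            if (validity == "r")               status = "revoked"
            else if (validity == "e")          status = "expired"
            else if (expiry == "")             status = "no-expiry"
            else if (expiry + 0 <= now + 0)    status = "expired"
            else status = "expires-in-" int((expiry - now) / 86400) "d"
            print id, status
        }'
}

# Fingerprint of the key with long ID $1: the 'fpr' record that follows its
# 'sec'/'pub' record carries it in field 10.
fingerprint_of() {
    awk -F: -v id="$1" '
        $1 == "sec" || $1 == "pub" { want = ($5 == id) }
        $1 == "fpr" && want       { print $10; exit }'
}

# GnuPG 2.1+ writes a revocation certificate for every newly generated key to
# openpgp-revocs.d/<FINGERPRINT>.rev. Returns 0 if that file exists for $1.
has_revocation_cert() {
    [ -f "${GNUPGHOME:-${HOME:-}/.gnupg}/openpgp-revocs.d/$1.rev" ]
}

# Usage: report on the constructed listing as of a fixed date (2024-07-03 UTC).
printf '%s\n' "$SAMPLE_KEYS" | key_status 1720000000
FPR=$(printf '%s\n' "$SAMPLE_KEYS" | fingerprint_of ABC123DEF4567890)
if has_revocation_cert "$FPR"; then
    echo "revocation certificate present for $FPR"
else
    echo "no stored revocation certificate for $FPR (expected for this constructed key)"
fi
```

Run `gpg --list-secret-keys --with-colons | key_status "$(date +%s)"` against a real keyring to get the same report; anything reported as `expired` is what the "Key expiry date passed" error above refers to. The `.rev` file that has_revocation_cert looks for is the one to copy offline alongside the Step 6 backup, since it lets you revoke the key even after the passphrase is gone.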
