How to Generate a GPG Key Pair
In this tutorial, you'll learn how to generate a GPG key pair, back it up, publish the public half, and use it to sign Git commits, along with the errors you are most likely to hit on the way.
The Problem
You need a GPG key pair to sign Git commits, encrypt files, or verify identities. Without a key, you cannot use GPG-based authentication or encryption.
Quick Fix
Step 1: Install GPG if missing
gpg --version
If not found:
sudo apt update && sudo apt install gnupg -y
Step 2: Generate a new key pair
gpg --full-generate-key
This starts an interactive wizard. Choose:
- Key type: 1 (RSA and RSA, default).
- Key size: 4096.
- Expiration: 0 (no expiry) or a specific duration. One to two years is the safer choice; an expiry can be extended later, so it costs little.
- Real name: Your full name.
- Email address: The email tied to your GitHub/GitLab account.
- Comment: Optional (e.g., "Signing key").
- Passphrase: A strong passphrase to protect the private key.
Step 3: Generate non-interactively
gpg --batch --generate-key <<EOF
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: Your Name
Name-Email: you@example.com
Expire-Date: 0
Passphrase: your-passphrase
%commit
EOF
This is useful for automation or CI pipelines. The passphrase sits in clear text in the parameter block, so feed it from a secret store at run time rather than committing the block to a repository. For a short-lived CI key you can replace the Passphrase line with %no-protection, which creates the key without a passphrase; keep such keys out of personal use.
Step 4: List your keys
gpg --list-secret-keys --keyid-format=long
Expected:
sec rsa4096/ABC123DEF456 2024-06-24 [SC]
XXXX...XXXX
uid [ultimate] Your Name <you@example.com>
ssb rsa4096/789GHI012JKL 2024-06-24 [E]
ABC123DEF456 stands for the long key ID of the primary key and XXXX...XXXX for its 40-digit fingerprint. [SC] means the primary key can sign and certify; the ssb line is the encryption subkey ([E]). Copy the key ID (or, better, the full fingerprint) for the next step.
Step 5: Export the public key
gpg --armor --export ABC123DEF456
Expected:
-----BEGIN PGP PUBLIC KEY BLOCK----- ... -----END PGP PUBLIC KEY BLOCK-----
Step 6: Export the private key (backup)
gpg --armor --export-secret-keys ABC123DEF456 > private-key.asc
GPG asks for the passphrase before exporting, and the exported file stays protected by it; treat it as secret all the same. Store it in a secure, offline location. Without a backup, a lost key cannot be recovered.
Step 7: Share your public key
Paste the public key block into GitHub under Settings > SSH and GPG keys > New GPG key. The email in the key's user ID must be one of the verified emails on your account, otherwise signed commits show as unverified.
Step 8: Configure Git to use the key
git config --global user.signingkey ABC123DEF456
git config --global commit.gpgsign true
Now every commit is signed automatically; gpg-agent prompts for the passphrase on the first signature and caches it for a while. Check the result with git log --show-signature -1.
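As an added example, not code from the original page: Steps 3 to 6 above run end to end without a prompt in a throwaway keyring, with a signature check and a revocation on top. It assumes GnuPG 2.1 or later is installed. The user name, email and signed payload are constructed for the demo, and the key is an Ed25519/cv25519 pair created with %no-protection (no passphrase), a choice that is only defensible for a short-lived CI key held in a secret store.

```shell
#!/usr/bin/env bash
# Added example (not the page's own code): batch key generation, listing,
# export, signing/verification and revocation in a throwaway keyring.
# Assumes GnuPG 2.1+ on PATH. Name, e-mail and payload are constructed.
set -eu

# Use a private, throwaway GNUPGHOME so the real ~/.gnupg is never touched.
setup_keyring() {
  GNUPGHOME="$(mktemp -d)"
  export GNUPGHOME
  chmod 700 "$GNUPGHOME"
}

# Batch generation: ed25519 signing primary key, cv25519 encryption subkey.
# %no-protection omits the passphrase (acceptable only for a short-lived CI
# key, assumed here); %commit performs the generation.
generate_key() {
  local name="$1" email="$2"
  gpg --batch --quiet --generate-key <<EOF
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Subkey-Type: ecdh
Subkey-Curve: cv25519
Subkey-Usage: encrypt
Name-Real: ${name}
Name-Email: ${email}
Expire-Date: 1y
%commit
EOF
}

# Machine-readable listing: the first fpr record is the primary key's
# 40-hex-digit fingerprint. Scripts should select keys by fingerprint,
# because short key IDs can collide.
primary_fingerprint() {
  gpg --batch --with-colons --list-secret-keys "$1" \
    | awk -F: '$1 == "fpr" && !seen { print $10; seen = 1 }'
}

# Armoured public key (the block pasted into GitHub); print only its header.
public_key_header() {
  gpg --batch --armor --export "$1" | sed -n '1p'
}

# Detached signature over a file, then verification; returns gpg's verify
# status (0 for a good signature).
sign_and_verify() {
  local fpr="$1" file="$2"
  gpg --batch --yes --quiet --local-user "$fpr" --armor --detach-sign \
      --output "${file}.asc" "$file"
  gpg --batch --quiet --verify "${file}.asc" "$file" 2>/dev/null
}

# Revocation: GnuPG 2.1+ writes openpgp-revocs.d/<FPR>.rev at generation time,
# with a leading colon on the BEGIN line so it cannot be imported by accident.
# Strip the colon, import it, and print the key's validity field ("r" = revoked).
revoke_key() {
  local fpr="$1"
  sed 's/^://' "$GNUPGHOME/openpgp-revocs.d/${fpr}.rev" | gpg --batch --quiet --import
  gpg --batch --with-colons --list-keys "$fpr" | awk -F: '$1 == "pub" { print $2 }'
}

# Whole flow; prints "<fingerprint> <validity-after-revocation>" on success.
run_demo() {
  setup_keyring
  generate_key "Example CI" "ci@example.com"
  local fpr header validity
  fpr="$(primary_fingerprint "ci@example.com")"
  header="$(public_key_header "$fpr")"
  [ "$header" = "-----BEGIN PGP PUBLIC KEY BLOCK-----" ]
  printf 'constructed payload\n' > "$GNUPGHOME/payload.txt"
  sign_and_verify "$fpr" "$GNUPGHOME/payload.txt"
  validity="$(revoke_key "$fpr")"
  gpgconf --kill gpg-agent
  rm -rf "$GNUPGHOME"
  printf '%s %s\n' "$fpr" "$validity"
}

run_demo
```

Run it with bash; it prints the new key's fingerprint followed by r, the validity flag GnuPG reports once the automatically generated revocation certificate has been imported. In real scripts and in git config user.signingkey, use the fingerprint rather than a short key ID.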
Alternative Solutions
Generate a key of a different type:
gpg --quick-generate-key "Your Name <you@example.com>" ed25519 sign 1y
gpg --full-generate-key has no --key-type option; to pick a curve in the interactive wizard, run it with --expert and choose ECC with Curve 25519. The quick form above creates an Ed25519 signing primary key valid for one year; add an encryption subkey with gpg --quick-add-key FINGERPRINT cv25519 encr 1y. Ed25519 is faster than RSA and produces smaller keys and signatures, and GitHub accepts EdDSA keys for commit signing.
Common Errors
gpg: no valid OpenPGP data found: The input is not an OpenPGP key or message at all, for example an HTML error page saved from a keyserver, an empty file, or the wrong file passed to gpg --import. Check what the file contains (file private-key.asc, or look at its first line) before importing. A broken gpg-agent looks different: errors that mention the agent, or a pinentry that never appears. Restart it with gpgconf --kill gpg-agent && gpgconf --launch gpg-agent, and set GPG_TTY=$(tty) in the shell so pinentry can find your terminal.
Insufficient entropy: On older kernels, key generation can hang waiting for random bytes ("Not enough random bytes available"). On a headless server with a kernel older than 5.6, install rng-tools: sudo apt install rng-tools && sudo systemctl restart rng-tools. Kernels 5.6 and later stop blocking once the random pool is initialised, so this is rarely needed now.
Key expiry date passed: Expiry is an attribute you sign, not a hard cutoff, so an expired key can be extended: gpg --edit-key KEYID, then expire and set a new date, then save. Subkeys expire separately; inside the editor run key 1 to select the first subkey before expire. Re-export and re-upload the public key afterwards, or GitHub and other verifiers keep the old expiry.
Passphrase forgotten: A key whose passphrase is lost can neither be used nor recovered, and a revocation certificate does not bring it back; it lets you tell others to stop trusting the key. Create one while you still know the passphrase with gpg --gen-revoke KEYID > revoke.asc and store it offline. GnuPG 2.1 and later also write one automatically to ~/.gnupg/openpgp-revocs.d/ at key generation.
Prevention
- Back up the private key and revocation certificate immediately after generation, and keep them apart from each other.
- Use a strong, memorizable passphrase and store it in a password manager.
- Set an expiry date on keys used in production environments.
- Revoke compromised keys immediately: import the revocation certificate (gpg --import revoke.asc), publish the revoked key with gpg --send-keys KEYID, and delete the key from GitHub or GitLab.
Built by the developers of DodaTech
Doda Browser, DodaZIP & Durga Antivirus Pro