- Install GnuPG
- Generate public and private keys
- Set GPGKEY environment variable in .bashrc
- Configure GnuPG with ~/.gnupg/gpg.conf
- Export ASCII-armored version of your public key
- Publish your key to key servers, website, etc.
- Get your key signed so you are in the "strongly connected set"
- Export revocation key
- Back up your keys
- Setting up your keys on a different computer
- Adding a secondary user ID to your key
- Using gpg-agent in daemon mode
- Revoke and unrevoke keys
- Note on the difference and relation between gnupg and gnupg2
- References
- Last updated: 2024-4-10
- Last verified: (n/a)
Install GnuPG
Macports (marked obsolete in 2024-4 but became obsolete long before then)
$ sudo port install gnupg
<snip>
$ which gpg
/opt/local/bin/gpg
There is also a gnupg2 which provides S/MIME support and gpg-agent and extended smartcard support.
$ sudo port install gnupg2
Homebrew
$ brew install gnupg
Generate public and private keys
Using --full-generate-key
gpg --full-generate-key
Generating keys en masse without interactive UI
Generate keys en masse or without interactive UI:
((find /Applications/ | xargs file) &> /dev/null &); gpg --generate-key --pinentry-mode loopback --batch --yes --passphrase-file ./passphrase.txt generate-key-options.txt
Using --gen-key (2024-4 update: less recommended than --full-generate-key)
$ gpg --gen-key
gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection?
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: Foo Bar
Email address: foo@bar.com
Comment:
You selected this USER-ID:
"Foo Bar <foo@bar.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
..........+++++
..+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
................+++++
...+++++
gpg: /home/usr1/foo/.gnupg/trustdb.gpg: trustdb created
gpg: key 306807EF marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 2048R/306807EF 2011-06-05
Key fingerprint = 4D7E 594E 626D A51E 87C7 0419 704A 04B0 3068 07EF
uid Foo Bar <foo@bar.com>
sub 2048R/A793EF59 2011-06-05
$
Insufficient entropy to generate keys
(cf. https://serverfault.com/posts/892713/revisions)
((find / | xargs file) &> /dev/null &); gpg --generate-key --batch --passphrase-file passphrase.txt generate-key-options.txt
where
- passphrase.txt contains the passphrase for accessing the secret key and
- generate-key-options.txt contains the options for generating the key:
Key-Type: 1
Key-Length: 4096
Subkey-Type: 1
Subkey-Length: 4096
Name-Real: myuser
Name-Email: myuser@email.com
Expire-Date: 0
Set GPGKEY environment variable in .bashrc
Add
export GPGKEY=XXXXXXXXX
to ~/.bashrc.
Restart the gpg-agent and source .bashrc to activate the GPGKEY:
$ killall -9 gpg-agent
$ eval $(gpg-agent --daemon)
gpg-agent[48390]: directory `/Users/foobaruser/.gnupg' created
gpg-agent[48390]: directory `/Users/foobaruser/.gnupg/private-keys-v1.d' created
gpg-agent[48391]: gpg-agent (GnuPG) 2.0.17 started
$ source ~/.bashrc
Configure GnuPG with ~/.gnupg/gpg.conf
Adding key servers
keyserver hkp://keys.gnupg.net
keyserver hkp://keys.openpgp.org
keyserver hkp://keyserver.ubuntu.com
keyserver hkp://pgp.mit.edu
# C.f. http://en.wikipedia.org/wiki/Key_server_(cryptographic) for a list of key servers
#keyserver hkp://subkeys.pgp.net
#keyserver hkp://keys.nayr.net
Export ASCII-armored version of your public key
$ gpg --armor --output fooatbardotcom_public_key.asc --export foo@bar.com
$ ls
fooatbardotcom_public_key.asc
Put the fooatbardotcom_public_key.asc on your website, in your Dropbox, or send it to other people.
Publish your key to key servers, website, etc.
To your homepage
- display ASCII-armored version of your PGP public key
- give link to trust path and statistics http://pgp.cs.uu.nl/stats/XXX.html where XXX is your key ID
To a key server via command line
$ gpg --keyserver hkp://keys.gnupg.net --send-key $GPGKEY
gpg: sending key 306807EF to hkp server subkeys.pgp.net
gpg: keyserver timed out
gpg: keyserver send failed: keyserver error
To more key servers:
gpg --keyserver hkp://keys.gnupg.net --send-key $GPGKEY
gpg --keyserver hkp://keys.openpgp.org --send-key $GPGKEY
gpg --keyserver hkp://keyserver.ubuntu.com --send-key $GPGKEY
gpg --keyserver hkp://pgp.mit.edu --send-key $GPGKEY
To a key server via web browser
- Visit http://keys.gnupg.net/ in a browser.
- Paste the content of fooatbardotcom_public_key.asc into the text field in "Submit a key" section of the page, and click "Submit this key to the keyserver!"
Get your key signed so you are in the "strongly connected set"
- Visit http://www.biglumber.com/
- Add your public key to the server.
- Request a login token; it will be encrypted and sent to the email associated with the public key.
- Check email from spider@biglumber.com; download it. It is just a file called noname. You can view it with more or a text editor. It looks like
  hQEMA3TQ0Htyb4f8AQf/dGI5l8akLVAccu3zTTurEkoqVvZo3iWa7uAeZ+OsUuW9
  Ev0XKnTFKrEUd0sI1LebZfuQv13no/3FweppVuqYAInRxdc2U4fANhNkEpmTNjI2
  ...
- Decrypt it
  $ gpg --decrypt ./noname
  You need a passphrase to unlock the secret key for
  user: "Foo Bar <barfoo@gmail.com>"
  2048-bit RSA key, ID XXXXXXXX, created 2011-06-04 (main key ID XXXXXXXX)
  gpg: encrypted with 2048-bit RSA key, ID XXXXXXXX, created 2011-06-04
  "Foo Bar <barfoo@gmail.com>"
  Someone (hopefully you) has just requested that we email a login token
  for bigbarmber.com to the owner of this key:
  Name: Foo Bar
  Fingerprint: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  Email: barfoo@gmail.com
  You can now login to the site and add, edit, or delete listings by
  visiting the URL below and entering your password:
  http://bigbarmber.com/x/web?enter=1
  Password: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  If you did NOT make this request, then somebody is abusing the system
  and we would like to know about it.
  This is the information we have about the request:
  IP: XXX.XXX.XXX.XXX
  HOST: 221.205.177.140.in-addr.arpa domain name pointer proxy3.bar.com.
  BROWSER: Mozilla/5.0 (Macintosh; Intel macOS 10_6_7) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.71 Safari/534.24
  TIME: Sat Jun 4 22:59:10 2011 (GMT)
  Please email abuse@bigbarmber.com if this is the case.
  Otherwise, email us at help@bigbarmber.com with any questions or problems.
  You can also use the feedback link at the site instead of the emails above, if you wish.
  Please sign any correspondance (clearsign preferred) to verify yourself as owner of the key.
  Thanks and enjoy,
  bigbarmber.com
- Use the password and URL to login and add your listing (name, country, city, URL). After that you should have a listing page http://bigbarmber.com/x/web?sn=Foo+Bar
- Find someone close to sign keys. Physically meet the person, verify his/her identity, then sign his/her public key. See Ubuntu Documentation: GnuPrivacyGuardHowto.
Export revocation key
$ gpg --output fooatbardotcom_revoke_key.asc --gen-revoke $GPGKEY
sec 2048R/306807EF 2011-06-05 Foo Bar <foo@bar.com>
Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
0 = No reason specified
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
Q = Cancel
(Probably you want to select 1 here)
Your decision? 1
Enter an optional description; end it with an empty line:
>
Reason for revocation: Key has been compromised
(No description given)
Is this okay? (y/N) y
You need a passphrase to unlock the secret key for
user: "Foo Bar <foo@bar.com>"
2048-bit RSA key, ID 306807EF, created 2011-06-05
ASCII armored output forced.
Revocation certificate created.
Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable. But have some caution: The print system of
your machine might store the data and make it available to others!
$
Back up your keys
parameters
myGPGKEY=$1
myID=$2
listing keys
gpg --list-secret-keys $myGPGKEY
verify passphrase
gpg --dry-run --passwd $myGPGKEY
Besides the method above, note that on macOS, the passphrases of previously used GPG keys are probably stored in the keychain (/Applications/Keychain Access.app). [TODO: verify]
Or programmatically
$ echo "XXX" | gpg --batch --passphrase-fd 0 -o /dev/null --local-user $GPGKEY -as - && echo "The correct passphrase was entered for this key"
Back up
Check the keys and set parameters
$ gpg --list-keys
$ myID=username_AT_example_DOT_com
$ export myGPGKEY=$GPGKEY
If your environment variable GPGKEY isn't defined in .bashrc, look for the line that starts something like "sec 1024D/" in the output of the gpg --list-keys command. The part after the key type (such as 1024D or 2048R) is the key ID.
Store the files fooatbardotcom_public_key.asc, fooatbardotcom_private_key.asc, and fooatbardotcom_revoke_key.asc securely. For example, store them in a password-protected archive file on a USB drive, and keep the USB drive safe.
Run the commands to back up key files:
mkdir "gpg_key_${myID}_${myGPGKEY}/"
gpg -ao "gpg_key_${myID}_${myGPGKEY}/gpg_key_${myID}_${myGPGKEY}_public_key.asc" --export $myGPGKEY
gpg -ao "gpg_key_${myID}_${myGPGKEY}/gpg_key_${myID}_${myGPGKEY}_revoke_key.asc" --gen-revoke $myGPGKEY
gpg -ao "gpg_key_${myID}_${myGPGKEY}/gpg_key_${myID}_${myGPGKEY}_private_key.asc" --export-secret-keys $myGPGKEY
gpg --export-ownertrust > "gpg_key_${myID}_${myGPGKEY}/gpg_key_${myID}_${myGPGKEY}_private_key_ownertrust"
Create a password-protected 7z archive (-p prompts for the password) and back it up:
7z a -p "gpg_key_${myID}_${myGPGKEY}_PXXX.7z" "gpg_key_${myID}_${myGPGKEY}/"
Alternatively, use a script to do it programmatically.
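One way to script the backup steps above, as an added example that is not part of the original page. The function name backup_gpg_key is hypothetical; the folder and file names follow the manual commands, and the revocation certificate is copied from ~/.gnupg/openpgp-revocs.d/ because --gen-revoke is interactive.

```sh
#!/bin/sh
# Added example. backup_gpg_key is a hypothetical helper; the file names follow
# the manual commands above. The body runs in a subshell, so umask stays local.
backup_gpg_key() (
    key=$1      # key ID or fingerprint, e.g. "$GPGKEY"
    label=$2    # tag for the folder name, e.g. username_AT_example_DOT_com
    [ -n "$key" ] && [ -n "$label" ] || { echo "usage: backup_gpg_key KEY LABEL" >&2; exit 2; }

    umask 077                       # owner-only: this folder will hold the secret key
    dir="gpg_key_${label}_${key}"
    base="$dir/$dir"
    mkdir "$dir" || exit 1          # fails if the folder exists: never overwrite a backup

    gpg --armor --output "${base}_public_key.asc" --export "$key" || exit 1
    gpg --armor --output "${base}_private_key.asc" --export-secret-keys "$key" || exit 1
    gpg --export-ownertrust > "${base}_private_key_ownertrust" || exit 1

    # gpg can exit 0 with only a warning when KEY matches no key, so check the files.
    for f in "${base}_public_key.asc" "${base}_private_key.asc"; do
        [ -s "$f" ] || { echo "nothing exported to $f" >&2; exit 1; }
    done

    # --gen-revoke asks questions; reuse the certificate GnuPG 2.1+ pre-generates.
    # That file has a ':' in front of its armor header, to be removed before import.
    fpr=$(gpg --with-colons --fingerprint "$key" | awk -F: '$1 == "fpr" { print $10; exit }')
    rev="${GNUPGHOME:-$HOME/.gnupg}/openpgp-revocs.d/${fpr}.rev"
    if [ -n "$fpr" ] && [ -f "$rev" ]; then
        cp "$rev" "${base}_revoke_key.asc" || exit 1
    else
        echo "no pre-generated revocation certificate; run --gen-revoke by hand" >&2
    fi
    echo "$dir"                     # print the folder name for the archiving step
)
```

Call it as backup_gpg_key "$GPGKEY" "$myID", then pass the printed folder name to the 7z command.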
Setting up your keys on a different computer
Copy the public and private keys to other computers.
Import keys
gpg --import fooatbardotcom_public_key.asc
gpg --import fooatbardotcom_private_key.asc
Restore trust data:
gpg --import-ownertrust XXXownertrustfile
Adding a secondary user ID to your key
$ gpg --edit-key $GPGKEY
<snip>
gpg> adduid
Real name: Foo Bar
Email address: foobar@hotmail.com
Comment: secondary email
You selected this USER-ID:
"Foo Bar (second user id) <foobar@hotmail.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a passphrase to unlock the secret key for
user: "Foo Bar <foobar@gmail.com>"
2048-bit RSA key, ID XXXXXXXX, created 2011-06-04
pub 2048R/XXXXXXXX created: 2011-06-04 expires: never usage: SC
trust: ultimate validity: ultimate
sub 2048R/XXXXXXXX created: 2011-06-04 expires: never usage: E
[ultimate] (1) Foo Bar <foobar@gmail.com>
[ unknown] (2). Foo Bar (secondary email) <foobar@hotmail.com>
gpg> uid foobar@hotmail.com
pub 2048R/XXXXXXXX created: 2011-06-04 expires: never usage: SC
trust: ultimate validity: ultimate
sub 2048R/XXXXXXXX created: 2011-06-04 expires: never usage: E
[ultimate] (1) Foo Bar <foobar@gmail.com>
[ unknown] (2). Foo Bar (secondary email) <foobar@hotmail.com>
gpg> trust
...
gpg> 5
...
gpg> save
Using gpg-agent in daemon mode
See "Invoking GPG-AGENT." The GNU Privacy Guard Manual.
Revoke and unrevoke keys
If your private key is lost or compromised, your encryption is not safe, and your key pair is no longer useful for encrypting data. You probably want to revoke the key pair in that situation:
$ gpg --import revoke.asc
$ gpg --keyserver keyserver.ubuntu.com --send-key $GPGKEY
In the unlikely event that you need to unrevoke keys, follow the instructions at Ubuntu Documentation: GnuPrivacyGuardHowto
When gpg generates a new key, it might have already generated the revoke key automatically and stored it in ~/.gnupg/openpgp-revocs.d/
Note on the difference and relation between gnupg and gnupg2
On superuser.com, there's a discussion about the difference and relation between GnuPG and GnuPG2. Here is an excerpt:
Source: http://superuser.com/questions/655246/are-gnupg-and-gnupg2-compatible-with-each-other/
gpg2 is a redesigned version of gpg -- but changes are mostly on internal level. The newer version is split into multiple modules, for example there are also modules for X.509 (used by S/MIME).
From man gpg2:
In contrast to the standalone version gpg, which is more suited for server and embedded platforms, this version is commonly installed under the name gpg2 and more targeted to the desktop as it requires several other modules to be installed.
gpg will stay for embedded and server usage, as it brings less dependencies and smaller binaries.
From man gpg:
This is the standalone version of gpg. For desktop use you should consider using gpg2.
To directly answer your question:
Should I install both, or just one is enough? Does it matter which one I install first at all?
Just install both. They don't interfere anyway. Install gpg (if not installed anyway) for other applications that access it (like package managers, mail clients, ...), and gpg2 for "direct use" on the command line.
If I installed both, are both compatible with each other?
Both implement the OpenPGP protocol, so they're compatible to each other regarding data shared among them. Additionally, they're (mostly) using the same commands and options, so most of the time you could switch between them arbitrarily.