Install the required tools
dnf install gnupg2 rng-tools -y
Start rngd. This provides entropy for the key generation process.
rngd -r /dev/urandom
Create a master GPG key. The key represents your GPG identity. Note that the command we are using is gpg2, not gpg.
# gpg2 --gen-key
gpg (GnuPG) 2.1.4; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory '/root/.gnupg' created
gpg: new configuration file '/root/.gnupg/gpg.conf' created
gpg: WARNING: options in '/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keybox '/root/.gnupg/pubring.kbx' created
Note: Use "gpg2 --full-gen-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

Real name: Demo User
Email address: email@example.com
You selected this USER-ID:
    "Demo User <firstname.lastname@example.org>"

Change (N)ame, (E)mail, or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 9CDBF8B3 marked as ultimately trusted
gpg: directory '/root/.gnupg/openpgp-revocs.d' created
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   rsa2048/9CDBF8B3 2015-06-17
      Key fingerprint = 2FDB EB02 1D3C 8698 FBAD DF1C B5BF 8F3A 9CDB F8B3
uid       [ultimate] Demo User <email@example.com>
sub   rsa2048/AE893683 2015-06-17

# gpg2 --list-keys
/root/.gnupg/pubring.kbx
------------------------
pub   rsa2048/9CDBF8B3 2015-06-17
uid       [ultimate] Demo User <firstname.lastname@example.org>
sub   rsa2048/AE893683 2015-06-17

# gpg2 --list-secret-keys
/root/.gnupg/pubring.kbx
------------------------
sec   rsa2048/9CDBF8B3 2015-06-17
uid       [ultimate] Demo User <email@example.com>
ssb   rsa2048/AE893683 2015-06-17
This has created a master key, 9CDBF8B3, with an encryption subkey, AE893683.
In the following steps, use your master key ID in place of 9CDBF8B3.
The key can be published to a keyserver like this:
gpg2 --keyserver pgp.mit.edu --send-keys 9CDBF8B3
In the event that the master key is lost or compromised, a revocation certificate will be needed to indicate that the key, and all its subkeys, should no longer be used.
gpg2 --gen-revoke 9CDBF8B3 > 9CDBF8B3-revoke.asc
All the *.asc files mentioned should be stored offline for security.
Back up your keys
gpg2 --export 9CDBF8B3 > 9CDBF8B3-pub.asc
gpg2 --export-secret-keys 9CDBF8B3 > 9CDBF8B3-sec.asc
If the key has been published to a keyserver, the public key backup is not strictly needed, as the public key can be retrieved from the keyserver again.
Test encryption and decryption
# echo "this is a secret" > test.txt
# gpg2 -e -r 9CDBF8B3 test.txt
# gpg2 -d test.txt.gpg
gpg: encrypted with 2048-bit RSA key, ID AE893683, created 2015-06-17
      "Demo User <firstname.lastname@example.org>"
this is a secret
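The whole procedure above, scripted unattended in a throw-away GNUPGHOME so it never touches the real keyring; this is an added example, not from the original page. It assumes GnuPG 2.1 or later is installed as gpg2 (or as a 2.x gpg), uses constructed key parameters and plaintext, and relies on the revocation certificate GnuPG 2.1 writes into openpgp-revocs.d at generation time instead of the interactive --gen-revoke step.

```shell
# Added example (not from the original page): the key-creation, backup and
# round-trip steps above, run unattended. Assumes GnuPG 2.1+ (gpg2, or a 2.x
# gpg); key parameters and plaintext are constructed values for a temp keyring.
gpg_roundtrip() {
    GPG=gpg2
    command -v gpg2 >/dev/null 2>&1 || GPG=gpg
    if ! "$GPG" --version 2>/dev/null | head -n 1 | grep -q 'GnuPG) 2'; then
        echo "GnuPG 2.x not found, skipping" >&2
        return 0
    fi
    tmp=$(mktemp -d)
    chmod 700 "$tmp"
    GNUPGHOME="$tmp"
    export GNUPGHOME

    # Unattended key generation. %no-protection (no passphrase) is acceptable
    # here only because the key lives in a temporary, throw-away keyring.
    cat > "$tmp/params" <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Demo User
Name-Email: email@example.com
Expire-Date: 0
%commit
EOF
    "$GPG" --batch --gen-key "$tmp/params" 2>/dev/null

    # Machine-readable listing: field 5 of the 'pub' record is the key ID,
    # field 10 of 'fpr' the full fingerprint shown as "Key fingerprint" above.
    keyid=$("$GPG" --with-colons --list-keys | awk -F: '$1=="pub"{print $5; exit}')
    fpr=$("$GPG" --with-colons --list-keys | awk -F: '$1=="fpr"{print $10; exit}')

    # Backups as on the page (armored, hence .asc). GnuPG 2.1 has already
    # written a revocation certificate into openpgp-revocs.d; verify it exists.
    "$GPG" --batch --armor --export "$keyid" > "$tmp/$keyid-pub.asc"
    "$GPG" --batch --armor --export-secret-keys "$keyid" > "$tmp/$keyid-sec.asc"
    [ -s "$tmp/openpgp-revocs.d/$fpr.rev" ] || { echo "no revocation cert" >&2; return 1; }

    # Round trip: encrypt to the key ID, decrypt, compare with the plaintext.
    echo "this is a secret" > "$tmp/test.txt"
    "$GPG" --batch -e -r "$keyid" "$tmp/test.txt"
    out=$("$GPG" --batch -d "$tmp/test.txt.gpg" 2>/dev/null)

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$tmp"
    [ "$out" = "this is a secret" ]
}
```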