PGP/GPG Usage Guide
This comprehensive guide covers practical usage of PGP/GPG across different platforms and applications, including key creation, encryption, decryption, and key management.
Prerequisites
Before following this guide, ensure you have:
- PGP/GPG software installed (Installation Guide)
- Basic understanding of PGP concepts (PGP Overview)
- Administrative access (for some operations)
Create PGP Key Pair
Creating a secure key pair is the foundation of PGP usage. We recommend using 4096-bit RSA keys for maximum security.
Kleopatra is the recommended tool for Windows as it supports 4096-bit RSA keys.
Launch Kleopatra
- Open Kleopatra from Start Menu or desktop shortcut
Start Certificate Creation
- Click File → New Certificate...
- Select Create a personal OpenPGP key pair
- Click Next
Enter Personal Information
- Name: Your Name (or pseudonym for anonymity)
- Email: your.email@example.com (or anonymous email)
- Comment: Optional description
Configure Advanced Settings
- Click Advanced Settings...
- In Key Material section:
- Select RSA radio button
- Choose 4,096 bits from dropdown
- Set expiration date (recommended: 2-4 years)
- Click OK
Create the Key
- Verify your information is correct
- Click Create Key
Set Passphrase
- Enter a strong passphrase (minimum 12 characters)
- Include uppercase, lowercase, numbers, and symbols
- Re-enter to confirm
- Click OK
Generate Entropy
- Move mouse randomly and type random text
- This creates randomness for key generation
- Process completes automatically
Finish Creation
- Click Finish when generation is complete
- Your key pair is now ready for use
Export Public Key
Your public key needs to be shared with others for them to send you encrypted messages.
Select Your Key
- Open Kleopatra
- Right-click your key in My Certificates tab
Export Certificate
- Click Export Certificates...
- Choose save location
- Filename: yourname-public.asc
- Click Save
Verify Export
- Open the .asc file in text editor
- Should start with -----BEGIN PGP PUBLIC KEY BLOCK-----
- Should end with -----END PGP PUBLIC KEY BLOCK-----
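A stricter form of the Verify Export check, written here as an added example (not Kleopatra's or GnuPG's code): it confirms the BEGIN/END lines match, recomputes the armor's CRC-24 checksum from RFC 4880, and reads the first packet tag so an accidentally exported secret key (tag 5) is caught before the file is shared. The sample block is constructed from a stub packet, not a real key.

```python
import base64
import re

# OpenPGP packet tags from RFC 4880 section 4.3 that matter for the export check
PUBLIC_KEY_TAG = 6
SECRET_KEY_TAG = 5

def crc24(data: bytes) -> int:
    """Armor checksum from RFC 4880 section 6.1 (init 0xB704CE, polynomial 0x1864CFB)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(label: str, packets: bytes) -> str:
    """Wrap raw packets the way an 'ASCII armor' export does: base64 body, =CRC line, BEGIN/END lines."""
    body = base64.b64encode(packets).decode()
    crc_line = "=" + base64.b64encode(crc24(packets).to_bytes(3, "big")).decode()
    rows = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([f"-----BEGIN PGP {label}-----", "", *rows, crc_line, f"-----END PGP {label}-----"]) + "\n"

def inspect_armor(text: str) -> dict:
    """Check BEGIN/END lines, verify the CRC-24, and read the tag of the first packet."""
    lines = text.strip().splitlines()
    m = re.fullmatch(r"-----BEGIN PGP (.+)-----", lines[0])
    if not m or lines[-1] != f"-----END PGP {m.group(1)}-----":
        raise ValueError("BEGIN/END armor lines missing or mismatched")
    i = 1  # skip armor headers such as 'Version:' / 'Comment:' and the blank separator line
    while i < len(lines) - 1 and (lines[i] == "" or ": " in lines[i]):
        i += 1
    body = lines[i:-1]
    expected = None
    if body and body[-1].startswith("="):  # the '=XXXX' checksum line
        expected = int.from_bytes(base64.b64decode(body.pop()[1:]), "big")
    packets = base64.b64decode("".join(body), validate=True)
    if not packets or not packets[0] & 0x80:
        raise ValueError("body does not start with an OpenPGP packet header")
    first = packets[0]
    # New-format header: 0b11TTTTTT; old-format header: 0b10TTTTLL
    tag = first & 0x3F if first & 0x40 else (first >> 2) & 0x0F
    return {"label": m.group(1), "crc_ok": None if expected is None else crc24(packets) == expected,
            "first_packet_tag": tag, "is_public_key": tag == PUBLIC_KEY_TAG,
            "is_secret_key": tag == SECRET_KEY_TAG}

# Constructed sample: a stub public-key packet (new-format header 0xC6 = tag 6), not a real key
SAMPLE_PUBLIC = armor("PUBLIC KEY BLOCK", bytes([0xC6, 0x03, 0x04, 0x00, 0x00]))

if __name__ == "__main__":
    print(inspect_armor(SAMPLE_PUBLIC))
```

Run it against your exported .asc file by passing the file's text to inspect_armor; a result with is_secret_key set to True means the wrong key was exported.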
Export Private Key
⚠️ SECURITY WARNING: Private keys should be exported only for backup purposes and stored securely.
Select Your Key
- Right-click your key in My Certificates tab
Export Secret Key
- Select Export Secret Keys...
- Choose secure location (encrypted drive recommended)
- Check ASCII armor option
- Enter filename: yourname-private.asc
- Click OK
Security Confirmation
- Confirm export in dialog box
- Enter your passphrase when prompted
Publish Key to Key Server
Publishing your public key to key servers makes it discoverable by others.
Select Your Key
- Right-click your key in Kleopatra
Publish to Server
- Select Publish on Server...
- Choose key server (default is usually fine)
- Click OK
Verify Publication
- Search for your key on key server to confirm
Import Public Keys
Before encrypting messages for others, you need their public keys.
Import from File
- Click File → Import Certificates...
- Browse to .asc file containing public key
- Click Open
Import from Clipboard
- Copy public key text to clipboard
- Click File → Import Certificates from Clipboard
Verify Import
- Check Other Certificates tab
- Imported key should be listed
Encrypt Messages
Encryption ensures only the intended recipient can read your message.
Prepare Your Message
- Open Notepad or text editor
- Type your message
- Select all text and copy (Ctrl+C)
Encrypt via System Tray
- Right-click Kleopatra icon in system tray
- Navigate to Clipboard → Encrypt...
Select Recipients
- Click Add Recipient...
- Switch to Other Certificates tab
- Select recipient's public key
- Click OK
Complete Encryption
- Verify recipient is listed
- Click Next
- Encryption completes automatically
Send Encrypted Message
- Encrypted text is now in clipboard
- Paste (Ctrl+V) into email, chat, or any application
- Send to recipient
Decrypt Messages
Decryption requires your private key and passphrase.
Copy Encrypted Message
- Select entire encrypted message block
- Include -----BEGIN PGP MESSAGE----- and -----END PGP MESSAGE-----
- Copy to clipboard (Ctrl+C)
Decrypt via System Tray
- Right-click Kleopatra icon in system tray
- Navigate to Clipboard → Decrypt/Verify...
Enter Passphrase
- Enter your private key passphrase
- Click OK
View Decrypted Message
- Decrypted text is copied to clipboard
- Paste into text editor to read
- Message is also displayed in verification window
Sign Messages
Digital signatures provide authentication and integrity verification.
Prepare Message
- Create message in text editor
- Copy message to clipboard
Sign Message
- Right-click Kleopatra system tray icon
- Select Clipboard → Sign...
- Choose your signing key
- Enter passphrase
- Click OK
Send Signed Message
- Signed message is in clipboard
- Paste into email or communication method
Verify Signatures
Signature verification confirms message authenticity and integrity.
Copy Signed Message
- Include entire message with signature blocks
- Copy to clipboard
Verify Signature
- Right-click Kleopatra system tray icon
- Select Clipboard → Decrypt/Verify...
Review Results
- Verification window shows signature status
- Green checkmark indicates valid signature
- Red X indicates invalid or missing signature
Key Management
Trust Levels
Understanding and setting appropriate trust levels is crucial for PGP security.
Trust Levels Explained:
- Unknown: No trust information
- None: Explicitly marked as not trusted
- Marginal: Some confidence in key ownership
- Full: High confidence in key ownership
- Ultimate: Your own keys
Access Key Properties
- Right-click on key
- Select Details...
Change Trust Level
- Click Change Owner Trust...
- Select appropriate trust level
- Click OK
Best Practices
Security Recommendations
Strong Passphrases
- Minimum 12 characters
- Include uppercase, lowercase, numbers, symbols
- Consider using passphrases instead of passwords
Key Size
- Use 4096-bit RSA keys minimum
- Consider Ed25519 for new keys (newer algorithm)
Key Expiration
- Set expiration dates (2-4 years recommended)
- Regularly extend or replace keys
Backup Strategy
- Create secure backups of private keys
- Store revocation certificates safely
- Test backup restoration periodically
Operational Security
Key Verification
- Always verify key fingerprints through secure channels
- Use multiple verification methods when possible
Software Updates
- Keep PGP software updated
- Monitor security advisories
Environment Security
- Use secure, updated operating systems
- Avoid public/shared computers for key operations
- Consider using dedicated hardware for key generation
Common Mistakes to Avoid
- Weak Passphrases: Using dictionary words or personal information
- Unverified Keys: Trusting keys without proper verification
- Insecure Backups: Storing private keys without encryption
- Key Reuse: Using the same keys across multiple identities
- Outdated Software: Using vulnerable PGP implementations
Troubleshooting
Common Issues
Error: "No public key"
# Solution: Import recipient's public key
gpg --keyserver hkps://keys.openpgp.org --search-keys recipient@example.com
Error: "Bad passphrase"
- Verify caps lock status
- Try typing passphrase in text editor first
- Check for special character issues
Error: "Key expired"
# Check key expiration (the "expires:" field in the pub line)
gpg --list-keys
# Extend expiration if it's your key: at the gpg> prompt run "expire", enter the new validity period, then "save"
gpg --edit-key your.email@example.com
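To turn the "Check key expiration" step into a routine check that also supports the "regularly extend or replace keys" recommendation, this added example (not GnuPG's code) parses the machine-readable output of `gpg --list-keys --with-colons` and reports keys that are expired or expire within a given number of days. The sample output, key IDs and dates below are constructed, and the parser assumes the epoch-second date format that current GnuPG versions emit.

```python
from datetime import datetime, timezone

# Constructed sample of `gpg --list-keys --with-colons` output: one key expiring in 2024, one already expired
SAMPLE_COLONS = """\
pub:u:4096:1:0123456789ABCDEF:1700000000:1763000000::u:::scESC::::::23::0:
uid:u::::1700000000::HASH::Your Name <your.email@example.com>::::::::::0:
pub:e:4096:1:FEDCBA9876543210:1500000000:1600000000::-:::sc::::::23::0:
uid:e::::1500000000::HASH::Old Key <old@example.com>::::::::::0:
"""

def parse_keys(colon_output: str) -> list:
    """Parse pub/uid records: field 2 is validity, 3 key length, 5 key ID, 7 expiration (epoch seconds or empty)."""
    keys = []
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"keyid": f[4], "validity": f[1], "bits": f[2],
                         "expires": int(f[6]) if f[6] else None, "uids": []})
        elif f[0] == "uid" and keys:
            keys[-1]["uids"].append(f[9])  # field 10 of a uid record is the user ID
    return keys

def expiry_report(colon_output: str, now: int, within_days: int = 30) -> list:
    """Return (keyid, first uid, days_left) for keys expired or expiring within within_days.

    Keys with no expiration date are skipped; negative days_left means already expired.
    """
    report = []
    for k in parse_keys(colon_output):
        if k["expires"] is None:
            continue
        days_left = (k["expires"] - now) // 86400
        if days_left <= within_days:
            report.append((k["keyid"], k["uids"][0] if k["uids"] else "", days_left))
    return report

if __name__ == "__main__":
    now = int(datetime.now(timezone.utc).timestamp())
    for keyid, uid, days in expiry_report(SAMPLE_COLONS, now, within_days=60):
        state = "EXPIRED" if days < 0 else f"expires in {days} days"
        print(f"{keyid} {uid}: {state}")
```

On a real system replace SAMPLE_COLONS with the output of `gpg --list-keys --with-colons` (for example via subprocess) and run it from a scheduled task.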
GPG Agent Issues
# Restart GPG agent
gpgconf --kill gpg-agent
gpgconf --launch gpg-agent
This comprehensive usage guide should cover all essential PGP/GPG operations across different platforms and interfaces.