I have mentioned this handy tool a number of times before, but I guess it is time to explain how to get started with GPG, the GNU Privacy Guard and create your first key pair.
The first step in this process is to identify what kind of operating system you are using. Generally you should find yourself to be running some flavor of Windows, Mac, or *Nix. If you are using Windows or a Mac, you might want to consider giving some Linux or BSD flavor a spin during this exercise. The Open Source thing means if the system has been diddled, it is at least more likely to be discovered, eventually.
There are a lot of decent guides out there. I'll link them, but come back here when it is time to generate the key. Here's one for Windows courtesy of the Enigmail team, one for Mac from Purdue's Engineering IT support, and while the different *nix systems have differing package managers, the Ubuntu guide works well if you just sub in the distribution-specific installation commands.
Once you have the software installed, start it on the command line and ignore whatever key pair type your guide suggested. When you enter the key generation command and the options pop up, choose RSA and RSA as your key type with 4096[1] as the key length. DSA and Elgamal is probably the wrong choice.
Once you've done that, fill in the information, either for your actual identity or your pseudonym. I recommend not setting an expiration date and planning to use a revocation certificate instead. Pick a passphrase you can't lose, and you should have a key within a few seconds or minutes. Congratulations, now back that shit up to some media where you can ensure its physical security and generate a revocation certificate to store with your backup. Maybe make several backups, but remember this physical security thing is important.
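The same steps run unattended, as an added example that is not part of the original post: GnuPG's batch parameter file produces the RSA/RSA 4096 key with no expiry, then the revocation certificate and armored key exports are written to a backup directory. It assumes GnuPG 2.1 or later with a working pinentry; the name, e-mail and backup path are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GnuPG 2.1+ and a
# pinentry for the passphrase prompt; NAME/EMAIL/DEST are placeholders.
set -eu

# Print the batch parameter file: RSA signing primary key plus RSA
# encryption subkey, both 4096 bits. Expire-Date: 0 means "never";
# %ask-passphrase hands the prompt to pinentry instead of embedding
# the passphrase in this file.
gen_params() {
  printf '%s\n' \
    'Key-Type: RSA' \
    'Key-Length: 4096' \
    'Subkey-Type: RSA' \
    'Subkey-Length: 4096' \
    "Name-Real: $1" \
    "Name-Email: $2" \
    'Expire-Date: 0' \
    '%ask-passphrase' \
    '%commit'
}

# Generate the key, then write the revocation certificate and the armored
# public and secret keys into $3 (a directory on your backup medium).
# Prints the new key's fingerprint.
make_key() {
  name=$1; email=$2; dest=$3
  mkdir -p "$dest"
  gen_params "$name" "$email" | gpg --batch --gen-key
  fpr=$(gpg --with-colons --list-secret-keys "$email" \
          | awk -F: '$1=="fpr"{print $10; exit}')
  # --gen-revoke asks questions; --command-fd 0 answers them from stdin:
  # confirm, reason 0 (no reason specified), empty description, confirm.
  printf 'y\n0\n\ny\n' | gpg --command-fd 0 --status-fd 2 --yes \
      --output "$dest/$fpr.revoke.asc" --gen-revoke "$fpr"
  gpg --armor --export "$fpr" > "$dest/$fpr.pub.asc"
  gpg --armor --export-secret-keys "$fpr" > "$dest/$fpr.secret.asc"
  echo "$fpr"
}

# Usage (placeholders): make_key 'Your Name' 'you@example.com' /media/backup/gpg
```

GnuPG 2.1 and later also drop an automatic revocation certificate under `~/.gnupg/openpgp-revocs.d/`, but the copy written next to the exported keys is the one that belongs on your backup medium.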
Later I'll write on things you can do with your key, but in the meantime plug your public key into the Phuctor[2] and maybe practice generating, backing up, and revoking keys for a bit before settling on your key. If the Phuctor finds issues with any keys, generate a new one, but if it finds problems with a lot of your keys, probably get a new[3] machine and definitely set it up with some *nix, or a different *nix system if you started this exercise the right way. Further, if your keys continue being weak, consider building GPG from the official source and skip pre-built binaries.[4] Whatever you do with GPG eventually, make sure you are taking the time to get comfortable with it before doing useful things like registering with Gribble.
Update: A new companion post explains the exercises mentioned here.
[1] If you are especially paranoid you may double this length, but 1024 is confirmed to be too short and do you really want your key to be next in line to be confirmed too short? Well, that would be why I'm not recommending 2046.
[2] Discussed earlier here: http://bingology.net/2013/10/22/a-cool-new-toy-for-public-keys/
[3] By new, to you. In reality probably older per http://trilema.com/2013/how-to-airgap-a-practical-guide/#identifier_5_49997
[4] For those who want to be sure of doing this the right way, this is probably what you should have done from the start.