In this thread, I'll be demonstrating how to create your GPG Keys, how to upload them to a server, and how to encrypt your e-Mails with it. For the purposes of this thread, I'll be using KDE 5, along with KMail. At some point in the future I'll also include Thunderbird. If you desperately need Thunderbird to be included then send me a personal message. First, let's begin with the following question: Why should you encrypt your e-Mail? To answer that, you could look at normal aspects of your daily life. When you have important things, you usually put them into a safe place where people can't easily get access to, like that teddy-bear your grandmother gave you when you were a little kid. When dealing with electronic messages some e-Mails are to be considered important too, yet most people don't encrypt them. Some people don't encrypt their e-Mails because they assume nobody can't get to these e-Mails, and because only they think nobody else knows the password. Is that the case? "Hell no". These days most e-Mail providers (like Google) have a secure connection with you, via https. This ensures that nobody except you and Google can see those communications (assuming your operating system isn't tampered with). Other e-Mail providers don't use this type of secure connection. On both cases, your e-Mail can be read. Let's see why. Http connections are not encrypted. If an attacker, who is in between you and your e-Mail server, has bad intentions, he/she can eavesdrop your communications with that server or even act as if they were you or the server, known as a man in the middle attack, "in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection"¹. On https connections, your communication with the server are encrypted, either via SSL or TLS. However, Google stil "reads" all of your e-Mails so that they can gather data from you (mostly used for advertising). So how can you communicate securely with a friend in a way that only you and your friend can talk to each other? By encrypting your messages so that not even Google (or other such company like Yahoo, Microsoft, etc) can't read your e-Mails. So, let's get started! First, open your terminal. Here we'll type all the commands needed to create your GPG (GnuPrivacyGuard) Key. If you're new to this and want an out-of-the-box Key that doesn't require any configuration, use the following command: Code: gpg --gen-key Just issue your name (if you want), your e-Mail adress, then your passphrase. Remember: This default key will NEVER expire, so you might edit that later (with gpg --edit-key), or you may chose to create the keys in a more in-depth mode as shown bellow. NOTE: "gpg --gen-key" is the older command that also creates custom keys on GnuPG verions of 2.0.26 and older (might vary). Newer versions of GnuPG will create the out-of-the-box key mentioned above, and require "gpg --full-gen-key" for a custom key generation. I'll guide the more advanced users through the advanced method, which is to create a custom GPG Key. Let's being. The first command is, obviously, to create our Key. To make this tutorial as real as possible, I'll be using an e-Mail alias that will be deleted after the completition of this tutorial. Code: $ gpg --full-gen-key My result: Code: [amarildo@amarildo ~]$ gpg --full-gen-key gpg (GnuPG) 2.1.7; Copyright (C) 2015 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) Your selection? If you want to create a key for encrypting AND signing e-Mails/files, chose 1. If you want to create a Key just to encrypt your e-Mails, type 4. I'll use my Key to encrypt both files and e-Mails: Code: Your selection? 1 Next: Code: RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) I always chose 4096 bits of size. You can chose 1024, 2048 or 4096. Code: RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) 4096 Requested keysize is 4096 bits Next: Code: Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) This is where you chose for how long your key will stay valid. Personally I think something between 2-5 years is a good period for personal use. To specify other expiration values: "500" (or any number) will specify the number of validity in days. "2w" would specify a 2 weeks time for expiration. "3m" would specify a 3 months time for expiration. "5y" would specify a 5 years time for expiration. Here's my choice: Code: Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) 5y Key expires at Ter 01 Set 2020 22:44:35 UTC Is this correct? (y/N) y Next, this comes up: Code: GnuPG needs to construct a user ID to identify your key. Real name: Amarildo Email address: firstname.lastname@example.org Comment: You selected this USER-ID: "Amarildo <email@example.com>"" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? Review your Name, e-Mail adress, and comments. If everything is OK, then press "O" and hit Enter. Next comes the most important part: the passphrase. I have a pretty good memory, so it's easy for me to remember a good passphrase. If you want to test my method then follow along this really short toturial on how I create passphrases. Now a dialog box will appear. Type your passphrase twice, then click OK. GPG will now generate entropy for your Key; let it do it's thing. Usually I just start playing a game and wait till the generation process is finished. On older versions of GnuPG entropy generation is really quick, while on newer GnuPG versions it can take a few minutes. When it ends, you should see something like this: Code: gpg: checking the trustdb gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u gpg: next trustdb check due at 2020-09-28 pub 4096R/19EE1346 2015-09-30 [expires: 2020-09-28] Key fingerprint = D657 88E4 77EC 7639 F561 74EF 8F08 A13B 19EE 1346 uid [ultimate] Amarildo <firstname.lastname@example.org> sub 4096R/DC3F9091 2015-09-30 [expires: 2020-09-28] Key creation is done. Pretty easy, right? Before we can encrypt/sign our stuff we need to make sure our recipient can decrypt our stuff. In order to do that, note the "pub" section above, right after our key lenght (4096): Code: 19EE1346 This is our public key. We need to upload this key to a key-server so that other people can receive (the key) and decrypt what has been encrypted. To upload your key to gnu.org's server: Code: gpg --send-keys 19EE1346 Here's my result: Code: amarildo@amarildo:~> gpg --send-keys 19EE1346 gpg: sending key 19EE1346 to hkp server keys.gnupg.net amarildo@amarildo:~> Note: on newer GnuPG versions you'll probably have a lot more verbosity after the keys have been successfully uploaded. In order for your friend to receive your key, he/she needs to issue this command: Code: gpg --recv-keys KEYNUMBER This will allow your friend to use your key for de-cryption. In my case, if I wanted to make sure my friend got my key, I'd tell him/her to issue the following command: Code: gpg --recv-keys 19EE1346 Now let's use KMail so that we can encrypt our e-Mails. This part of the tutorial will have pictures so that it's easier for everyone to follow. The first thing that will pop when you open Kmail is the account assistant. With this tool you'll be able to create and configure your e-Mail account. This is the first screen you'll see: https://i.imgur.com/MWfCgR9.png Next, you'll have to chose between IMAP or POP3. Personally I chose IMAP because it doesn't clog my /home folder, and I can easily configure KMail to download all my e-Mails for offline usage. https://i.imgur.com/UZrIguE.png On this same page, click "Create account". Now KWallet will appear. If you don't want KWallet to manage your passphrases, click "Basic Setup" and uncheck the box that says "Yes, I wish to use KDE wallet to store my personal information". I will use KWallet for this, so I'll still click on Basic Setup: https://i.imgur.com/shEnJOz.png Then I'll select "Use GPG Encryption, for better protection: https://i.imgur.com/7vOGjba.png Next, my GPG Key automatically appeared. If yours didn't, just click on the drop down menu and select it. https://i.imgur.com/YstP32u.png A dialog will appear. Type the passphrase you entered when creating your Key. Everything should be configured by this point. If not, please send me a personal message and I'll see why you're having problems. If I think I can fix your problem then I'll add the solution to this thread. Now, click on the "New" button so that we can create our first encrypted message. https://i.imgur.com/TkZ7fEx.png Create your message, and don't forget to mark "Sign" or "Encrypt" (or both). https://i.imgur.com/SHs1TmS.png Next, click "Send". You will be required to type your passphrase every time you send a new encrypted/signed e-Mail. DONE! Happy encrypting.