This step-by-step guide shows how to create your own key for signing and encrypting email messages for free with The GNU Privacy Guard (GPG).

The GNU Privacy Guard, or just GnuPG or GPG, is a complete and free implementation of the OpenPGP standard. GPG can be used to sign and encrypt email messages and other data and communication.

The OpenPGP lock and a diploma indicate that this message has been encrypted and signed by the sender. The GNU Privacy Guard keys were used with Thunderbird Mail to protect privacy.

If you implement GPG for use with email, then you can digitally sign your message, so your recipient will know that the message has in fact been sent by you. The recipient will also know that your message has not been modified. If you have the public key of the recipient, then you can encrypt and sign your message. You and your recipient can now safely assume that your message has been protected against surveillance systems and other kinds of breach of privacy.

Create your new signing and encryption key.

The following GPG command will create a new key based on your selections from the menu. You will want RSA keys for signing and encryption. You might not want the key to expire. You will want maximum RSA key strength. Enter your name as it appears when you send email. Enter your email address. Enter a passphrase. The passphrase should not just be a single password, but rather a phrase or complex password.

$ gpg --full-generate-key

You have now created a GPG key that can be used for signing and encrypting data and communication. It has been inserted into the GPG key ring on your computer. If you did not have a key ring, then one has been created for you in a hidden directory in your home directory. You might want to ensure that it is backed up.

$ ls .gnupg

The following command lists the new key and any other keys that exist in your key ring. The new key will have a key for signing, a user identification and a subkey for encryption. The email address is used for identifying a key if you later want to make changes.

$ gpg --list-keys

The following command lists other options that will help you find out what you can do with the GPG command line tool.

$ gpg --help

Import your secret key into your email client.

The final step is to import your new key into your own email client, such as Thunderbird Mail. This key, which is your secret key and not the shared public key, will then be used by your email client to sign your messages. If you also have the public key of your recipient, you can also encrypt your messages.

The following example will export the secret key, that is identified by the email address , to a file private.gpg, that can be imported to your email client.

$ gpg --output private.gpg --export-secret-key 

If your email client is Thunderbird Mail, you can import it by adding your key as an OpenPGP key from the encryption section in your account settings. You will need to enter the passphrase that you entered during the creation of the key.

Note: Thunderbird Mail has its own built-in PGP system that replaces the former EnigMail add-on and stores its keys in its own key ring, which is different from the main GPG key ring. Thunderbird can also create a key for you, but in this example, you will create your own key with GPG and import it.

Export your public key to your recipients.

You can now generate a public key from your private key. If you share the public key with your recipient, then your recipient can import it and it will be used for validating your signatures and encrypting messages to you. I wrote a guide about this in How to import a GNU Privacy Guard (GPG) public key into email client.

The following example will export a public key from the key, that is identified by the email address . The public key will be written in the default GPG format to the file example.gpg.

$ gpg --output example.gpg --export 

The following example will export a public key from the key that is identified by the email address . The public key will be written in armored text format to the file example.pub. This format can be used for copy and paste operations.

$ gpg --output example.pub --armor --export 

The file can now be shared with your recipient, who can import it to an email client, such as Thunderbird Mail, that supports signing and encryption with GPG. You can safely share your public key via email or other medium. The public key can only be used to encrypt messages to you. The message can only be decrypted by the one who has the private key.
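This guide writes both a secret-key file (private.gpg) and public-key files (example.gpg, example.pub), so it is worth confirming which kind a file is before sharing it. The following Python script is an added example, not part of the original guide: it reads the OpenPGP packet tags of a binary or armored export and reports whether it holds secret key material. The function names are hypothetical and the sample packets are constructed with dummy bodies, not real keys.

```python
import base64
SECRET_TAGS = {5, 7}    # secret key, secret subkey (RFC 4880 packet tags)
PUBLIC_TAGS = {6, 14}   # public key, public subkey

def dearmor(data: bytes) -> bytes:           # armored text -> binary packets
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data                          # already binary (gpg default)
    lines = [ln.strip() for ln in data.strip().splitlines()]
    start = lines.index(b"") + 1             # blank line ends armor headers
    body = [ln for ln in lines[start:] if not ln.startswith((b"=", b"-----"))]
    return base64.b64decode(b"".join(body))  # "=XXXX" CRC line is skipped

def packet_tags(blob: bytes) -> list:        # tag of every packet, in order
    tags, i = [], 0
    while i < len(blob):
        hdr, i = blob[i], i + 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                       # new-format header
            tag, first = hdr & 0x3F, blob[i]
            if first < 192:
                length, i = first, i + 1
            elif first < 224:
                length, i = ((first - 192) << 8) + blob[i + 1] + 192, i + 2
            elif first == 255:
                length, i = int.from_bytes(blob[i + 1:i + 5], "big"), i + 5
            else:
                raise ValueError("partial body length not handled")
        else:                                # old-format header
            tag, n = (hdr >> 2) & 0x0F, 1 << (hdr & 0x03)
            if n == 8:
                raise ValueError("indeterminate length not handled")
            length, i = int.from_bytes(blob[i:i + n], "big"), i + n
        tags.append(tag)
        i += length                          # skip the packet body
    return tags

def classify_export(data: bytes) -> str:
    tags = set(packet_tags(dearmor(data)))
    return "secret" if tags & SECRET_TAGS else "public" if tags & PUBLIC_TAGS else "unknown"

# Constructed sample packets (old-format header, dummy bodies, not real keys).
def _pkt(tag: int, body: bytes) -> bytes:
    return bytes([0x80 | (tag << 2), len(body)]) + body
UID = _pkt(13, b"Alice <alice@example.org>")
PUBLIC_BIN = _pkt(6, b"\x04" + bytes(8)) + UID + _pkt(14, b"\x04" + bytes(8))
SECRET_BIN = _pkt(5, b"\x04" + bytes(8)) + UID + _pkt(7, b"\x04" + bytes(8))
PUBLIC_ASC = (b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" +
              base64.encodebytes(PUBLIC_BIN) + b"-----END PGP PUBLIC KEY BLOCK-----\n")
```

To check a real export, pass the file's bytes, for example `classify_export(open("example.pub", "rb").read())`; a result of "secret" means the file must not be shared.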

Sign and encrypt your message.

That’s all there is to it. You can now sign and encrypt messages with GNU Privacy Guard.

If your email client is Thunderbird Mail, then you will compose a new message as normal. When you are ready to send your message, you will open the drop down security menu and enable encryption. This will automatically sign your message too. If you only want to sign your message, you can do so by just enabling your digital signature. Note that you can only encrypt the message if you have received a public key from the recipient.

Example of a signed and encrypted email message.

The following picture is an example of a signed and encrypted message that has been received and opened in Thunderbird Mail.

A lock and a diploma indicate that this message has been encrypted and signed by the sender. The GNU Privacy Guard was used with Thunderbird Mail to protect privacy.

If you look in the upper right corner, you can see that a lock indicates that this message was encrypted, and that a diploma indicates that this message was signed by the sender.

This page was last updated 2021-03-12.