Paul Hempshall

Website Cyber Security Professional

Getting started with GNUPG PGP

Published: November 11, 2015 9:41 pm


Basic GnuPG Guide - Windows Command Prompt CLI

Disclaimer: This article comes with no warranties. I do not guarantee the accuracy of the information provided. Use this information at your own risk. Prior research should be carried out. Please see the references and additional information links below for further information.

1) Basic configuration

At the command prompt, run gpg --version. The output states HOME followed by a directory; this is where you should find gpg.conf. If the file doesn't exist, create it. It is usually located in ~/AppData/Roaming/gnupg (~/Application Data/gnupg).

Add this to the end of the file:

### Start personal conf

# remove copyright notice

# cipher and digest prefs
personal-cipher-preferences AES256 TWOFISH AES192 BLOWFISH AES CAST5 3DES
personal-digest-preferences SHA512 SHA384 SHA256 SHA224 SHA1 RIPEMD160 MD5

### End personal conf

This is important because GnuPG seems to default to the SHA1 digest, which is now becoming insecure.

2) Generating key-pair

gpg --gen-key

  • Select option (1) RSA and RSA.
  • Choose the key length. I use 4096 bits.

You will be prompted to enter your details: name, email address, a comment and a password.

This will generate two RSA keys: your master key and an encryption subkey.

3) Add more user IDs to your master key.

If you want or need to add further identities to this key (for example you use multiple email addresses) then you can add a UID.

First you will need to know the keyID.

gpg --list-keys

My example outputs the following:

pub   4096R/EB61CC8B 2012-07-21 [expires: 2017-07-20]
uid                  Paul Hempshall ( 
sub   4096R/34F698F2 2012-07-21 [expires: 2017-07-20]

The key ID is listed on the pub row, after the slash that follows the key length. In this example it is: EB61CC8B.

gpg --edit-key KEYID
gpg> adduid

You will be prompted with a few more questions and your password. Fill in the information it asks for and when complete type 'save' at the gpg prompt.

gpg> save

Do this for all the UIDs you want to add.

4) Adding sub keys

It is important to note that when you use subkeys, people who use your public key cannot specify which subkey to use for, e.g., encryption. So if you remove private subkeys from the copies of your key kept in alternative locations, you run the risk of not being able to decrypt data there unless you distribute separate versions of your public key.

Adding a sign only sub key

gpg --edit-key KEYID
gpg> addkey
  • Choose option (4) RSA (Sign only).
  • Again choose a key length and expiry date.
gpg> save

Adding an encrypt only sub key

gpg --edit-key KEYID
gpg> addkey
  • Choose option (6) RSA (Encrypt only).
  • Again choose a key length and expiry date.
gpg> save

Adding authenticate with servers only sub key

gpg --edit-key KEYID
gpg> addkey
  • Choose option (8) RSA (set your own capabilities).
  • Toggle off sign capability by entering S and pressing [ENTER]
  • Toggle off encrypt capability by entering E and pressing [ENTER]
  • Toggle on authenticate capability by entering A and pressing [ENTER]

It should now say: Current allowed actions: Authenticate
Enter Q for finished.

  • Again choose a key length and expiry date.
gpg> save
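
After adding the subkeys above, you can confirm that each one carries only its intended capability and has an expiry date by parsing gpg's machine-readable listing. The script below is an added example, not part of the original article. It assumes the listing comes from gpg --with-colons --list-keys KEYID with dates as epoch seconds (GnuPG 2.x, or 1.4 with --fixed-list-mode); the sample listing, the function names and the 4096-bit threshold (the author's choice above) are illustrative.

```python
"""Audit key and subkey records from `gpg --with-colons --list-keys KEYID`."""
import sys
import time

# Constructed sample listing: key IDs, dates and the user ID are made up.
SAMPLE = """\
pub:u:4096:1:00000000AAAA0001:1342828800:1500508800::u:::scESCA:
uid:u::::1342828800::::Example User <user@example.org>:
sub:u:4096:1:00000000AAAA0002:1342828800:1500508800:::::e:
sub:u:4096:1:00000000AAAA0003:1447200000:1500508800:::::s:
sub:u:2048:1:00000000AAAA0004:1447200000::::::a:
"""

def audit(listing, now=None, min_bits=4096):
    """Return (record type, key ID, capabilities, findings) per pub/sub record."""
    now = int(time.time()) if now is None else now
    report = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub") or len(f) < 12:
            continue  # skip uid, tru, fpr and malformed records
        kind, bits, keyid, expires = f[0], int(f[2]), f[4], f[6]
        # Field 12 holds capabilities (s=sign, e=encrypt, a=authenticate,
        # c=certify). Uppercase letters on a pub record summarise the whole
        # key, so keep only this key's own lowercase flags.
        caps = "".join(c for c in f[11] if c.islower())
        findings = []
        if bits < min_bits:
            findings.append("%d-bit key is shorter than %d" % (bits, min_bits))
        if not expires:
            findings.append("no expiry date set")
        elif int(expires) <= now:
            findings.append("expired")
        if kind == "sub" and len(caps) != 1:
            findings.append("subkey is not single-purpose: %r" % caps)
        report.append((kind, keyid, caps, findings))
    return report

def missing_capabilities(report, wanted="sea"):
    """Capabilities from `wanted` that no subkey in the report provides."""
    have = {c for kind, _, caps, _ in report if kind == "sub" for c in caps}
    return sorted(set(wanted) - have)

if __name__ == "__main__":
    # Pipe real gpg output in, or run with no input to see the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    result = audit(text)
    for kind, keyid, caps, findings in result:
        print(kind, keyid, caps, "; ".join(findings) or "ok")
    print("missing subkey capabilities:", missing_capabilities(result) or "none")
```

To check a real key, pipe the listing into the script, for example: gpg --with-colons --list-keys KEYID | python audit_keys.py (the file name is arbitrary).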

5) Exporting and Backing up keys

As with anything on computers, backing up is essential. The three basic rules of computing: Backup, backup and backup. You can never have enough backups :)

First, let's export our public key. This is the one you will distribute.

gpg --armor --output "PubKEY.txt" --export KEYID

Next we will back up our private key. Keep this one very safe! If you lose it, consider your key compromised.

gpg --armor --output "PrivKEY.txt" --export-secret-keys KEYID

6) Generating a revocation certificate

It is important that you generate a revocation certificate, for use in the event that your private key becomes compromised or you wish to stop using it.

gpg --armor --output "RevoKEY.txt" --gen-revoke KEYID

You should see something like this:

Create a revocation certificate for this key? (y/N) Y

Please select the reason for the revocation:
  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  Q = Cancel
(Probably you want to select 1 here)
Your decision? 1

Enter an optional description; end it with an empty line:

Keep your revocation certificate as safe as your private key. If you lose it, your keys could be revoked by someone else; in that case, consider yourself compromised.

References & Additional Resources

SHA-1 Crypto Analysis