Introduction
GnuPG (gpg) implements the OpenPGP standard.
It can be used to secure digital communication through:
- encryption
- signatures
- authentication
Assuming a user named John Smith with the mail address john.smith@example.com,
gpg can generate a primary key that is based on the ED25519 algorithm, is used
for certifying other keys and for signatures, and never expires.
gpg --quick-generate-key "John Smith <john.smith@example.com>" ed25519 cert,sign never
The output looks similar to the one below.
gpg: directory '/home/john/.gnupg' created
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /home/john/.gnupg/trustdb.gpg: trustdb created
gpg: directory '/home/john/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/john/.gnupg/openpgp-revocs.d/2DA27087D0D30BC33EF921134C5E480B970685E2.rev'
public and secret key created and signed.
pub ed25519 2026-06-11 [SC]
2DA27087D0D30BC33EF921134C5E480B970685E2
uid John Smith <john.smith@example.com>
The fingerprint 2DA27087D0D30BC33EF921134C5E480B970685E2 is needed for the
following commands.
Next, gpg is used to add a subkey for encryption.
gpg --quick-add-key 2DA27087D0D30BC33EF921134C5E480B970685E2 cv25519 encrypt never
An authentication subkey is created with gpg as well.
gpg --quick-add-key 2DA27087D0D30BC33EF921134C5E480B970685E2 ed25519 auth never
All relevant data is stored in /home/john/.gnupg and the private keys can be
listed with gpg.
gpg --list-secret-keys
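To check that the result matches the layout built above (a never-expiring cert,sign primary key plus one encryption and one authentication subkey), the machine-readable listing from `--with-colons` can be audited. This is an added example, not part of the original page; the function name `check_layout` and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Colon-format fields used: 1 = record type, 5 = key ID,
# 7 = expiry (empty means never), 12 = capabilities (lowercase letters are
# the key's own, uppercase on the primary summarise the whole key).

# Reads `gpg --list-secret-keys --with-colons` output on stdin.
check_layout() {
  LC_ALL=C awk -F: '
    function fail(msg) { print "FAIL: " msg; bad = 1 }
    $1 == "sec" {
      own = $12; gsub(/[A-Z]/, "", own)       # drop whole-key summary flags
      if (own !~ /s/ || own !~ /c/) fail("primary key lacks sign or cert")
      if (own ~ /[ea]/) fail("primary key also has encrypt or auth")
      if ($7 != "") fail("primary key " $5 " has an expiry date")
    }
    $1 == "ssb" {
      if ($12 ~ /e/) enc++
      if ($12 ~ /a/) auth++
      if ($12 ~ /s/) fail("subkey " $5 " can sign")
      if ($7 != "") fail("subkey " $5 " has an expiry date")
    }
    END {
      if (enc != 1) fail("expected 1 encryption subkey, found " (enc + 0))
      if (auth != 1) fail("expected 1 authentication subkey, found " (auth + 0))
      if (!bad) print "OK: cert,sign primary with one encrypt and one auth subkey"
      exit (bad ? 1 : 0)
    }'
}

# Constructed sample (not real gpg output): timestamps, uid hash and the
# subkey IDs are placeholders; only the primary fingerprint is from the page.
SAMPLE='sec:u:255:22:4C5E480B970685E2:1781136000:::u:::scESCA:::+:::ed25519:::0:
fpr:::::::::2DA27087D0D30BC33EF921134C5E480B970685E2:
uid:u::::1781136000::0000000000000000000000000000000000000000::John Smith <john.smith@example.com>::::::::::0:
ssb:u:255:18:AAAAAAAAAAAAAAAA:1781136000::::::e:::+:::cv25519::
ssb:u:255:22:BBBBBBBBBBBBBBBB:1781136000::::::a:::+:::ed25519::'

printf '%s\n' "$SAMPLE" | check_layout
# Live use: gpg --list-secret-keys --with-colons FINGERPRINT | check_layout
```

The function exits non-zero and prints one FAIL line per deviation, so it can gate a provisioning script.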
See the Arch Linux wiki for details on how to use GnuPG.