This is a tutorial for getting started with e-mail encryption and signing using GnuPG and the OpenPGP standard. This guide is primarily written for Debian (and Ubuntu), but GnuPG is available for all major desktop operating systems.


To understand this tutorial better, you have to understand the basics of cryptography and private-public keypairs.


  • Keypair: A private and a public key that belong together.
  • Private key: Your secret key used for making signatures and decrypting mails. Unlocked using a passphrase. To be kept secret, and never shared!
  • Public key: Used for verifying signatures and encrypting emails. Can be shared freely; the only potentially sensitive information in it is the name and e-mail address you provide (e.g. if an e-mail address is private).
  • Signature: A cryptographic verification of an email, showing who wrote it and that it has not been tampered with on the way.
  • Key signature: The signature of a key. Used to verify that a key belongs to the name/e-mail it claims, either directly or through the web of trust.
  • Web of trust: When you have many keys signed, you get a web of trust. You can generally trust a key that's been signed by someone whose key you've signed. (There's an algorithm taking care of this automatically for you.)


The easiest way is to get GnuPG from the package management system. You can do this by typing the following in a terminal:

$ sudo apt-get install gnupg

Generate your key

There are a lot of extra things you can learn about OpenPGP, but to get started you only need to decide two things: key length and expiry. Key length should be a minimum of 2048 bits (4096 recommended) and expiry at most 2 years; we recommend 1. Your passphrase should not be easy to guess, and should be long enough not to be brute-forced.

$ gpg --gen-key
gpg (GnuPG) 1.4.10; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Wed 19 Dec 2012 02:47:01 PM CET
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <>"

Real name: Test Testsson
Email address:
Comment: Test key, for tutorial only
You selected this USER-ID:
    "Test Testsson (Test key, for tutorial only) <>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2012-12-19
pub   4096R/EF8A4A77 2011-12-20 [expires: 2012-12-19]
      Key fingerprint = AFF0 7D2C FCA5 61E1 9370  CA0F E675 7610 EF8A 4A77
uid                  Test Testsson (Test key, for tutorial only) <>
sub   4096R/FD5F94AF 2011-12-20 [expires: 2012-12-19]

Now that you have your key-pair, you can verify it by running

$ gpg -K
sec   4096R/EF8A4A77 2011-12-20 [expires: 2012-12-19]
uid                  Test Testsson (Test key, for tutorial only) <>
ssb   4096R/FD5F94AF 2011-12-20

There it is, all set!
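
To check existing keys against the limits recommended above (at least 2048 bits, an expiry set and no more than 2 years after creation), the following added example, which is not part of the original tutorial, parses gpg's machine-readable --with-colons listing. It assumes GnuPG 2.x, which prints dates as epoch seconds; the function name audit_keys and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit keys against the tutorial's policy
# (at least 2048 bits, expiry set and at most 2 years after creation).
# Input: `gpg --list-keys --with-colons` records on stdin.
# Assumes GnuPG 2.x, where fields 6/7 (created/expires) are epoch seconds.
# Real use: gpg --list-keys --with-colons | audit_keys
audit_keys() {
    awk -F: '
        $1 == "pub" || $1 == "sub" {
            why = ""
            # Field 4 is the algorithm id: 1 = RSA, 16 = Elgamal, 17 = DSA.
            # The bit-length floor only applies to these, not to ECC keys.
            if (($4 == 1 || $4 == 16 || $4 == 17) && $3 + 0 < 2048)
                why = why " short-key(" $3 ")"
            if ($7 == "")
                why = why " no-expiry"
            else if ($7 - $6 > 2 * 366 * 86400)
                why = why " expiry>2y"
            if (why != "") bad = 1
            printf "%s %s %s%s\n", (why == "" ? "OK" : "FAIL"), $1, $5, why
        }
        END { exit bad + 0 }'   # non-zero exit if any key violates the policy
}

# Constructed sample records (key ids are placeholders, not real keys):
# a 4096-bit RSA pair expiring after 1 year, a 1024-bit DSA key with no
# expiry, and a 2048-bit RSA key that expires 5 years after creation.
SAMPLE_KEYS='pub:u:4096:1:AAAAAAAAAAAAAAA1:1324339200:1355875200::u:::scESC:
sub:u:4096:1:AAAAAAAAAAAAAAA2:1324339200:1355875200:::::e:
pub:u:1024:17:BBBBBBBBBBBBBBB1:1324339200:::u:::scESC:
pub:u:2048:1:CCCCCCCCCCCCCCC1:1324339200:1482019200::u:::scESC:'

printf '%s\n' "$SAMPLE_KEYS" | audit_keys || echo "policy violations found" >&2
```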

Configure your email client

There are many email clients out there, and most of them (Outlook being the notable exception) support GnuPG either natively or through an extension.




Send signed and/or encrypted e-mails

Share your key

Sign the keys of others, get others to sign yours