OpenPGP Key Generation Guide
Generate RSA and Ed25519 OpenPGP key pairs — with expiry, passphrase, and key management best practices.
Tags: OpenPGP key generation, PGP key pair generator, GPG keygen
Generating an OpenPGP key pair is the first step in using PGP encryption. Your public key is shared; your private key is kept secret and protected by a passphrase. This guide covers key type selection, GPG command-line generation, openpgp.js, subkey architecture, and key management practices.

---

How do I use Key Architecture in OpenPGP?

An OpenPGP key is not a single key — it is a certificate containing a primary key and one or more subkeys, each with a specific capability:

| Key | Capability | Stored |
|-----|-----------|--------|
| Primary key | Certify (sign other keys) | Offline ideally |
| Signing subkey | Sign messages/files | Online (laptop, phone) |
| Encryption subkey | Encrypt/decrypt | Online |
| Authentication subkey | SSH authentication | Online… |
Frequently Asked Questions
How do I generate a PGP key pair?
With GPG: run `gpg --full-generate-key` and follow the prompts. Select ECC (ed25519 for sign, cv25519 for encrypt), set an expiry date (1–3 years), and use a strong passphrase. Alternatively, use the browser-based OpenPGP Key Generator which runs entirely in your browser using openpgp.js. The generated keys can be exported as ASCII armor files.
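The unattended route to the layout in the key architecture table, using the ECC choices from this answer, as an added example (not code from the original guide or from GnuPG's own documentation): it builds a certify-only Ed25519 primary key from a GnuPG batch parameter file, adds separate ed25519/cv25519 subkeys with `--quick-add-key`, and exports the public key, the online subkey set and an offline backup of the full secret key. The name, e-mail address, passphrase and output paths are constructed placeholders, and the function names `gen_params`, `fingerprint_for` and `generate_key_set` are mine.

```shell
#!/bin/sh
# Added example (not from the original guide): unattended GnuPG key generation that
# follows the primary-key-plus-subkeys layout: a certify-only Ed25519 primary key
# plus separate sign / encrypt / auth subkeys, all with an expiry and a passphrase.
# All names, addresses, the passphrase and the output directory are constructed.

# Build a GnuPG batch parameter file for a certify-only Ed25519 primary key.
#   $1 = real name, $2 = e-mail, $3 = expiry (GnuPG duration such as 2y), $4 = passphrase
# Refuses to describe a non-expiring key, matching the guide's expiry advice.
gen_params() {
    case "$3" in
        ""|0) echo "gen_params: refusing to generate a key without an expiry" >&2; return 1 ;;
    esac
    cat <<EOF
%echo Generating certify-only Ed25519 primary key
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: cert
Name-Real: $1
Name-Email: $2
Expire-Date: $3
Passphrase: $4
%commit
EOF
}

# Look up the primary-key fingerprint for an e-mail address in the current keyring.
fingerprint_for() {
    gpg --batch --list-secret-keys --with-colons "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Generate the full key set in a throw-away keyring (GNUPGHOME) and export:
#   pub.asc             public certificate to share
#   secret-subkeys.asc  the online key set (primary secret key omitted)
#   primary-backup.asc  the complete secret key, to be stored offline
#   $1 = real name, $2 = e-mail, $3 = expiry, $4 = passphrase, $5 = output directory
generate_key_set() {
    name=$1; email=$2; expiry=$3; pass=$4; outdir=$5
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    chmod 700 "$GNUPGHOME"

    gen_params "$name" "$email" "$expiry" "$pass" > "$GNUPGHOME/params"
    gpg --batch --pinentry-mode loopback --generate-key "$GNUPGHOME/params"
    fpr=$(fingerprint_for "$email")

    # One subkey per capability; each subkey gets the same expiry as the primary key.
    for spec in "ed25519 sign" "cv25519 encr" "ed25519 auth"; do
        set -- $spec
        gpg --batch --pinentry-mode loopback --passphrase "$pass" \
            --quick-add-key "$fpr" "$1" "$2" "$expiry"
    done

    mkdir -p "$outdir"
    gpg --batch --armor --export "$fpr" > "$outdir/pub.asc"
    gpg --batch --pinentry-mode loopback --passphrase "$pass" --armor \
        --export-secret-subkeys "$fpr" > "$outdir/secret-subkeys.asc"
    gpg --batch --pinentry-mode loopback --passphrase "$pass" --armor \
        --export-secret-keys "$fpr" > "$outdir/primary-backup.asc"
    echo "$fpr"
}

# Runs only when explicitly requested, so sourcing this file never touches a keyring.
if [ "${1:-}" = "run" ]; then
    generate_key_set "Example User" "user@example.com" "2y" "constructed-passphrase-change-me" ./keys
fi
```

`secret-subkeys.asc` is what goes onto the laptop or phone; `primary-backup.asc` holds the certify-capable primary key and belongs on offline storage, which is the "Offline ideally" row of the table. The `--quick-add-key` and `--pinentry-mode loopback` options need GnuPG 2.1 or later.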
What key size should I use for PGP?
For RSA, 4096 bits is the minimum for new keys. RSA-2048 is deprecated for new generation. However, Ed25519/X25519 (Curve25519) is the preferred choice for new keys — it provides security equivalent to ~3072-bit RSA with smaller key sizes, faster operations, and a simpler security argument. GPG defaults to Curve25519 for ECC key generation.
What is an Ed25519 PGP key?
Ed25519 is an EdDSA digital signature algorithm using Curve25519. OpenPGP key pairs using Ed25519 for signing and X25519 (also called cv25519) for encryption are faster, produce smaller outputs, and are generally preferred over RSA-4096 for new keys. Ed25519 key generation takes milliseconds vs seconds for RSA-4096.
Should my PGP key expire?
Yes — always set an expiry date on your primary key. A 1–3 year expiry is common. Expiry limits damage from key compromise: if your key is stolen, it cannot be used for new encryption after the expiry date. You can extend the expiry on your current key before it expires — this does not require generating a new key.
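A defender's check for the expiry rule in this answer, added here as an example rather than code from the guide: it parses GnuPG's machine-readable listing (`gpg --list-keys --with-colons`) and flags every primary key or subkey that is already expired, expires within a warning window, or has no expiry at all, then shows the `--quick-set-expire` call that extends an existing key in place. The colon-format sample, key IDs, fingerprint and timestamps are constructed, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original guide): report the expiry state of every
# primary key and subkey in GnuPG's --with-colons listing so a key can be extended
# before it lapses. Colon fields used: 1 record type, 5 key ID, 7 expiration time
# (seconds since the epoch, empty when the key never expires), 12 key capabilities.

# Constructed sample listing in the shape of `gpg --list-keys --with-colons`:
# a certify-only primary key, an encryption subkey close to expiry, a signing
# subkey with no expiry, and an authentication subkey that has already expired.
SAMPLE_COLONS='pub:u:255:22:1111222233334444:1700000000:1763000000::u:::cESCA:::::ed25519:::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1700000000::0000000000000000000000000000000000000000::Example User <user@example.com>::::::::::0:
sub:u:255:18:5555666677778888:1700000000:1731500000:::::e:::::cv25519::
sub:u:255:22:9999AAAABBBBCCCC:1700000000::::::s:::::ed25519::
sub:u:255:22:DDDDEEEEFFFF0000:1700000000:1729000000:::::a:::::ed25519::'

# Print one line per key: STATE kind keyid caps=... [days=N]
#   $1 = reference time (seconds since the epoch), $2 = warning window in days
# Reads colon-format output on stdin.
expiry_report() {
    awk -F: -v now="$1" -v warn="$2" '
        $1 == "pub" || $1 == "sub" {
            kind = ($1 == "pub") ? "primary" : "subkey"
            if ($7 == "") {
                # No expiry at all: the guide recommends always setting one.
                printf "NOEXPIRY %s %s caps=%s\n", kind, $5, $12
                next
            }
            secs = $7 - now
            if (secs < 0) {
                state = "EXPIRED"; days = int(-secs / 86400)
            } else {
                days = int(secs / 86400)
                state = (days <= warn) ? "EXPIRING" : "OK"
            }
            printf "%s %s %s caps=%s days=%d\n", state, kind, $5, $12, days
        }'
}

# Check the local keyring against a warning window (default 30 days).
check_keyring() {
    gpg --batch --list-keys --with-colons | expiry_report "$(date +%s)" "${1:-30}"
}

# Extend the primary key and every subkey of fingerprint $1 to a new expiry $2 (e.g. 2y).
# The key itself is unchanged, so correspondents only need to refresh the public key.
extend_expiry() {
    gpg --batch --quick-set-expire "$1" "$2"       # primary key
    gpg --batch --quick-set-expire "$1" "$2" '*'   # all subkeys
}

# Demo on the constructed listing with a reference time of 1730000000 and a 30-day window.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_COLONS" | expiry_report 1730000000 30
fi
```

Run `check_keyring 30` from a cron job or a shell login hook and act on any `EXPIRING` or `NOEXPIRY` line with `extend_expiry`; the certify-capable primary key must be present in the keyring for `--quick-set-expire` to succeed, which is one reason to keep its offline backup retrievable.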
How do I add a passphrase to a PGP key?
When generating a key in GPG, you will be prompted for a passphrase. For an existing key: `gpg --edit-key your@email.com`, then `passwd`. The passphrase encrypts your private key on disk — without it, anyone who copies your key file can use it. Use a long, random passphrase (20+ characters).