Gentoo Wiki


This article is part of the HOWTO series.



This is a QuickStart™ guide for those who are interested in using PGP / GnuPG (GNU Privacy Guard) but have no experience. The best introductory guide I have yet seen remains part of the Official Gentoo Documentation; this is just a what-you-need-to-know, bare-minimum guide. The process is roughly the same in Windows as it is in Linux (except that you must get the GUI manager elsewhere).


GnuPG uses the OpenPGP standard to sign and/or encrypt messages or files to:



Mail Signing:

Trust Signing: It kinda sounds like anyone could spoof my identity by creating a key with my name and e-mail on it, right? Actually, not so much. It's much easier to explain graphically

For your key to be of any worth, you have to physically meet with others who will then verify your key upon request. A good way to do this would be to

Manage GnuPG

For demonstration:

Name: John M Doe Sr
Comment: http://jdoe75@domain.tld
UID: jdoe75@domain.tld
emerge gnupg seahorse mozilla-thunderbird
# Then go download the enigmail plugin


  1. Launch seahorse & seahorse-agent: Desktop » Preferences » Encryption Preferences » Password Cache » Start seahorse-agent; Select Cache encryption passphrases in memory if you don't want to have to enter your passphrase each time you use gpg. (You will create the passphrase shortly)
  2. Cause seahorse-agent to launch at login: From Encryption Preferences: Session Properties » Startup Programs » Add » seahorse-agent or Desktop » Preferences » Sessions » Startup Programs » Add » seahorse-agent
  3. Add a public keyserver: From Encryption Preferences: Key Servers » Add »; Select Publish Keys To: hkp:// (HKP is also known as the GnuPG HTTP Keyserver Protocol)
    • Search for 'public pgp servers' on google to find others
  4. Create a GnuPG/pgp key: Close Encryption Preferences; From the commandline run seahorse; Now run Key » Create Key Pair... » Assistant » Continue » ... » Apply
    • If you have a slow CPU or selected High or Extra High Security, this may take a few minutes
  5. Trust yourself - (because if you can't, who can?): From the Encryption Key Manager select John M Doe Sr and click Properties » Master Key » Trust: Ultimate
  6. Add another Identity: In that same window click User IDs » Add » ... » OK; Select John M Doe Sr and click Primary to make this your main identity.
    • So why might you need another ID? See Note 2
  7. Add your photo; gimp yourself a nice 240x288px headshot; gpg --edit-key jdoe75@domain.tld addphoto;
    • you want 240x288 or smaller so that your key is a sane size
  8. IMPORTANT: Create a revoke cert: gpg --output ~/Documents/Personal/jdoe75.revoke.pgp.asc --gen-revoke jdoe75@domain.tld; choose option 1 and something creative like 'passphrase is lost or key has been compromised'
    • If you plan on making pgp signatures a serious and important part of your online activity see note 1.
  9. Create an ASCII armor key: gpg --armor --output jdoe75.asc.pgp --export jdoe75@domain.tld
    • How might I use this? See Note 3
  10. Finally, submit your key to a keyserver: From Encryption Key Manager: Remote » Sync and Publish Keys... or gpg --keyserver --send-key jdoe75@domain.tld
    • I get Couldn't retrieve keys from server:; Couldn't communicate with '': Not Found. Try adding :11371 to hkp in seahorse to fix this. Please update this tutorial if you get it to work.
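
An added example (not part of the original guide): steps 4, 8 and 9 done from the command line in a throwaway keyring, so nothing touches ~/.gnupg. It assumes GnuPG 2.2 or later, uses an empty passphrase only because the keyring is deleted afterwards, and copies the revocation certificate that GnuPG 2.1+ writes automatically instead of running the interactive --gen-revoke; the function name demo_keypair and its output-directory argument are hypothetical.

```shell
#!/bin/sh
# Added example: steps 4, 8 and 9 in an isolated, disposable keyring.
# Assumes GnuPG 2.2+; demo_keypair and its argument are hypothetical names.
demo_keypair() (
    out="$1"                                 # directory that receives the files
    uid="John M Doe Sr <jdoe75@domain.tld>"  # the guide's demonstration identity
    mkdir -p "$out" || exit 1
    GNUPGHOME="$(mktemp -d)" || exit 1       # isolated keyring, not ~/.gnupg
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"

    # Step 4: create the key pair. The empty passphrase is acceptable only
    # because this keyring is deleted below; a real key needs a passphrase.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$uid" default default 1y || exit 1

    # Primary-key fingerprint, taken from the machine-readable listing.
    fpr="$(gpg --batch --with-colons --list-keys jdoe75@domain.tld |
           awk -F: '/^fpr:/ { print $10; exit }')"
    [ -n "$fpr" ] || exit 1

    # Step 8: GnuPG 2.1+ stores a revocation certificate at key creation.
    # Copy it out of the keyring; keep it offline, never next to the public key.
    cp "$GNUPGHOME/openpgp-revocs.d/$fpr.rev" "$out/jdoe75.revoke.pgp.asc" || exit 1
    chmod 600 "$out/jdoe75.revoke.pgp.asc"

    # Step 9: export the public key as ASCII armor; this is the file to publish.
    gpg --batch --armor --output "$out/jdoe75.asc.pgp" --export "$fpr" || exit 1

    gpgconf --kill gpg-agent || true         # stop the agent started for this home
    rm -rf "$GNUPGHOME"
    printf '%s\n' "$fpr"                     # fingerprint to compare when meeting signers
)
```

The automatically stored certificate has a colon inserted before its armor header so it cannot be imported by accident; remove that colon only when you actually need to revoke the key.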

I'm kinda tired of writing now... maybe I'll finish this later, maybe not. The rest is pretty well established in HOWTO GnuPG + Enigmail.

If you can't get your mail client to import keys properly you can do it from the commandline

and then with some refreshment (opening/closing or hitting a 'refresh keylist' button) it will recognize it.


Things you can do later on:

See Also


Note 1: You aren't going to use this at this time, but it's important to create a revoke cert just in case, even before you submit your key. If your key is compromised or you forget your passphrase you can then annul your key so that it isn't used anymore. You should store your revoke cert in a safe place - burn a copy to CD or print it out and file it. However, if your revoke cert falls into the wrong hands it could be used to revoke your key without your knowledge. Might not be a bad idea to create a secondary keyset, sign it with the first, and store it separately as well.

Note 2:

Note 3

I copied mine to my webserver whilst I wait for the keyrings to update. This also adds a degree of unofficial trust - I wouldn't put a fake key on the webserver that's on my business card, but someone else might try to spoof my identity and post it on a keyring.


Last modified: Thu, 31 Jul 2008 05:28:00 +0000 Hits: 15,932