This document is a step-by-step guide to creating a large, customised OpenPGP key. It assumes a successful installation of GPG 1.4.x or 2.0.x. The GPG commands are identical, but my examples use version 1.4.12 with the following details:Quotebash-3.2$ gpg -v --versiongpg (GnuPG) 1.4.12Copyright (C) 2012 Free Software Foundation, Inc.License GPLv3+: GNU GPL version 3 or later This is free software: you are free to change and redistribute it.There is NO WARRANTY, to the extent permitted by law.Home: ~/.gnupgSupported algorithms:Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSACipher: IDEA (S1), 3DES (S2), CAST5 (S3), BLOWFISH (S4), AES (S7), AES192 (S8), AES256 (S9), TWOFISH (S10), CAMELLIA128 (S11), CAMELLIA192 (S12), CAMELLIA256 (S13)Hash: MD5 (H1), SHA1 (H2), RIPEMD160 (H3), SHA256 (H8), SHA384 (H9), SHA512 (H10), SHA224 (H11)Compression: Uncompressed (Z0), ZIP (Z1), ZLIB (Z2), BZIP2 (Z3)bash-3.2$ These instructions utilise the expert mode of GPG and assume you are comfortable using the command line and editing the gpg.conf file. The instructions are geared towards *nix systems (e.g. Linux, OS X, BSD, Solaris, etc.), but should be adaptable by Windows users (and mostly the same).First Step:Open your gpg.conf file (usually located at ~/.gnupg/gpg.conf on *nix systems, but may be elsewhere) in your preferred text editor (e.g. Vim, Emacs, Nano).Skip to the end of the file and add the following lines:Code: [Select]experttrust-model alwaysenable-dsa2default-preference-list S9 S10 S13 S8 S12 S7 S11 S2 S3 S4 H10 H9 H8 H11 H3 H2 H1 Z3 Z2 Z1 Z0personal-cipher-preferences S9 S10 S13 S8 S12 S7 S11 S2 S3 S4personal-digest-preferences H10 H9 H8 H11 H3 H2 H1personal-compress-preferences Z3 Z2 Z1 Z0no-emit-versionThe "expert" option enables expert mode. It is wise to comment this out with a hash symbol (#) when you've finished making the key. Alternatively it can be left out and invoked on the command line with the "--expert" flag.The "trust-model always" option enables you to encrypt to keys that you have not signed or set trust levels for without seeing a warning message.The "enable-dsa2" option uses new style DSA keys instead of the original which is open to certain kinds of attacks (see the gnupg-users mailing list archive for details).The preference lists tell GPG which order for cipher, hash and compression algorithms is preferred. The options above can be decoded with the version information at the top of this HOWTO. The first three cipher algorithms (used for symmetric/message encryption) in the above lines are: AES-256, Twofish and Camellia-256. The "default-preference-list" is the "personal-cipher-preferences" followed by the "personal-digest-preferences" and the "personal-compress-preferences" lines. You may want to change the order around if you favour one particular cipher, the order won't disable any of the supported ciphers and you may send in less preferred ciphers if GPG detects a key can't use your preferred cipher.The "no-emit-version" option suppresses the GPG version information at the top of a message or key block.When finished, save and close the gpg.conf file.Second Step:At the command line run "gpg --gen-key" (or "gpg --gen-key --expert"):Quotebash-3.2$ gpg --gen-keyPlease select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) (7) DSA (set your own capabilities) (8 ) RSA (set your own capabilities)Your selection? If you want a large RSA key then select "4" from this menu. If you want a large DSA key then select "3" instead. I recommend using RSA for the master key/certificate, so for this example I am selecting "4" at this point.QuoteYour selection? 4RSA keys may be between 1024 and 4096 bits long.What keysize do you want? (2048) This shows the default key size (2048-bit), but we want the largest size that is guaranteed to work with other OpenPGP installations. So enter "4096" here.Note: if creating a DSA key the maximum is 3072-bit.QuoteWhat keysize do you want? (2048) 4096Requested keysize is 4096 bitsPlease specify how long the key should be valid. 0 = key does not expire = key expires in n days w = key expires in n weeks m = key expires in n months y = key expires in n yearsKey is valid for? (0) Press enter here, even if you do want your encryption and/or signing key to expire. The reason for this will become apparent later.QuoteKey is valid for? (0) Key does not expire at allIs this correct? (y/N) yThe next step is to enter your pseudonymous data.QuoteIs this correct? (y/N) y You need a user ID to identify your key; the software constructs the user IDfrom the Real Name, Comment and Email Address in this form: "Heinrich Heine (Der Dichter) "Real name: Louis CyphreEmail address: nobody@example.orgComment: SR Test KeyYou selected this USER-ID: "Louis Cyphre (SR Test Key) "Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? When you are satisfied type "O" and enter. Then GPG will prompt for the passphrase to be set, make sure that it is a passphrase with a high amount of entropy (128-bits or larger). Make sure you don't lose it or forget it.QuoteChange (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? OYou need a Passphrase to protect your secret key.We need to generate a lot of random bytes. It is a good idea to performsome other action (type on the keyboard, move the mouse, utilize thedisks) during the prime generation; this gives the random numbergenerator a better chance to gain enough entropy.public and secret key created and signed.pub 4096R/7476C291 2012-06-28 Key fingerprint = 89FF C1E9 BE69 5A46 7AEA A42D F730 9299 7476 C291uid Louis Cyphre (SR Test Key) Note that this key cannot be used for encryption. You may want to usethe command "--edit-key" to generate a subkey for this purpose.bash-3.2$ Now we need to add a signing subkey for signing messages (the master key that we just created is used to sign other keys). We also need to add an encryption subkey.Quotebash-3.2$ gpg --edit-key 7476C291Secret key is available.pub 4096R/7476C291 created: 2012-06-28 expires: never usage: SC [ unknown] (1). Louis Cyphre (SR Test Key) gpg> At any time you can obtain a list of the commands used to edit the key with the "help" command.Quotegpg> helpquit quit this menusave save and quithelp show this helpfpr show key fingerprintlist list key and user IDsuid select user ID Nkey select subkey Ncheck check signaturessign sign selected user IDs [* see below for related commands]lsign sign selected user IDs locallytsign sign selected user IDs with a trust signaturenrsign sign selected user IDs with a non-revocable signatureadduid add a user IDaddphoto add a photo IDdeluid delete selected user IDsaddkey add a subkeyaddcardkey add a key to a smartcardkeytocard move a key to a smartcardbkuptocard move a backup key to a smartcarddelkey delete selected subkeysaddrevoker add a revocation keydelsig delete signatures from the selected user IDsexpire change the expiration date for the key or selected subkeysprimary flag the selected user ID as primarytoggle toggle between the secret and public key listingspref list preferences (expert)showpref list preferences (verbose)setpref set preference list for the selected user IDskeyserver set the preferred keyserver URL for the selected user IDsnotation set a notation for the selected user IDspasswd change the passphrasetrust change the ownertrustrevsig revoke signatures on the selected user IDsrevuid revoke selected user IDsrevkey revoke key or selected subkeysenable enable keydisable disable keyshowphoto show selected photo IDsclean compact unusable user IDs and remove unusable signatures from keyminimize compact unusable user IDs and remove all signatures from key* The `sign' command may be prefixed with an `l' for local signatures (lsign), a `t' for trust signatures (tsign), an `nr' for non-revocable signatures (nrsign), or any combination thereof (ltsign, tnrsign, etc.).gpg> To add a signing subkey use the "addkey" command and enter your passphrase at the prompt.Quotegpg> addkeyKey is protected.You need a passphrase to unlock the secret key foruser: "Louis Cyphre (SR Test Key) "4096-bit RSA key, ID 7476C291, created 2012-06-28Please select what kind of key you want: (3) DSA (sign only) (4) RSA (sign only) (5) Elgamal (encrypt only) (6) RSA (encrypt only) (7) DSA (set your own capabilities) (8 ) RSA (set your own capabilities)Your selection? You will see that the options are slightly different from the first "--gen-key" command. You can select option "3" for a DSA key or "4" for RSA here. We'll be sticking with RSA for this example.QuotePlease select what kind of key you want: (3) DSA (sign only) (4) RSA (sign only) (5) Elgamal (encrypt only) (6) RSA (encrypt only) (7) DSA (set your own capabilities) (8 ) RSA (set your own capabilities)Your selection? 4RSA keys may be between 1024 and 4096 bits long.What keysize do you want? (2048) A signing subkey doesn't really need to be as large as the encryption keys, so we're going to leave it at the default.QuoteWhat keysize do you want? (2048) Requested keysize is 2048 bitsPlease specify how long the key should be valid. 0 = key does not expire = key expires in n days w = key expires in n weeks m = key expires in n months y = key expires in n yearsKey is valid for? (0) Either set an expiration or not. An expiration can be modified later, but if other people have a copy that pre-dates modification then their parts of that key will expire. This example will use an expiration of 2 years.QuotePlease specify how long the key should be valid. 0 = key does not expire = key expires in n days w = key expires in n weeks m = key expires in n months y = key expires in n yearsKey is valid for? (0) 2yKey expires at Sat Jun 28 21:07:25 2014 ESTIs this correct? (y/N) yReally create? (y/N) yWe need to generate a lot of random bytes. It is a good idea to performsome other action (type on the keyboard, move the mouse, utilize thedisks) during the prime generation; this gives the random numbergenerator a better chance to gain enough entropy.pub 4096R/7476C291 created: 2012-06-28 expires: never usage: SC sub 2048R/C257E199 created: 2012-06-28 expires: 2014-06-28 usage: S [ unknown] (1). Louis Cyphre (SR Test Key) gpg> Now we just need to do the same thing to create an encryption subkey. This time, though we are going to create a 4096-bit Elgamal subkey instead of usig RSA.Quotegpg> addkeyKey is protected.You need a passphrase to unlock the secret key foruser: "Louis Cyphre (SR Test Key) "4096-bit RSA key, ID 7476C291, created 2012-06-28Please select what kind of key you want: (3) DSA (sign only) (4) RSA (sign only) (5) Elgamal (encrypt only) (6) RSA (encrypt only) (7) DSA (set your own capabilities) (8 ) RSA (set your own capabilities)Your selection? 5ELG-E keys may be between 512 and 4096 bits long.What keysize do you want? (2048) 4096Requested keysize is 4096 bitsPlease specify how long the key should be valid. 0 = key does not expire = key expires in n days w = key expires in n weeks m = key expires in n months y = key expires in n yearsKey is valid for? (0) 1yKey expires at Fri Jun 28 21:16:30 2013 ESTIs this correct? (y/N) yReally create? (y/N) yWe need to generate a lot of random bytes. It is a good idea to performsome other action (type on the keyboard, move the mouse, utilize thedisks) during the prime generation; this gives the random numbergenerator a better chance to gain enough entropy.pub 4096R/7476C291 created: 2012-06-28 expires: never usage: SC sub 2048R/C257E199 created: 2012-06-28 expires: 2014-06-28 usage: S sub 4096g/124E119B created: 2012-06-28 expires: 2013-06-28 usage: E [ unknown] (1). Louis Cyphre (SR Test Key) gpg> Finally we need to save these modifications.Quotegpg> savebash-3.2$ By following these instructions you will end up with a key of comparable strength to mine. Except I did not set an expiration date on the subkeys, I prefer to revoke subkeys as I deem it necessary rather than be locked into a particular date.The result should be something like this:Quotebash-3.2$ gpg -k --fingerprint 7476C291pub 4096R/7476C291 2012-06-28 Key fingerprint = 89FF C1E9 BE69 5A46 7AEA A42D F730 9299 7476 C291uid Louis Cyphre (SR Test Key) sub 2048R/C257E199 2012-06-28 [expires: 2014-06-28]sub 4096g/124E119B 2012-06-28 [expires: 2013-06-28]bash-3.2$ Note: It is possible to create RSA and Elgamal keys larger than 4096-bit, but it is not recommended. Asymmetric encryption does not scale in the same way as symmetric encryption so there is a law of diminishing returns when creating larger keys. A table with the details is available here (clearnet):http://www.keylength.com/en/4/Hopefully you will find this of some benefit.