Pretty Good Privacy - Creating Your First Keys



Starting with a test key to practice with

by Edward Langenback

© 10/29/03

Congratulations! You have just completed successful installation of PGP v6.5.8. Now we will walk through the process of creating a PGP keypair.

Once the computer has completed restarting and you are once again looking at your desktop, take a look in the system tray next to the clock. You will see an icon that looks like a padlock. If you hold your mouse pointer over it, a tooltip reading 'PGPtray' will appear. Click on the padlock icon and then click on "PGP Keys". The PGP key manager window will open. Because at this point you do not yet have a PGP key, the key generation wizard will appear instead. Click <Next>

Enter a user name and an email address to associate the new key with. In this practice run, enter the name Test User and the address testuser@somedomain.com and then click <Next>

The Key pair type window is next. Here you have to select between a Diffie-Hellman/DSS key pair and an RSA key pair. *NOTE* Users of JBN2 will need to remember that nym servers and remailers use RSA key pairs only. (Note: As of this writing DH/DSS keys are beginning to come into use on some remailers, but for the time being RSA keys are better for compatibility with more remailers.) For this example, choose RSA and then click <Next>

On this screen you choose the size of your key pair. There are only two things that I can say about what is a good size: a) The larger the key size the stronger the encryption. And b) JBN2 users will want to use 2048 bit key size because that's what most nym servers and remailers are expecting. My own personal use key is a 4096/1024 bit DH/DSS key pair and I also have a 2048 bit RSA key for use with JBN2. For this example we'll pick 2048 and click <Next>

Key pair expires: On this screen you choose whether you want your key pair to expire or to be valid indefinitely. For this case, we'll choose "Key pair never expires". If there is a time when you want a key to be valid only for a limited period, you would choose "Key pair expires on", click the drop down box next to it and select a date on the calendar that pops up. For most keys, however, it is better not to have an expiration date on the key; you can always revoke the key if you ever need to make it unusable. Click <Next>

PassPhrase entry screen. Here you will enter the passphrase that you want to use with this key pair. A passphrase can be anything you want, and as long as you want, but USE CAUTION in choosing a passphrase! YOU MUST be able to remember it. You must be able to type it exactly right and it IS case sensitive: "pass phrase" and "Pass PhraSE" are *>NOT<* the same! A passphrase should also be at least eight characters long, preferably longer. The 'Passphrase Quality' meter gives an excellent gauge of how good your chosen passphrase is. Use a mix of numbers, letters (both uppercase and lowercase), special characters (!@#$%^%&*.,;:) and spaces. One example of a really good passphrase would be l23@KLv^9j3$93l43j*&l3D#W/3nh.5j32jkj, but this would be difficult to remember. Each user has to strike their own balance between 'hard to crack' and 'easy to remember'. Now! is the time 18284 for all good men# would also make an excellent passphrase and has the advantage of being a lot easier to remember.

Another thing to remember is that if a passphrase is lost or forgotten, it can NEVER be recovered! Calling the Tech support folks at Network Associates won't help. There is absolutely NO way to recover a lost passphrase except to remember it!

With this in mind, we'll use a simple one for this test key: 'test passphrase' (without the quotes and with the space, both words in all lowercase). Type it into the passphrase box and again into the confirmation box and click <Next>. If the entries in the passphrase and confirmation boxes are not the same, you will be prompted to try again. You will notice that the 'Passphrase Quality' meter only goes about halfway across, meaning that this passphrase is usable, but not really a very good one. For a key pair that you intend to actually use, you might want to consider a better passphrase; with this test key, however, it doesn't matter.
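The passphrase advice above (length, mixed character classes, case sensitivity) can be made concrete with a small quality estimator that rates the tutorial's own example passphrases. This is an added example, not PGP's 'Passphrase Quality' meter; the character classes, the 60/100-bit rating buckets and the 128-bit "full meter" scale are assumptions chosen to roughly match the tutorial's guidance.

```python
import math
import string

# Character classes from the tutorial's advice: digits, letters in both
# cases, special characters and spaces each widen the alphabet that a
# brute-force attacker has to search.
CLASSES = (
    ("digits", frozenset(string.digits)),
    ("lowercase", frozenset(string.ascii_lowercase)),
    ("uppercase", frozenset(string.ascii_uppercase)),
    ("specials", frozenset(string.punctuation)),
    ("spaces", frozenset(" ")),
)
MIN_LENGTH = 8          # the tutorial's "at least eight characters"
FULL_METER_BITS = 128   # assumption: a full meter means ~128 bits of guessing work


def classes_used(passphrase):
    """Names of the character classes that actually appear in the passphrase."""
    return [name for name, chars in CLASSES if any(c in chars for c in passphrase)]


def entropy_bits(passphrase):
    """Rough brute-force entropy: length * log2(alphabet size).

    This is an upper bound. A phrase built from dictionary words is weaker
    than the number suggests, which is why the tutorial's readable example
    still leans on length plus digits and punctuation."""
    used = classes_used(passphrase)
    alphabet = sum(len(chars) for name, chars in CLASSES if name in used)
    return len(passphrase) * math.log2(alphabet) if alphabet else 0.0


def rating(passphrase):
    """Bucket the passphrase the way a quality meter would (thresholds assumed)."""
    if len(passphrase) < MIN_LENGTH:
        return "too short"
    bits = entropy_bits(passphrase)
    if bits < 60:
        return "weak"
    if bits < 100:
        return "usable"
    return "strong"


def meter(passphrase, width=20):
    """Render a text version of the 'Passphrase Quality' bar."""
    filled = round(width * min(entropy_bits(passphrase) / FULL_METER_BITS, 1.0))
    return "#" * filled + "." * (width - filled)


if __name__ == "__main__":
    for p in ("test passphrase", "Now! is the time 18284 for all good men#"):
        print(f"{meter(p)} {rating(p):9} {entropy_bits(p):6.1f} bits  {p!r}")
```

Run as a script it shows 'test passphrase' filling about half the bar, matching what the wizard's meter shows for it, while the readable 40-character phrase fills it completely.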

Now you will see the key generation screen, which is a cute little lightbar going back and forth to give us something to look at while we wait for the key pair to be created. When it is finished, click <Next>

On this screen you are prompted to send your key to the keyserver. For now leave this box un-checked and click <Next>

The key generation wizard is now complete and you have a new set of pgp keys. Click <Finish>

Close the PGPKeys window. You will be prompted to make a backup of your keyrings. Since lost keyrings mean lost data and messages, we'll do that. Click <Save Backup Now>. A standard file save box opens with the default name of your public keyring, 'pubring.pkr'. Find or create a folder to save a backup copy of your keyrings in and click <Save>. Repeat this for your private keyring, 'secring.skr'.

It is a good idea here to mention that lost keyrings mean lost data, and one of the best things you can do to prevent this is by making backup copies of your keyrings whenever you make changes or create a new key. The best policy would be to keep your backup keyrings on a floppy or other removable media and then keep that stored in a safe place. This way in the event of a complete system crash (we ARE talking about Windows here!) you still have your keyrings.

You've now created your first set of PGP keys. Next we'll walk through a few quick examples of how to use it.