Note: this tutorial was written from a throwaway account, so some details will differ from yours: nuck is the test username and Nucky the test real name used throughout.
As always, we will assume that we are starting off from the home directory.
To make a key, use the following command:
gpg --gen-key
You will be asked for the following
nuck@riviera:~$ gpg --gen-key
gpg (GnuPG) 1.4.3; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
gpg: directory `/home/nuck/.gnupg' created
gpg: new configuration file `/home/nuck/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/nuck/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/nuck/.gnupg/secring.gpg' created
gpg: keyring `/home/nuck/.gnupg/pubring.gpg' created
Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)
Your selection?
The default is fine, so select that.
Your selection? 1
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Again, the default is fine. A longer key takes longer to generate and a little longer to sign and encrypt with, and 2048 bits is a sensible size. (The 1024-bit DSA signing key is fixed by this version of gpg; by today's standards it is on the small side, and newer releases let you choose a larger DSA or RSA key.)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Yet again, the default is fine (you can change it later if you wish).
Key does not expire at all
Is this correct? (y/N)
If you are happy, enter 'y' and press enter.
You'll be asked for your real name in a prompt like:
Is this correct? (y/N) y
You need a user ID to identify your key. The software constructs the user ID from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name:
Here, I've filled out my own test gpg data:
Real name: Nucky
Email address: nuck@compsoc.nuigalway.ie
Comment:
You selected this USER-ID:
"Nucky <nuck@compsoc.nuigalway.ie>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?
If you're happy, select 'O'.
Now you'll be asked to enter a passphrase. Choose something that is hard for a machine to guess but that you can remember: length counts for more than cleverness, so several unrelated words beat a short string of alternating upper and lower case letters, numbers and symbols. Everything your key protects rests on this passphrase.
gpg now needs a lot of random bytes from the system's entropy pool. This can take a while on an idle machine, so be patient; typing, moving the mouse or using the disk in the meantime helps.
So, after all that you'll be given something like:
gpg: /home/nuck/.gnupg/trustdb.gpg: trustdb created
gpg: key 91B4BAB5 marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 1024D/91B4BAB5 2007-12-03
Key fingerprint = 1AA1 376E 850E 1A6D 5935 845F 3CF2 9036 91B4 BAB5
uid Nucky <nuck@compsoc.nuigalway.ie>
sub 2048g/8B7CDEDB 2007-12-03
The 8-digit segment
91B4BAB5
is the key ID, which is simply the last eight hex digits of the fingerprint. This tutorial calls it the "short fingerprint" and uses it to name the key in later commands, but it is only 32 bits long and a key with any given eight digits is cheap to produce, so whenever you need to check that a key is genuine, compare the full 40-digit fingerprint.
Next we'll write the full fingerprint and the ASCII-armoured public key to files so others can fetch them. I'll call them fingerprint and public.key.
So, for the fingerprint file we'll use:
gpg --fingerprint > fingerprint
If you view the file, you'll see something like:
nuck@riviera:~$ cat fingerprint
/home/nuck/.gnupg/pubring.gpg
-----------------------------
pub 1024D/91B4BAB5 2007-12-03
Key fingerprint = 1AA1 376E 850E 1A6D 5935 845F 3CF2 9036 91B4 BAB5
uid Nucky <nuck@compsoc.nuigalway.ie>
sub 2048g/8B7CDEDB 2007-12-03
To make the public.key, we'll use the following:
gpg --export --armor > public.key
When you view the file, you should get something like:
nuck@riviera:~$ cat public.key
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.3 (GNU/Linux)
...
=MeiD
-----END PGP PUBLIC KEY BLOCK-----
Both files contain only public data, so it's fine to keep them in your public_html folder where others can fetch them. Bear in mind that a fingerprint fetched from the same place as the key proves nothing on its own; give people your fingerprint in person or over some other channel.
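Here is the whole key-making and export procedure above as one unattended script. It is an added example, not part of the original tutorial: it uses gpg's batch mode (a parameter file instead of the interactive prompts), runs in a throwaway GNUPGHOME so it never touches ~/.gnupg, and the name, address and passphrase in it are constructed test values. It picks RSA rather than the DSA/Elgamal default so that the same parameter file is accepted by GnuPG 1.4 and 2.x.

```shell
#!/bin/sh
# Added example, not from the original tutorial: the key generation and
# export steps run unattended in a throwaway GNUPGHOME. Name, address and
# passphrase are constructed test values; change them before real use.
set -eu

# make_key DIR: create DIR, generate a key pair in it and print the primary
# key's 40-hex-digit fingerprint. Batch mode reads the answers the
# interactive prompts would ask for from a parameter file.
make_key() {
    dir=$1
    mkdir -p "$dir"
    chmod 700 "$dir"          # gpg complains if the homedir is readable by others
    cat >"$dir/keyparams" <<'EOF'
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Nucky
Name-Email: nuck@compsoc.nuigalway.ie
Expire-Date: 0
Passphrase: change-this-constructed-passphrase
%commit
EOF
    GNUPGHOME=$dir gpg --batch --quiet --gen-key "$dir/keyparams" 2>/dev/null
    # Machine-readable listing: field 10 of the first "fpr" record is the
    # primary key fingerprint, the same digits the page shows grouped in fours.
    GNUPGHOME=$dir gpg --with-colons --fingerprint 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# export_public KEYDIR OUTDIR: write the fingerprint and public.key files
# exactly as the tutorial does, reading from KEYDIR instead of ~/.gnupg.
export_public() {
    GNUPGHOME=$1 gpg --fingerprint >"$2/fingerprint" 2>/dev/null
    GNUPGHOME=$1 gpg --export --armor >"$2/public.key" 2>/dev/null
}

# short_id FPR: the 8-digit "short fingerprint" of the tutorial is just the
# last 32 bits of the real fingerprint, which is why it must never be used
# on its own to decide that a key is genuine.
short_id() {
    printf '%s\n' "$1" | tail -c 9
}

# Demonstration; only runs when gpg is installed.
if command -v gpg >/dev/null 2>&1; then
    work=$(mktemp -d)
    fpr=$(make_key "$work/gnupg")
    export_public "$work/gnupg" "$work"
    echo "fingerprint: $fpr"
    echo "short id:    $(short_id "$fpr")"
    head -n 3 "$work/public.key"
    GNUPGHOME=$work/gnupg gpgconf --kill gpg-agent 2>/dev/null || true   # gpg 2.x only
    rm -rf "$work"
fi
```

Running it prints the fingerprint, the 8-digit short ID derived from it, and the first lines of public.key. For a key you intend to keep, choose the passphrase yourself and point GNUPGHOME at your real keyring, or simply run gpg --gen-key interactively as shown above.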
Now that the key is made, let's upload it to a keyserver. There are two schools of thought on this. One is that you should upload it, since it makes it easier for other people to find and verify your key; the other is that publishing it (and the email address in it) costs you some privacy, and a key sent to a keyserver cannot be taken down again, only revoked. I'll show you how to upload it; if you'd rather keep it private, skip this step.
Remember the short fingerprint from earlier, 91B4BAB5? That's the key ID we pass to --send-keys:
gpg --keyserver subkeys.pgp.net --send-keys 91B4BAB5
And away it goes. To confirm, you can fetch your key back from the keyserver with:
gpg --keyserver subkeys.pgp.net --recv-keys 91B4BAB5
But wait, what if I forget my passphrase, my account is hacked or my key is compromised?
The answer is to make a revocation certificate now, while you still have the key and its passphrase. Importing it later marks your key as revoked, and uploading the revoked key tells everyone who refreshes their keyring that the old key is no longer to be used:
gpg --gen-revoke 91B4BAB5
Answer 'y', pick a reason (I'm choosing 1, key has been compromised), enter an optional description and 'y' again. After your passphrase, gpg prints the armoured revocation certificate to the terminal; add --output revoke.asc to write it to a file instead.
Print it out and store it safely, away from the key itself: anyone who gets hold of it can revoke your key. When the day comes, import it with gpg --import revoke.asc and send the key to the keyserver again with --send-keys.
Now, after all that fun, we'll finally get to adding other people's keys to your keyring.
First, I'll show you how to fetch a key from the keyserver when someone has given you their short fingerprint, and then how to import a public key you've been given directly.
Short Fingerprint
If someone has given you their short fingerprint, either online, in person (recommended) or by some other means (fax!), you can fetch their key from the public keyserver:
gpg --keyserver subkeys.pgp.net --recv-keys 5470C9D7
This imports their public key (in this case, my proper gpg key) into your keyring. Because the short ID is not unique, treat what you receive as unverified until you've compared its full fingerprint with the owner; that check is part of the signing step below.
Public Key
You can import a key from a file by giving its name to gpg --import, or paste the key in as here. After the final line, press Ctrl-D on an empty line to end the input.
gpg --import
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.3 (GNU/Linux)
...
=Mjw6
-----END PGP PUBLIC KEY BLOCK-----
Now that we have the key we wanted, let's sign it and assign it a trust level.
All editing of keys, including your own, is done with the
gpg --edit-key
command. To list the keys in your keyring, use:
gpg --list-keys
My key ring gives:
nuck@riviera:~$ gpg --list-keys
/home/nuck/.gnupg/pubring.gpg
-----------------------------
pub 1024D/91B4BAB5 2007-12-03
uid Nucky <nuck@compsoc.nuigalway.ie>
sub 2048g/8B7CDEDB 2007-12-03
pub 1024D/5470C9D7 2007-11-22
uid N Geoghegan <number6@compsoc.nuigalway.ie>
sub 2048g/8159DFB2 2007-11-22
91B4BAB5 is my own key; 5470C9D7 is the key I want to edit.
So, back to the edit-key command:
gpg --edit-key 5470C9D7
This outputs something similar to:
nuck@riviera:~$ gpg --edit-key 5470C9D7
gpg (GnuPG) 1.4.3; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
pub 1024D/5470C9D7 created: 2007-11-22 expires: never usage: SC
trust: unknown validity: unknown
sub 2048g/8159DFB2 created: 2007-11-22 expires: never usage: E
[ unknown] (1). N Geoghegan <number6@compsoc.nuigalway.ie>
Command>
You are now in gpg's key editor; type help to see its commands. The ones we need are fpr, sign, trust and quit. (The separate shell commands gpg --send-keys, to upload a key to a keyserver, and gpg --check-trustdb, to recompute your web of trust, are run afterwards, outside the editor.)
Before signing, show the full fingerprint with:
fpr
and compare it, digit for digit, with the one the owner gave you. In this example I know 5470C9D7 and have checked his fingerprint, so I'll sign his key:
sign
I'll be asked whether I really want to sign and then for my passphrase. After that, I'll have signed his key, which records that I've verified it belongs to him.
Next, we'll go on to trust. This is a different question: not whether the key is genuine, but how far you trust its owner to check other people's keys before signing them. I suggest you only trust them "marginally", as it's safer; a single marginally trusted signature does not make a key valid on its own (by default gpg wants three). So, for 5470C9D7, type:
trust
and select 3 (I trust marginally) from the options. To quit, just type:
quit
There, you've just signed your first gpg key. It's now in your keyring, so mutt can verify signatures on mail from him and encrypt mail you send to him. (Decrypting mail sent to you uses your own key, not his.)
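The following is an added check, not from the original page, for the Short Fingerprint and sign steps: it normalises a fingerprint as someone might read it out (lowercase, grouped in fours, perhaps with a 0x prefix), compares it with the fingerprint gpg reports for the key, and refuses to accept a bare short ID. The two key listings inside it are constructed test data in the colon format of gpg --with-colons --fingerprint KEYID, with invented names and fingerprints; the second key is built to share the genuine key's last eight digits.

```shell
#!/bin/sh
# Added example, not from the original tutorial: verify the full fingerprint
# before running "sign" in gpg --edit-key. All key data below is constructed.
set -eu

# normalise_fpr STRING: strip spaces, tabs, newlines and an optional 0x
# prefix, and uppercase, so a fingerprint read over the phone compares
# equal to the one gpg prints.
normalise_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# fpr_from_listing LISTING: primary-key fingerprint (field 10 of the first
# "fpr" record) from gpg --with-colons output.
fpr_from_listing() {
    printf '%s\n' "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# short_id FPR: the last 8 hex digits, the tutorial's "short fingerprint".
short_id() {
    normalise_fpr "$1" | tail -c 8
    echo
}

# verify_before_sign LISTING EXPECTED: returns 0 if the key in LISTING has
# exactly the fingerprint EXPECTED, 1 on a mismatch, and 2 if EXPECTED is
# not a full fingerprint (e.g. only a short ID), since that proves nothing.
verify_before_sign() {
    have=$(fpr_from_listing "$1")
    want=$(normalise_fpr "$2")
    if [ "${#want}" -ne 40 ]; then
        echo "refusing: a full v4 fingerprint has 40 hex digits, got ${#want}" >&2
        return 2
    fi
    if [ "$have" = "$want" ]; then
        return 0
    fi
    echo "MISMATCH: the local key's fingerprint is $have" >&2
    return 1
}

# Constructed data: the genuine key, and a second key whose fingerprint ends
# in the same 8 digits, so a short-ID lookup matches both.
GENUINE='pub:-:1024:17:1122334455667788:2007-11-22:::-:Alice Example <alice@example.invalid>::scESC:
fpr:::::::::0A1B2C3D4E5F60718293A4B51122334455667788:
sub:-:2048:16:99AABBCCDDEEFF00:2007-11-22::::::e:'
IMPOSTOR='pub:-:1024:17:FFEEDDCC55667788:2007-11-22:::-:Alice Example <alice@example.invalid>::scESC:
fpr:::::::::9F8E7D6C5B4A392817065E4DFFEEDDCC55667788:
sub:-:2048:16:0011223344556677:2007-11-22::::::e:'

# The fingerprint as Alice read it out in person (constructed).
PHONED='0a1b 2c3d 4e5f 6071 8293 a4b5 1122 3344 5566 7788'

echo "short ID of genuine key:  $(short_id "$(fpr_from_listing "$GENUINE")")"
echo "short ID of impostor key: $(short_id "$(fpr_from_listing "$IMPOSTOR")")"
verify_before_sign "$GENUINE" "$PHONED" && echo "genuine key: safe to sign"
verify_before_sign "$IMPOSTOR" "$PHONED" || echo "impostor key: do not sign (exit $?)"
verify_before_sign "$GENUINE" "$(short_id "$PHONED")" || echo "short ID alone: refused (exit $?)"
```

In real use you would feed it the output of gpg --with-colons --fingerprint 5470C9D7 instead of the embedded strings. The point of the impostor listing is that a keyserver lookup by short ID can return it just as readily as the genuine key: a short ID identifies a key only once all 40 digits have been matched.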
So, finally, we get to configure mutt to use gpg to autosign your emails. Again, like before, I'm assuming you're in your home directory.
First create a .muttrc file and then add the following lines to it:
set pgp_autosign=yes
#this auto signs your outgoing mail
set pgp_timeout=1800
#remembers your password for 1800 seconds
my_hdr X-GPG-Key: http://www.compsoc.nuigalway.ie/~username/public.key
#where your gpg key is available, this key points to public.key in your webspace
set move=no
#this is optional, it stops mutt asking to move your read messages
set editor = nano
#this is also optional, it uses the nano text editor which is easier to use
Signing, encrypting and decrypting mail all require your passphrase. Ctrl-F will wipe your passphrase from memory.
Viewing Mail
Once your Muttrc is configured, GPG will automatically be called to verify any signed/encrypted mail.
Composition
In the compose menu (where you normally press 'y' to send a message) you can press 'p' to bring up the PGP menu. This displays:
(e)ncrypt, (s)ign, sign (a)s, (b)oth, or (f)orget it?
This allows you to encrypt and sign mail. If you set pgp_autosign (as above), all mail will be signed by default.
To encrypt a mail to someone, you must have a copy of their public key.