twhalley.online
PGP from scratch
generate a key pair & send your first encrypted message
1 What is PGP?

PGP (Pretty Good Privacy) is an encryption standard that lets you send messages no one else can read — not your ISP, not the mail server, not anyone without the right key.

Public key
Share this with everyone. People use it to encrypt messages to you.
Private key
Keep this secret. Only it can decrypt messages encrypted to your public key.
Fingerprint
A short hash that uniquely identifies a key — verify this before trusting any key.
Signing
Use your private key to prove a message came from you.

The tool you'll use is GPG (GNU Privacy Guard) — a free, open-source implementation of the PGP standard. The GUI apps below are frontends that use GPG underneath.

2 Install
Debian / Ubuntu
sudo apt update && sudo apt install gnupg
Arch / Manjaro
sudo pacman -S gnupg
Fedora / RHEL
sudo dnf install gnupg2

GPG is pre-installed on many distros — run gpg --version first to check.

Kleopatra
Debian / Ubuntu
sudo apt update && sudo apt install kleopatra
Arch / Manjaro
sudo pacman -S kleopatra
Fedora / RHEL
sudo dnf install kleopatra

Kleopatra depends on GPG and will pull it in automatically. Launch it from your app menu.

Requires Homebrew. Install GPG via:

Terminal
brew install gnupg
GPG Suite

Download and install GPG Suite from gpgtools.org. It includes GPG Keychain (key manager) and a Mail plugin for Apple Mail.

Open GPG Keychain from your Applications folder after installing.

Install Gpg4win — it includes gpg.exe for use in PowerShell / Command Prompt.

Or via winget:

PowerShell
winget install GnuPG.Gpg4win

After install, open a new PowerShell window and continue with the commands below.

Kleopatra

Install Gpg4win — Kleopatra is included in the default install.

Or via winget:

PowerShell
winget install GnuPG.Gpg4win

Launch Kleopatra from the Start menu after installing.

Verify the install:

gpg --version

You should see gpg (GnuPG) 2.x.x.

3 Generate your key pair

Run the interactive key generation wizard:

gpg --full-generate-key

Key type — choose (9) ECC (sign and encrypt) for modern elliptic-curve crypto. If not listed, use (1) RSA and RSA.

Curve / size — ECC: Curve 25519. RSA: 4096 bits.

Expiry — 0 for no expiry. A 1–2 year expiry limits damage if your key is compromised.

Name & email — use the address you'll receive encrypted mail at. This is public.

Passphrase — protects your private key on disk. Use a 4–6 word diceware phrase. Do not lose this.

Kleopatra
  1. Open Kleopatra
  2. Click File → New OpenPGP Key Pair
  3. Enter your Name and Email
  4. Click Advanced Settings
  5. Set key material to Ed25519 (signing) and Cv25519 (encryption)
  6. Optionally set an expiry date under Valid until
  7. Click OK, then Create
  8. Enter a strong passphrase when prompted — do not lose this
GPG Keychain
  1. Open GPG Keychain
  2. Click the New button in the toolbar
  3. Enter your Name and Email
  4. Check Upload public key after generation if you want it on keys.openpgp.org
  5. Under key type, choose EdDSA (Ed25519) for the best modern option
  6. Optionally set an expiry date
  7. Click Generate Key
  8. Enter a strong passphrase when prompted
Kleopatra
  1. Open Kleopatra
  2. Click File → New OpenPGP Key Pair
  3. Enter your Name and Email
  4. Click Advanced Settings
  5. Set key material to Ed25519 (signing) and Cv25519 (encryption)
  6. Optionally set an expiry date under Valid until
  7. Click OK, then Create
  8. Enter a strong passphrase when prompted

Your private key is stored in ~/.gnupg/ (Linux/macOS) or %APPDATA%\gnupg\ (Windows). Back it up securely. If you lose it, you cannot decrypt old messages.

4 View your key & fingerprint

List your keys to confirm everything was created correctly:

gpg --list-secret-keys --keyid-format LONG

You'll see output like this:

sec   ed25519/XXXXXXXXXXXXXXXX 2026-01-01 [SC]
      AABB CCDD AABB CCDD AABB  CCDD AABB CCDD AABB CCDD
uid           [ultimate] Your Name <you@example.com>
ssb   cv25519/YYYYYYYYYYYYYYYY 2026-01-01 [E]

The 40-character hex string is your fingerprint. Print it on its own:

gpg --fingerprint you@example.com
Kleopatra
  1. Your new key appears in the My Certificates tab
  2. Double-click it (or right-click → Certificate Details)
  3. The Fingerprint field shows your full 40-character fingerprint
GPG Keychain
  1. Click your key in the list
  2. The fingerprint is shown in the detail panel on the right
  3. Or right-click → Show Details for the full view

Always share your fingerprint alongside your public key so recipients can verify they have the real one.

5 Export your public key

Export to an ASCII-armored file you can share:

gpg --armor --export you@example.com > mypubkey.asc

Or print directly to the terminal to copy:

gpg --armor --export you@example.com
Kleopatra
  1. Right-click your key in My Certificates
  2. Click Export
  3. Save the .asc file — this is your public key, safe to share
GPG Keychain
  1. Right-click your key in the list
  2. Click Export
  3. Make sure Include secret key in exported file is unchecked
  4. Save as mypubkey.asc

Ways to share your public key:

Your website
Host it as a plain text file, e.g. /pgp.txt
Key servers
gpg --keyserver keys.openpgp.org --send-keys YOUR_FINGERPRINT
Email footer
Link to your /pgp.txt in every email you send
WKD
Web Key Directory — automatic lookup if your mail server supports it
6 Import my public key

To encrypt a message to me, you first need my public key in your keyring.

Fetch & import in one command
curl -s https://twhalley.online/pgp.txt | gpg --import
PowerShell
Invoke-WebRequest https://twhalley.online/pgp.txt -OutFile twhalley.asc
gpg --import twhalley.asc
Kleopatra
  1. Download my public key and save it as twhalley.asc
  2. In Kleopatra, click File → Import
  3. Select twhalley.asc and click Open
  4. The key will appear under Other Certificates
GPG Keychain
  1. Download my public key and save it as twhalley.asc
  2. Drag twhalley.asc onto the GPG Keychain window
  3. Or click File → Import and select the file
  4. The key will appear in your keychain list

My public key for twhalley@email.com is published at https://twhalley.online/pgp.txt; save it to a file and import it as shown above.

Verify the import succeeded and check the fingerprint:

gpg --fingerprint twhalley@email.com

Verify the fingerprint — right-click the imported key → Certificate Details.

Verify the fingerprint — click the imported key in GPG Keychain to see details.

My fingerprint should read exactly:

57EF 6CBB 932C B8A5 D2D6  19C9 57BF 243E C833 BD52

Always verify fingerprints out-of-band. If what GPG / the app shows doesn't match the line above, discard the key and re-download it.
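Added example (not from the original page): a small POSIX shell script that automates the check above by reading the downloaded key file without importing it, extracting the primary fingerprint from gpg's machine-readable listing, and importing only when it matches the fingerprint you verified out-of-band. It assumes GnuPG 2.2 or later (for --show-keys); the file name check-key.sh is an assumption.

```shell
#!/bin/sh
# Added example, not from the original page: only import a downloaded key
# if its primary fingerprint matches the one you verified out-of-band.
# Assumes GnuPG 2.2+ (for --show-keys) and a POSIX shell with awk and tr.

# Print the primary-key fingerprint from gpg's machine-readable
# (--with-colons) listing read on stdin. The first "fpr" record after
# the "pub" record belongs to the primary key; field 10 is the 40 hex chars.
primary_fpr_from_colons() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "fpr" && want { print $10; exit }
    '
}

# Normalise a human-readable fingerprint ("57EF 6CBB ...") to 40 uppercase
# hex characters with no spaces so both spellings compare equal.
normalise_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Return 0 if the two fingerprints name the same key, 1 otherwise.
fpr_matches() {
    [ "$(normalise_fpr "$1")" = "$(normalise_fpr "$2")" ]
}

# verify_and_import KEYFILE EXPECTED_FINGERPRINT
# Reads the key file without touching the keyring, checks the fingerprint,
# and imports only on a match. Returns 1 on mismatch, 2 if no key was found.
verify_and_import() {
    keyfile=$1; expected=$2
    actual=$(gpg --with-colons --with-fingerprint --show-keys "$keyfile" \
             | primary_fpr_from_colons)
    if [ -z "$actual" ]; then
        echo "no OpenPGP public key found in $keyfile" >&2
        return 2
    fi
    if ! fpr_matches "$actual" "$expected"; then
        echo "fingerprint mismatch for $keyfile: got $actual," \
             "expected $(normalise_fpr "$expected"); discard and re-download" >&2
        return 1
    fi
    gpg --import "$keyfile"
}
# Runs only when invoked with two arguments, e.g.:
#   sh check-key.sh twhalley.asc "57EF 6CBB 932C B8A5 D2D6 19C9 57BF 243E C833 BD52"
if [ "$#" -eq 2 ]; then
    verify_and_import "$1" "$2"
fi
```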

7 Encrypt a message

Write your message into a plain text file:

nano message.txt
notepad message.txt

Save the file, then encrypt it to my address:

gpg --armor --encrypt --recipient twhalley@email.com message.txt

This produces message.txt.asc — the ciphertext. Open it and you'll see:

-----BEGIN PGP MESSAGE-----

hF4Dr7uXO/ql35MSAQdAjmTc...
[unreadable ciphertext]
-----END PGP MESSAGE-----

To also encrypt to yourself (so you can re-read it later):

gpg --armor --encrypt \
  --recipient twhalley@email.com \
  --recipient you@example.com \
  message.txt
Kleopatra
  1. Write your message in a text editor and save it as message.txt
  2. In Kleopatra, click File → Sign/Encrypt Files
  3. Select message.txt and click Open
  4. Check Encrypt — uncheck Sign if you don't want a signature
  5. Click Next
  6. Add twhalley@email.com as a recipient
  7. Click Encrypt
  8. Kleopatra creates message.txt.asc in the same folder
GPG Suite
  1. Write your message in a text editor and save it as message.txt
  2. Right-click message.txt in Finder
  3. Go to Services → OpenPGP: Encrypt File
  4. Select twhalley@email.com from the recipient list
  5. Click OK
  6. GPG Suite creates message.txt.gpg (or .asc) in the same folder

If Services isn't showing, go to System Settings → Keyboard → Keyboard Shortcuts → Services and enable the OpenPGP entries.

Kleopatra
  1. Write your message in Notepad and save it as message.txt
  2. In Kleopatra, click File → Sign/Encrypt Files
  3. Select message.txt and click Open
  4. Check Encrypt — uncheck Sign if you don't want a signature
  5. Click Next
  6. Add twhalley@email.com as a recipient
  7. Click Encrypt
  8. Kleopatra creates message.txt.asc in the same folder

Only someone with my private key (me) can read this — not your ISP, not the mail server, nobody else.

8 Send the encrypted email

Open message.txt.asc and copy the entire contents — including the -----BEGIN PGP MESSAGE----- header and -----END PGP MESSAGE----- footer. Paste it into the body of an email to:

twhalley@email.com

If you'd like a reply back encrypted to you, paste your public key at the bottom of the email:

gpg --armor --export you@example.com

Copy the output and paste it after the encrypted message block.

Export your public key (Step 5) and paste the contents of the .asc file at the bottom of the email.

That's it — end-to-end encrypted email. No app, no subscription, no central server controlling your keys.

9 Decrypt a reply

Save the encrypted reply block (including headers) to a file, then decrypt it:

gpg --decrypt reply.asc

GPG prompts for your passphrase and prints the plaintext. To save it to a file:

gpg --decrypt reply.asc > reply.txt
Kleopatra
  1. Save the encrypted reply to a file, e.g. reply.asc
  2. In Kleopatra, click File → Decrypt/Verify Files
  3. Select reply.asc and click Open
  4. Enter your passphrase when prompted
  5. Kleopatra saves the decrypted file alongside the original
GPG Suite
  1. Save the encrypted reply to a file, e.g. reply.asc
  2. Right-click the file in Finder → Services → OpenPGP: Decrypt File
  3. Enter your passphrase when prompted
  4. The decrypted file appears in the same folder

Verify a signature

If someone signs a message, verify it with:

gpg --verify signed_message.asc

You must have the sender's public key imported. GPG reports Good signature or Bad signature.

In Kleopatra, use File → Decrypt/Verify Files — it handles both decryption and signature verification automatically.

Right-click the signed file in Finder → Services → OpenPGP: Verify Signature. GPG Suite reports the result in a dialog.

Going further

Upload to a key server

gpg --keyserver keys.openpgp.org --send-keys YOUR_FINGERPRINT

In Kleopatra: right-click your key → Publish on Server.

In GPG Keychain: right-click your key → Send Public Key to Key Server.

keys.openpgp.org requires email verification and supports key deletion — a privacy-respecting choice.

Create a revocation certificate

gpg --gen-revoke you@example.com > revoke.asc

In Kleopatra: right-click your key → Generate Revocation Certificate. Save the file somewhere safe and offline.

In GPG Keychain: right-click your key → Export Revocation Certificate. Save it somewhere safe and offline.

Anyone with your revocation certificate can revoke your key. Store it offline. If your private key is ever compromised, upload this cert immediately.

GPG in your email client

Thunderbird
Built-in OpenPGP support since v78 — no plugin needed.
Mutt / NeoMutt
Native GPG integration via ~/.muttrc.
Apple Mail
GPG Suite installs a plugin that adds encrypt/sign buttons.
Outlook / Gmail
No native support — paste ciphertext manually as shown in Step 8.