Generating your GnuPG key pair

These step-by-step instructions assume that you have installed a copy of GnuPG on your personal computer. GnuPG for a wide variety of operating systems can be downloaded from here. GnuPG is available on toast (the Compsoc Linux box) but I strongly advise you not to risk using it on a multi-user system where your control files are trivially vulnerable to compromise.

The instructions are based on GnuPG for Linux -- if you use a version of GnuPG for a different OS then you'll need to follow the same instructions in general, but the commands to use and the output generated may differ in places. For Windows users the commands and output are the same except where stated.

This guide was heavily based on a document written by V. Alex Brennen, to whom I am indebted.

1) Run GnuPG (the GNU Privacy Guard) to set up your GnuPG options:

[fpb@delirium](~) gpg
gpg: /users/fpb/.gnupg: directory created
gpg: /users/fpb/.gnupg/options: new options file created
gpg: you have to start GnuPG again, so it can read the new options file

2) Make sure your .gnupg directory is only accessible to you (ideally, you want to keep your .gnupg on your own machine or, even better, on a floppy disk, rather than on a multiuser system, but if you can't do that this is the next best thing). The directory itself needs mode 700 (a directory without its execute bit cannot be entered, even by you, so a recursive chmod 600 would lock GnuPG out of its own files); the files inside should be mode 600:

[fpb@delirium](~) chmod 700 .gnupg
[fpb@delirium](~) chmod 600 .gnupg/*

3) Generate your GnuPG keys:

[fpb@delirium](~) gpg --gen-key

3a) Select the kind of key you want -- the default is fine:

Please select what kind of key you want:
(1) DSA and ElGamal (default)
(2) DSA (sign only)
(4) ElGamal (sign and encrypt)
(5) RSA (sign only)
Your selection? <return>

3b) Select your key size. The default key size is fine, but larger keysizes are slightly more secure.

DSA keypair will have 1024 bits.
About to generate a new ELG-E keypair.
minimum keysize is 768 bits
default keysize is 1024 bits
highest suggested keysize is 2048 bits
What keysize do you want? (1024) <return>

3c) Specify the lifetime of the key. An ideal time is 5 years.

Requested keysize is 1024 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 5y <return>
Key expires at 14:00:05 17-Sep-2007 GMT
Is this correct (y/n)? y <return>

3d) Enter your primary name and email address.

You need a User-ID to identify your key; the software constructs the user id
from Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Fred Bloggs <return>
Email address: f.p.bloggs@durham.ac.uk <return>
Comment: <return>

You selected this USER-ID:
"Fred Bloggs <f.p.bloggs@durham.ac.uk>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O <return>

3e) Choose a pass phrase, and make it a good one. It should be long, very difficult to guess and most importantly something that you won't forget: if you forget your pass phrase, you can't recover your key. You can see some hints on choosing good pass phrases.

3f) Hit some random keys or do some operation in the background while GnuPG generates your keys: it needs some random bytes and these are generated partly from interrupts.

4) Modify your key if you want to, for example if you have multiple email addresses and you want to list them as valid on your key:

[fpb@delirium](~) gpg --list-secret-keys

/users/fpb/.gnupg/secring.gpg
----------------------------
sec 1024D/CO1BAFC3 2002-09-18 Fred Bloggs <f.p.bloggs@durham.ac.uk>
ssb 1024g/7A4087F3 2002-09-18

[fpb@delirium](~) gpg --edit-key CO1BAFC3
pub 1024D/CO1BAFC3  created: 2002-09-18 expires: 2007-09-17 trust: u/u
sub 1024g/7A4087F3  created: 2002-09-18 expires: 2007-09-17

Command> adduid <return>
Real name: Fred Bloggs <return>
Email address: fpb@compsoc.dur.ac.uk <return>
Comment: Compsoc account <return>

You selected this USER-ID:
"Fred Bloggs (Compsoc account) <fpb@compsoc.dur.ac.uk>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O <return>

Command> save <return>

5) Send your public key to a keyserver:

[fpb@delirium](~) gpg --keyserver pgp.mit.edu --send-key CO1BAFC3
gpg: success sending to `pgp.mit.edu' (status=200)

(If you are working inside the Durham network (or any other network enforcing the use of a proxy server) you will need to include the command line option --keyserver-options honor-http-proxy (or include the line keyserver-options honor-http-proxy in your gpg.conf file) for keyserver interaction to work. This relies on having the http_proxy environment variable set correctly (in Linux) or your Internet Options appropriately configured (in Windows).)

6) Send your public key information to me (only if you're going to be taking part in the keysigning party: if you don't do this, you can't participate):

[fpb@delirium](~) gpg --fingerprint CO1BAFC3 | mail n.g.boalch@durham.ac.uk

(Windows users: do gpg --fingerprint CO1BAFC3 > fingerprint.txt and copy & paste the resulting file into an email.)

7) Generate a revocation certificate for your key, in case you lose access to your private key for whatever reason (compromise, seizure, forgotten pass phrase, media failure, whatever). Store your revocation certificate in a secure place (anyone who holds it can revoke your key), and also print a hard copy.

[fpb@delirium](~) gpg --output revcert.asc --gen-revoke CO1BAFC3
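The same procedure, steps 2 to 7, as an unattended script. This is an added example and not part of the original guide: it targets GnuPG 2.1 or later (whose batch parameter file, --quick-add-uid and automatically written revocation certificate did not exist in the GnuPG 1.x shown in the transcripts above), it runs entirely inside a throwaway GNUPGHOME so it cannot touch your real keyring, and the name, addresses, passphrase and file names in it are constructed placeholders. The permission helper also shows why the directory has to be 700 rather than 600.

```shell
#!/bin/sh
# Added example, not part of the original guide: steps 2 to 7 of the
# procedure above done without the interactive dialogues, for GnuPG 2.1+.
# Identity, addresses, passphrase and file names are constructed placeholders.

# Octal mode of a path: GNU stat first, BSD/macOS stat as the fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Step 2. A directory must keep its execute bit or it can no longer be
# entered, even by its owner, so the directory gets 700 and only the files
# inside get 600. (A recursive "chmod 600" would lock you out of your own keyring.)
secure_gnupghome() {
    chmod 700 "$1" || return 1
    find "$1" -type f -exec chmod 600 {} + || return 1
    [ "$(mode_of "$1")" = "700" ]
}

# Steps 3a to 3e as a GnuPG batch parameter file (format from the
# "Unattended key generation" section of the GnuPG manual).
# Arguments: file, real name, email, expiry (e.g. 5y), passphrase.
write_gen_params() {
    cat >"$1" <<EOF
%echo generating a key for $3
Key-Type: default
Subkey-Type: default
Name-Real: $2
Name-Email: $3
Expire-Date: $4
Passphrase: $5
%commit
%echo done
EOF
}

# Primary-key fingerprint from machine-readable output: the first "fpr"
# record's 10th field, rather than scraping the human-readable listing.
primary_fingerprint() {
    gpg --batch --with-colons --with-fingerprint --list-keys \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

main() {
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg is not installed; nothing to demonstrate" >&2
        return 0
    fi
    pw=${DEMO_PASSPHRASE:-demo-only-passphrase}   # placeholder; pick a real one
    home=$(mktemp -d) || return 1
    GNUPGHOME=$home; export GNUPGHOME               # throwaway keyring
    secure_gnupghome "$home" || return 1

    # Step 3: generate the key pair. Loopback pinentry lets --batch take the
    # passphrase from the parameter file instead of opening a dialogue.
    write_gen_params "$home/params" "Fred Bloggs" "f.p.bloggs@example.invalid" 5y "$pw"
    gpg --batch --pinentry-mode loopback --gen-key "$home/params" || return 1
    rm -f "$home/params"                            # it contains the passphrase

    fpr=$(primary_fingerprint)
    echo "fingerprint: $fpr"                        # step 6: what you would mail

    # Step 4: a second user ID, without the --edit-key / adduid dialogue.
    gpg --batch --pinentry-mode loopback --passphrase "$pw" \
        --quick-add-uid "$fpr" "Fred Bloggs (Compsoc account) <fpb@example.invalid>" || return 1

    # Step 7: GnuPG 2.1+ writes a revocation certificate at key creation
    # time; this is the file to keep offline (and on paper).
    rev="$home/openpgp-revocs.d/$fpr.rev"
    [ -f "$rev" ] && echo "revocation certificate: $rev"

    # Step 5 would be:  gpg --keyserver "$server" --send-keys "$fpr"
    # It is not run here so the demo stays offline.

    gpg --list-keys
    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$home"; unset GNUPGHOME
}

main "$@"
```

Run it as a script (sh gpg-setup.sh) and it prints the fingerprint and the path of the generated revocation certificate before deleting the temporary keyring; with gpg absent it only reports that and exits 0. To use it for real, replace the throwaway mktemp directory with your own GNUPGHOME and the placeholder passphrase with one chosen as step 3e describes.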

8) That's it. Now you just need to turn up to the party; don't forget what to bring with you.

Nick Boalch (n.g.boalch@durham.ac.uk)
Last modified: 2004-01-24 18:09:56 BST