PGP Tool

Learn · 6 min read

Getting started with Generate Keys — your first key pair, step by step

You opened the Generate Keys tool and you are staring at four fields. Here is what each one does and what to pick if you are not sure.

Generating a PGP key pair is a one-time decision that you live with for years. Most guides skip the choices and tell you to "just click generate". This one explains what each field actually does, so the defaults make sense and you can deviate when you need to.

Everything below happens entirely in your browser. The private key never leaves your device.

What you are creating

Two files, generated together as a pair. The public key (.asc) is the address you share — anyone in the world can encrypt to it. The private key (.asc) is the secret you keep — only it can decrypt messages sent to your public key. They are mathematically linked. Lose the private key and the messages are unreadable forever; leak it and your past correspondence is exposed.

Field 1 — Name and email

These go into the key as a "user ID" (UID), a human-readable label that travels with the public key. Pick whatever name and email you want others to see when they look up your key. The email does not need to be the address you actually use to send mail — UIDs are about identification, not delivery.

You can have multiple UIDs on a single key (work email, personal email, pseudonym). For a first key, one UID is fine. Real name + the email you most want associated with the key is the conventional choice.

Field 2 — Algorithm

The default is Curve25519. Take it. It is fast, modern, has small keys, and is the algorithm every current OpenPGP client supports. RSA-3072 and RSA-4096 are still on offer for older clients (some hardware tokens, some legacy email setups) — pick RSA only if a recipient or device specifically requires it. If you are uncertain, the default is correct.

There is a separate article on how the algorithms compare; this one assumes you are accepting the default.

Field 3 — Passphrase

The passphrase encrypts your private key file at rest. Without it, anyone who copies your .asc can decrypt every message you have ever received. It is the single most important security input.

Make it long. Five or six unrelated words from a dictionary (an "EFF passphrase") is far stronger than a short string of mixed case and symbols, and easier to remember. The Password Generator tool can produce one. Avoid anything you have used elsewhere — passphrase reuse is the most common cause of compromise.

Write it down somewhere physical the first time you set it. A passphrase you cannot recall is functionally identical to a lost private key.

Field 4 — Expiry

An expiry date does not destroy the key — it tells other clients that the key should no longer be trusted past that date. Setting one (1–2 years is conventional) gives you a graceful path to rotate keys without dramatic revocations. You can extend the expiry later if you decide to keep the key longer.

"Never expires" is also acceptable for casual use. The downside is that if you lose access without a revocation certificate, the world keeps thinking the key is good forever.

After you click Generate

You will see three downloads:

  • Public key (.asc) — share this freely. Email it, paste it on your website, upload it to a keyserver. Anyone who wants to write to you needs this.
  • Private key (.asc) — store this carefully. See the "Backing up PGP keys" article. Never email it. Never paste it into untrusted tools.
  • Revocation certificate (.asc) — store this separately from the private key. If the private key is ever stolen or lost, publish the revocation so the world stops trusting the public key.

First-week checklist

  1. Make at least one offline backup of the private key (encrypted USB or paper).
  2. Store the revocation certificate in a different location from the private key.
  3. Test that you can decrypt: encrypt a sample message to your own public key, then decrypt it with the private key.
  4. Share your public key with one person and ask them to send you an encrypted hello.
  5. Add the key fingerprint to your email signature or website so others can verify they have the right key.
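The same four fields, the three downloads and checklist step 3 carried out with GnuPG on the command line, as an added example that is not the PGP Tool's own code (the tool runs in the browser): it assumes gpg 2.1 or later is installed, and the name, email and passphrase are constructed sample values.

```shell
# Added example, not the PGP Tool's own code: the four Generate Keys fields as a
# GnuPG 2.1+ batch run, the three downloads, and the checklist round-trip test.
# Name, email and passphrase are constructed sample values.
set -eu
NAME="Alice Example"                            # Field 1: user ID name
EMAIL="alice@example.com"                       # Field 1: user ID email
EXPIRY="2y"                                     # Field 4: expire in 2 years
PASSPHRASE="tundra velvet anchor oboe cactus"   # Field 3: EFF-style word list
GNUPGHOME=$(mktemp -d); export GNUPGHOME        # throwaway keyring for the demo
chmod 700 "$GNUPGHOME"

# Field 2: "Curve25519" means an Ed25519 signing primary key plus a
# Curve25519 (cv25519) ECDH encryption subkey. Prints the primary fingerprint.
generate_keypair() {
    cat >"$GNUPGHOME/params" <<EOF
Key-Type: eddsa
Key-Curve: ed25519
Subkey-Type: ecdh
Subkey-Curve: cv25519
Subkey-Usage: encrypt
Name-Real: $NAME
Name-Email: $EMAIL
Expire-Date: $EXPIRY
Passphrase: $PASSPHRASE
%commit
EOF
    gpg --batch --quiet --pinentry-mode loopback --gen-key "$GNUPGHOME/params" >/dev/null
    gpg --batch --with-colons --list-keys "$EMAIL" | awk -F: '/^fpr:/ { print $10; exit }'
}

# The three downloads. Exporting the private key needs the passphrase again.
# gpg wrote the revocation certificate during generation with a ':' in front
# of the armor header so it cannot be imported by accident; strip it before use.
export_downloads() {
    gpg --batch --armor --export "$1" >"$2/public.asc"
    gpg --batch --armor --pinentry-mode loopback --passphrase "$PASSPHRASE" \
        --export-secret-keys "$1" >"$2/private.asc"
    cp "$GNUPGHOME/openpgp-revocs.d/$1.rev" "$2/revocation.asc"
}

# Checklist step 3: encrypt to your own public key, decrypt with the private key.
roundtrip() {
    printf 'encrypted hello' |
      gpg --batch --quiet --trust-model always --encrypt --recipient "$1" |
      gpg --batch --quiet --pinentry-mode loopback --passphrase "$PASSPHRASE" --decrypt
}

FPR=$(generate_keypair); OUT=$(mktemp -d)
export_downloads "$FPR" "$OUT"
printf 'fingerprint %s, downloads in %s, decrypted: ' "$FPR" "$OUT"; roundtrip "$FPR"; echo
```

The expiry lands on the key itself (visible with `gpg --list-keys`), so a client that imports public.asc later will stop trusting it after the two years without any further action from you.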