
How to Generate PGP Key Pair in Windows, Mac OS, Linux

by Priya Mervana | Last updated Apr 21, 2026 | Encryption



QUICK DEFINITION

A PGP key pair consists of two mathematically linked keys: a public key you share freely so others can encrypt messages to you, and a private key you keep secret to decrypt those messages and sign your own communications. The pair works together - anything encrypted with one key can only be decrypted by the other. No one holding only your public key can read your messages.


Generating a PGP key pair takes under five minutes on any operating system. Run gpg --full-generate-key in your terminal, choose RSA 4096-bit, set a strong passphrase, and you have a public/private key pair ready for encrypting emails and files. This guide covers the exact steps for Windows, macOS, and Linux, plus what to do with your keys once they exist.

The global email encryption market reached USD 9.34 billion in 2025 and is growing at 15.68% annually, according to the Research and Markets global email encryption forecast (2025). PGP remains a primary technique alongside TLS and S/MIME for organizations that need email encryption at the individual level, outside the enterprise gateway.

What Do You Need Before Generating a PGP Key Pair?

Three things are required before running any command:

  • GPG software installed for your OS - Gpg4win for Windows, GPG Suite for Mac, or the gnupg package for Linux
  • A strong passphrase - at least 20 characters, not based on dictionary words or personal information
  • An email address to associate with the key, which identifies you to anyone who imports it

No account registration, no certificate authority, and no cost.

How to Generate a PGP Key on Windows

Windows users generate PGP keys through Gpg4win, which packages GnuPG with a Windows-native interface and full command-line tools.

  1. Install Gpg4win - download from gpg4win.org. During setup, confirm command-line tools are selected alongside the Kleopatra graphical interface.
  2. Open Command Prompt - press Win + R, type cmd, hit Enter.
  3. Start key generation - gpg --full-generate-key
  4. Select key type and size - choose option 1 (RSA and RSA), then enter 4096 for key size. As noted in the GnuPG LargeKeys wiki, GnuPG's default moved to 3072-bit RSA from version 2.2.22 onward - choosing 4096 gives a larger security margin for long-lived personal keys.
  5. Set expiration - press Enter for no expiry, or type 2y for a two-year validity period. A key with an expiration date limits exposure if it is ever lost or compromised.
  6. Enter your identity - type your real name, email address, and an optional comment. This information is embedded in your public key.
  7. Create your passphrase - choose 20+ characters. This is the only protection on your private key if someone accesses your machine.
  8. Generate entropy - move your mouse and type randomly as prompted. This randomness seeds the key generation.
  9. Export your public key (share with others): gpg --armor --export YOUR_EMAIL
  10. Back up your private key (store offline, never share): gpg -o private.key --export-secret-keys YOUR_EMAIL

How to Generate a PGP Key on macOS

The macOS process uses GPG Suite, which installs cleanly and provides both Terminal commands and a visual keychain manager called GPG Keychain.

  1. Install GPG Suite - download from gpgtools.org. The suite includes the underlying GPG command-line tools.
  2. Open Terminal - Finder → Applications → Utilities → Terminal.
  3. Start key generation: gpg --full-generate-key
  4. Choose RSA, option 1, then enter 4096 for key size.
  5. Set expiration - press Enter for no expiry, or enter a period like 1y.
  6. Enter your name and email to identify the key.
  7. Create a strong passphrase - 20+ characters, not a recognizable phrase.
  8. Generate entropy by moving your cursor as instructed.
  9. Export your public key: gpg --armor --export your.email@address.com
  10. Back up your private key: gpg -o private.key --export-secret-keys your.email@address.com

Store the private.key file on an encrypted USB drive kept offline.

How to Generate a PGP Key in Linux

Linux makes PGP key generation straightforward via GnuPG, available in every major distribution's package manager.

  1. Install GnuPG:
     • Debian/Ubuntu: sudo apt install gnupg
     • RedHat/CentOS: sudo yum install gnupg2
  2. Start key generation: gpg --full-generate-key
  3. Select RSA, option 1, then 4096 for key size.
  4. Enter your name and email.
  5. Create a strong passphrase.
  6. Generate entropy by moving your mouse as prompted.
  7. Export your public key: gpg --armor --export your.email@address.com > public.key
  8. Back up your private key: gpg -o private.key --export-secret-keys your.email@address.com
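The three walkthroughs above run unattended, as an added example (not the article's own commands): it makes the same choices the steps describe (RSA 4096, two-year expiry, passphrase-protected private key) inside a throwaway GNUPGHOME, then exports the public key, the private-key backup and the revocation certificate GnuPG writes at creation time. The name, address and passphrase are constructed placeholders, and it assumes GnuPG 2.1 or later.

```shell
#!/bin/sh
# Added example, not code from the original article: the interactive
# `gpg --full-generate-key` walkthrough run unattended with the same choices
# (RSA 4096, two-year expiry, passphrase-protected private key) inside a
# throwaway GNUPGHOME so the real keyring is untouched. Name, email and
# passphrase below are constructed placeholders. Needs GnuPG 2.1 or later.

# Generate a key pair for "$1 <$2>" protected by passphrase $3, with key size
# $4 (default 4096). Prints the primary key's 40-hex-digit fingerprint.
gen_pgp_keypair() {
    gpg --batch --pinentry-mode loopback --passphrase "$3" \
        --quick-generate-key "$1 <$2>" "rsa${4:-4096}" default 2y 2>/dev/null
    gpg --with-colons --with-fingerprint --list-keys "$2" |
        awk -F: '/^fpr:/ { print $10; exit }'
}

# Export the shareable public key and the private-key backup (both ASCII
# armored) for fingerprint $1 into directory $3; $2 is the passphrase, which
# gpg needs to re-protect the secret key on export. Returns 0 only if both
# files carry the expected armor headers.
export_pgp_keys() {
    gpg --batch --armor --export "$1" > "$3/public.key"
    gpg --batch --pinentry-mode loopback --passphrase "$2" --armor \
        --export-secret-keys "$1" > "$3/private.key"
    chmod 600 "$3/private.key"   # the backup is only as private as its file mode
    grep -q 'BEGIN PGP PUBLIC KEY BLOCK' "$3/public.key" &&
        grep -q 'BEGIN PGP PRIVATE KEY BLOCK' "$3/private.key"
}

# Seconds until the primary key expires (field 7 of the colon-separated
# "pub" record is the expiry timestamp); prints 0 for a key with no expiry.
pgp_key_expiry_seconds() {
    exp=$(gpg --with-colons --list-keys "$1" | awk -F: '/^pub:/ { print $7; exit }')
    if [ -n "$exp" ]; then echo $((exp - $(date +%s))); else echo 0; fi
}

# GnuPG 2.1+ writes a revocation certificate at creation time; back it up
# alongside private.key so a lost key can still be revoked.
revocation_cert_path() { echo "$GNUPGHOME/openpgp-revocs.d/$1.rev"; }

# Demo run, opt-in via PGP_DEMO=1 so the functions can be sourced safely.
if [ "${PGP_DEMO:-0}" = 1 ]; then
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    pass='constructed passphrase, twenty characters plus'
    fpr=$(gen_pgp_keypair "Example User" "user@example.invalid" "$pass")
    export_pgp_keys "$fpr" "$pass" "$GNUPGHOME" && echo "exported to $GNUPGHOME"
    echo "fingerprint $fpr expires in $(( $(pgp_key_expiry_seconds "$fpr") / 86400 )) days"
    echo "revocation certificate: $(revocation_cert_path "$fpr")"
fi
```

Run it with PGP_DEMO=1 to see the fingerprint, the days until expiry and where the revocation certificate landed; the temporary GNUPGHOME is left in place so the exported files can be inspected, then deleted.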

What PGP Key Size Should You Use - RSA 2048 vs 4096?

RSA 4096 is the right choice for new keys generated today. The performance difference on modern hardware is negligible, and the security margin is meaningfully larger for data that needs to stay protected for years.

NIST Special Publication 800-57 Part 1 Rev. 5 classifies RSA key security as follows:

Key size   Equivalent symmetric strength   Secure through (NIST estimate)
RSA 2048   112-bit                         Acceptable through ~2030 only
RSA 3072   128-bit                         Beyond 2030 (preferred minimum)
RSA 4096   ~140-bit                        Well beyond 2030

RSA 2048 meets the current 112-bit minimum but becomes the floor - not the recommendation - after 2030 per NIST guidance. For personal and professional use where encrypted data may remain sensitive for years, RSA 4096 is the practical default.

A common mistake is assuming the FAQ advice from older GnuPG versions still applies. Since version 2.2.22, GnuPG's own default shifted to 3072-bit. Choosing 4096 when generating manually gives you the additional margin that the GnuPG wiki confirms as the current upper recommended limit.

Priya Mervana
Verified Web Security Expert | SSLInsights.com

"The passphrase question is where most people underestimate their risk. I consistently see users choose passphrases under 12 characters, often based on a word or a name. If your machine is ever physically accessed or your key file is copied, that passphrase is the only barrier between your private key and someone else using it. Twenty characters minimum - and make it something only you could construct."

How to Import and Share PGP Public Keys

Once your key pair exists, you can start encrypting communications with others.

  1. Get their public key - ask them to export it and send it to you, or search a public keyserver like keys.openpgp.org.
  2. Import their key into your keyring: gpg --import their_public_key.txt
  3. Encrypt a message to them (the full workflow is in the how to encrypt email with PGP guide): gpg --encrypt --recipient their.email@address.com message.txt
  4. Share your public key by exporting it, emailing it directly, or submitting it to a keyserver. Your public key is meant to be public - sharing it widely is correct behavior.

Related guides: learn how asymmetric encryption works at the protocol level, and review best practices for email encryption to apply PGP correctly in your workflow.

PGP Key Management Best Practices

Good key generation is only the start. How you manage keys determines how secure your communications remain over time.

  • Generate keys on a secure, offline machine - avoid shared or public computers
  • Use a passphrase of 20+ characters; avoid real words and patterns
  • Back up your private key to an encrypted USB drive in a physically secure location
  • Set an expiration date and renew proactively - this limits exposure if the key is ever compromised
  • Submit your public key to a keyserver so contacts can find and verify it
  • Revoke old or compromised keys immediately using a revocation certificate - generate this at key creation time
  • Consider using subkeys for day-to-day operations, keeping your master key offline


PRACTITIONER’S NOTE

One pattern I see repeatedly: people generate their PGP key correctly, export the public key, and then store the private key backup in the same cloud folder they use for everything else. A private key file in an unencrypted cloud sync folder - even named something obscure - is not a backup. It is a liability. The only acceptable storage for a private key backup is an encrypted drive kept physically separate from your daily machine. If that feels like overkill, consider what the private key actually protects: every encrypted message you have ever received.

– Priya Mervana | Verified Web Security Expert, SSLInsights.com

After generating your key pair, the next practical step is understanding where PGP fits within a broader encryption strategy. Review how public-key cryptography works at the protocol level and how PGP compares to public vs private key frameworks used in TLS and code signing.

Frequently Asked Questions About PGP Key Generation

What Is a Passphrase, And Why Is It Important For PGP?

Your passphrase protects your private key file. Without it, anyone who copies your private key file can decrypt your messages and forge your signatures. Use at least 20 characters, mix letters, numbers, and symbols, and avoid anything tied to personal information. This single decision determines how secure your entire PGP setup remains.

What Is the Best PGP Key Size - RSA 2048 Or 4096?

For new keys generated today, RSA 4096 is the right choice. NIST SP 800-57 places RSA 2048 as secure only through approximately 2030. If your encrypted data needs to stay protected beyond that window - or you want a larger margin against future cryptographic advances - 4096-bit is the practical default. The performance overhead is negligible on current hardware.

What Happens If I Lose My PGP Private Key?

Any data encrypted to your associated public key becomes permanently inaccessible. No recovery path exists - this is by design. Keep an offline backup of your private key in at least two separate physical locations. Generate a revocation certificate at key creation time and store it separately; you will need it to inform contacts the key is no longer valid.

How Often Should I Rotate My PGP Keys?

Most security practitioners recommend generating new keys every one to two years and revoking the old ones. If you set an expiration date at creation - which is recommended - your keyring software will prompt you before expiry. Rotate immediately if you suspect a compromise or if your passphrase may have been exposed.

Can I Use the Same PGP Key Pair Across Multiple Devices?

Yes - export your private key once and import it on each device you use. The risk is that more copies exist, so every device must have full-disk encryption and a strong login password. Many security-focused users generate subkeys per device and keep the master key offline.

Can I Decrypt PGP Messages Without the Private Key?

No. PGP encryption is designed so that only the matching private key can decrypt what the public key encrypted. There is no master key, no backdoor, and no vendor-assisted recovery. This is the property that makes PGP genuinely private - and why private key backups are non-negotiable.
