Generate public and private key (command line)

Updated 2 years ago by Jane

When ensuring Call Recording compliance, you will need two keys where private key is a secret key which should be protected and not shared with unauthorised personnel. Public key is, as its name suggests, open to everyone we want to collaborate - it is visible on Call Recording app > Settings.

You can create them with the `--full-gen-key` option like below.

First, let’s check the version of GPG on your system and some interesting tidbits. Run the following command.

gpg --version
Note: Some GPG installations on Linux (for example Linux Mint) may require you to use gpg2

You might need to install the latest GPG command line tools at

Create Your Public/Private Key Pair

  1. Use gpg --full-gen-key command to generate your key pair.
gpg --full-gen-key

  1. It will ask you what kind of key you want. Notice that there are four options. The default is to create a RSA public/private key pair and also a RSA signing key.
Please select what kind of key you want:

(1) RSA and RSA (default)

(2) DSA and Elgamal

(3) DSA (sign only)

(4) RSA (sign only)

Your selection? 1

  1. Next it asks you the key length. The default is 2048 bits long. 1024 RSA key is obsolete. The longer 4096 RSA key will not provide more security than 2048 RSA key. So hit Enter to select the default.
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)

  1. After that it asks you how long the key should be valid, 2 years is fine. You can always update the expiration time later on.
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)2y

  1. Now it asks you if it’s correct. Notice that the default is No. So press y then Enter to confirm it is correct.
Key expires at Sun 21 Jun 2020 12:29:24 AM UTC
Is this correct? (y/N)y

  1. And now we need to provide some user identification information for the key. This is important because this information will be included in our key. It’s one way of indicating who is owner of this key. The email address is a unique identifier for a person. You can leave Comment blank.
GnuPG needs to construct a user ID to identify your key.
Real name: Admin
Email address:

  1. Select Okay.
You selected this USER-ID:
"Admin <>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

  1. Now it asks you to enter a passphrase to protect your private key. Enter a good and long passphrase and remember it. Because if you forget this passphrase, you won’t be able to unlock you private key.
  1. Once you enter and confirm your passphrase. GPG will generate your keys.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

It will take a while (about 4-5 minutes) for GPG to generate your keys.

gpg: key 4F0BDACC marked as ultimately trusted
gpg: directory '/home/matrix/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/matrix/.gnupg/openpgp-revocs.d/F0461D8F7F64F70A5BBED42E02C87F194F0BDACC.rev'
public and secret key created and signed.

gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: PGP
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2018-01-31
pub rsa2048/4F0BDACC 2016-02-01 [S] [expires: 2018-01-31]
Key fingerprint = F046 1D8F 7F64 F70A 5BBE D42E 02C8 7F19 4F0B DACC
uid [ultimate] Admin <>
sub rsa2048/E02A4EED 2016-02-01 [] [expires: 2018-01-31]

This first line tells us that GPG created a unique identifier for public key. This unique identifier is in hex format. When someone wants to download your public key, they can refer to your public key via your email address or this hex value.

The third line tells us that GPG created a revocation certificate and its directory. You should never share your private key with anyone. If your private key is compromised, you can use revocation certificate to revoke your key. That means you tell the rest of the world that the old public key is not to be used anymore. It is suggested to open this revocation certificate with your text editor to see what’s there.

Let’s look at the last three lines. They tell us the public key is 2048 bits using RSA algorithm. The public key ID 4F0BDACC matches the last 8 bits of the key's fingerprint. The key's fingerprint is a hash of your public key.

It also lists your user ID information: your name and your email address. It also indicates the subkey which is 2048 bits using the RSA algorithm and the unique identifier of the subkey.

Now you can find that there are two files created under ~/.gnupg/private-keys-v1.d/ directory. These two files are binary files with .key extension.

Export Your Private Key

Issue the following commands to export your private key.

  1. The exported private key is in ASCII format
gpg --armor --export-secret-keys

The private key will start with


and end with


  1. The exported key is written to privkey.asc file.
gpg --export-secret-keys --armor > privkey.asc

Export Your Public Key

Others need your public key to send encrypted message to you and only your private key can decrypt it. Use the following command to export your public key. --armor option means that the output is ASCII armored. The default is to create the binary OpenPGP format. user-id is your email address.

  1. The exported public key is in ASCII format
gpg --armor --export-secret-keys

The public key will start with


and end with


  1. The exported public key is written to pubkey.asc file.
gpg --armor --export > pubkey.asc

How did we do?

Powered by HelpDocs (opens in a new tab)

Powered by HelpDocs (opens in a new tab)