How to set up encrypted email with PGP/GPG and integrate it into your mail client
Encrypted email with PGP/GPG protects your messages from prying eyes and gives you control of your keys. This guide walks you through generating keys, sharing public keys, configuring a mail client, and testing secure sending and receiving. Plan about 30–60 minutes to complete initial setup and a few minutes for routine use thereafter.
Step 1: Install GPG software
Install a GPG implementation on your device: use GnuPG v2.x on Linux, GPG Suite on macOS, or Gpg4win on Windows. Verify installation by running gpg --version in a terminal or command prompt; expect version 2.x and a working pinentry program. Installing ensures you have the core tools to create and manage cryptographic keys locally.
[Illustration: computer terminal showing gpg --version output and installation progress window]
Step 2: Generate your key pair
Create a new RSA 3072 or 4096-bit key pair with gpg --full-generate-key and choose good defaults: RSA and RSA, key size 4096, expiration 1 year (adjustable), and a real name plus your email. Use a strong passphrase of 12–20 characters and store it in your password manager; this protects your private key if your device is compromised.
[Illustration: dialogue box for key generation showing name, email, key size options and passphrase fields]
Step 3: Backup and export keys
Export your public key with gpg --armor --export you@example.com > mypubkey.asc and export the private key to a secure offline medium with gpg --armor --export-secret-keys you@example.com > myprivate.asc. Make two backups of the private file on encrypted USB drives or an encrypted cloud vault and note the creation date and revocation plan.
[Illustration: USB drive labeled encrypted with exported key files on desktop and timestamped note]
Step 4: Create a revocation certificate
Generate a revocation certificate immediately with gpg --output revoke.asc --gen-revoke you@example.com and store it offline and in a safe physical location. A revocation certificate lets you invalidate your key if it is lost or compromised, preventing others from trusting a stolen key after the fact.
[Illustration: paper printout labeled revocation certificate stored in a safe]
Step 5: Publish and share your public key
Upload your public key to a keyserver (for example with gpg --keyserver hkps://keys.openpgp.org --send-keys KEYID) and/or share mypubkey.asc directly with contacts. Publishing helps people find your key; sharing directly lets first-time contacts verify the fingerprint by voice or another channel (compare the 40-hex-digit fingerprint).
[Illustration: browser window showing a keyserver upload confirmation and an email attachment with a public key file]
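The fingerprint comparison from Step 5 can be scripted. The following is an added example, not part of the original guide: it reads the colon-delimited listing that gpg prints for a received key file and checks the primary-key fingerprint against the value your contact gave you. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a received key against a fingerprint obtained by phone.
#   gpg --with-colons --show-keys mypubkey.asc | verify_fpr "0123 4567 ..."

# Strip spaces and colons, uppercase, and require exactly 40 hex digits.
# Short 8- or 16-digit key IDs are rejected: they are not a fingerprint.
normalize_fpr() {
    f=$(printf '%s' "$1" | tr -d ' :\t\n' | tr 'a-f' 'A-F')
    case "$f" in
        *[!0-9A-F]*|'') return 1 ;;
    esac
    [ "${#f}" -eq 40 ] || return 1
    printf '%s\n' "$f"
}

# Print the primary key's fingerprint: the first "fpr" record after "pub".
# Field 10 of an fpr record holds the fingerprint (uppercase hex).
primary_fpr() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; exit }'
}

# Return 0 only if the listing on stdin carries the expected fingerprint,
# 1 on a mismatch, 2 if the expected value is not a 40-digit fingerprint.
verify_fpr() {
    expected=$(normalize_fpr "$1") || { echo "not a 40-hex fingerprint" >&2; return 2; }
    actual=$(primary_fpr)
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Constructed sample listing (not a real key).
SAMPLE_LISTING='pub:-:4096:1:89ABCDEF01234567:1700000000:1731536000::-:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1700000000::::Alice Example <you@example.com>::::::::::0:
sub:-:4096:1:76543210FEDCBA98:1700000000:1731536000:::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'
```

Comparing against the primary key only is deliberate: a matching subkey fingerprint does not identify the key your contact certified.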
Step 6: Integrate with your mail client
Install a mail client plugin or use built-in support: Enigmail or Mailvelope for webmail, Thunderbird with OpenPGP enabled, or Outlook configured for GPG through a compatible plugin. Point the mail client to your GPG binary and private key; set it to sign by default and to encrypt when recipients’ public keys are available. Test the configuration with a small signed-only message first to confirm the signature shows as valid.
[Illustration: email client settings panel showing OpenPGP configuration and path to gpg executable]
Step 7: Test end-to-end with contacts
Send a signed email to a willing contact and ask them to reply encrypted using your published public key; verify the incoming encrypted mail decrypts automatically and the signature verifies. Confirm key fingerprints verbally or via a second channel for first-time contacts and set reminders to rotate or renew keys before expiration (e.g., renew every 12 months).
[Illustration: two users exchanging emails on laptops with a green padlock icon and fingerprint verification dialogue]
- Choose RSA 4096 or ECC curves like Ed25519 if supported for a good balance of security and performance.
- Use an expiration date (e.g., 1 year) to reduce long-term key abuse and plan a rotation schedule now.
- Store private-key backups in at least two separate encrypted locations, such as two encrypted USB drives or one encrypted cloud container plus a USB.
- Use an offline computer to generate and store a long-term master key, then create subkeys for day-to-day signing and encryption.
- Always verify key fingerprints by phone or an in-person meeting for new contacts to prevent man-in-the-middle substitution.
- Automate key renewal reminders in your calendar 30 days before expiration to avoid unexpected communication failures.
- Never share or send your private key over email or unencrypted channels; treat it like cash or a passport.
- Do not choose an empty or very short passphrase for your private key; a weak passphrase nullifies encryption protection.
- Be cautious with keyservers: once uploaded, public key data and associated user IDs may be difficult to remove.
- If you lose your private key and have no backup or revocation published, you will permanently lose the ability to decrypt messages to that key.
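The renewal reminders mentioned in Step 7 and in the list above can be backed by a check you run from cron or a login script. This is an added example, not part of the original guide: it reads gpg's colon-delimited key listing and reports keys and subkeys that have expired or will expire within a given number of days. The function name, the optional second argument, and the sample listing are constructed for illustration; it assumes expiry times are printed as epoch seconds, as GnuPG 2.x does.

```shell
#!/bin/sh
# Added example: report keys and subkeys close to expiry.
#   gpg --with-colons --list-keys you@example.com | expiring_keys 30
# In pub/sub records: field 5 = key ID, field 7 = expiry time in epoch
# seconds (empty means the key never expires).

expiring_keys() {
    days=$1
    now=${2:-$(date +%s)}     # optional second argument fixes "now" for tests
    awk -F: -v now="$now" -v days="$days" '
        ($1 == "pub" || $1 == "sub") && $7 != "" {
            if ($7 <= now) {
                printf "%s %s expired\n", $1, $5
            } else {
                left = int(($7 - now) / 86400)   # whole days remaining
                if (left <= days)
                    printf "%s %s expires in %d days\n", $1, $5, left
            }
        }'
}

# Constructed sample listing (not a real key): the primary key and the
# encryption subkey carry different expiry times.
SAMPLE_KEYS='pub:u:4096:1:89ABCDEF01234567:1700000000:1731536000::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1700000000::::Alice Example <you@example.com>::::::::::0:
sub:u:4096:1:76543210FEDCBA98:1700000000:1705000000:::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'
```

Subkeys are checked separately because an expired encryption subkey stops correspondents from encrypting to you even while the primary key is still valid.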