Chapter 2. Creating Your First Keypair
Table of Contents
By "confidentiality" we mean that only the people you want to read a message will be able to read a message. By "assurance" we mean that people who read messages from you can be sure that it really came from you.
We're not going to explain all the mathematics that's involved. You don't need to have a Ph.D. in computer science to use Enigmail. All you need to understand is that you will be creating a public key and a private key. The public key can be shared with the whole world--friends, neighbors, relatives, enemies, even intelligence agencies. But you need to guard the private key very, very carefully.
By this time, you should have Thunderbird, Enigmail and GnuPG all installed. If you don't, go back and do those sections now.
You will need a piece of paper and something to write with.
Start Thunderbird. Due to the incredible number of different operating systems Thunderbird runs on, we're not going to try to tell you how to do this. If you need help finding Thunderbird, the Thunderbird site has excellent documentation.
Check your accounts. If you don't have any email accounts set up yet, do that now. Again, see the Thunderbird site if you need help.
Start the Enigmail Key Manager. Click on "OpenPGP" in the menu bar of the Thunderbird main window. Select "Key Management".
Start the New Key Wizard. When the Enigmail Key Manager opens, click on "Generate" in the menu bar and select "New key pair".
A new window will pop up. Take a deep breath: you are not expected to understand everything here. In fact, there are only a couple of things you need to worry about!
Tell Enigmail which account to use. At the very top of the window you will see a combobox showing all of your email addresses. GnuPG will associate your new key with an email address. Enigmail is just asking you which address you want to use for this key. Select whichever account will be receiving encrypted mail.
(If you decide later that you want to use the same key for multiple accounts, that can be done, too, but it's beyond the scope of this Quick Start Document.)
Choose a passphrase. Private keys are so important that GnuPG will not use them unless you know the secret phrase. You're being asked here what the secret phrase should be for your new keypair. If at all possible, choose something that is easy to remember but very hard for someone to guess.
Enter your passphrase in the "Passphrase" box. Then repeat it again in the "Passphrase (repeat)" box. By entering it twice, Enigmail is protecting you from accidentally mis-entering your passphrase.
As a security feature, Enigmail will not display your passphrase as you type it.
If you forget your passphrase, there is absolutely nothing anyone can do to help you. This is a security feature of GnuPG. There is no way around the passphrase.
Click "Generate Key". That's it! That's all you have to do. Everything else is handled for you automatically.
Generate a revocation certificate. Hard drive failures happen to us all. So do house fires and theft and other things that might separate us from our keys. When this happens, it's a good idea to send out a revocation notice. You can think of this as a message from your key saying "please don't use me any more".
Using the magic of assurance, people who see your revocation certificate can be confident that your key really is no more. Having a revocation certificate tucked away in a safe place is a very good idea.
When you finish creating your new key, Enigmail will give you the chance to create a revocation certificate. If you want one, click "Yes". You will be asked to enter your passphrase. Enter it, and you'll be finished.
Now that you have your key, you should find your key ID. This is a sequence of letters and numbers eight long which is used to unambiguously identify your key.
Go back to the Enigmail Key Manager and enter your email address in the search box. The key you just created should appear, and over at the right you'll see your key ID. Write this down; you'll need it.
By far, the easiest way to share your key with the world is to publish it on the public keyserver network, a global database of keys (please note that once a key was uploaded to a keyserver, there is no way to delete it from there!). In order to publish your key, click on your key in the Key Manager. Then click "Keyserver" and select "Upload public keys".
Enigmail will ask where it should send your key. Generally speaking,
pool.sks-keyservers.net is your best bet. That's the one Enigmail uses by default, so just click "OK".
Your key is now published on the internet for anyone to find!
Some people will tell you never to use a keyserver at all, because spammers search them for email addresses. While this is true, this kind of misses the point.
There is nothing you can do to prevent spam from littering your inbox. Trying to stop it is like King Canute marching into the sea, commanding the rising tide to turn back. It didn't work for King Canute and it won't work for you.
There are excellent ways to stop spam. Blacklists, whitelists, Bayesian filtering, ISP-level solutions and more. Some of those options work better than others. All of them work better than the naive "if I don't publish my key on the keyservers, then I won't get spammed" strategy.
 In reality your fingerprint is forty long, but using the last eight is customary. You'd need to have over 65,000 keys before you'd have a good chance of two keys sharing the same shortened ID.