Step 2.a Make a keypair
The Enigmail Setup wizard may start automatically. If it doesn't, select
Enigmail → Setup Wizard from your email program's menu. You don't need
to read the text in the window that pops up unless you'd like to, but it's
good to read the text on the later screens of the wizard. Click Next with
the default options selected, except in these instances, which are listed
in the order they appear:
- On the screen titled "Encryption," select "Encrypt all of my messages
by default, because privacy is critical to me."
- On the screen titled "Signing," select "Don't sign my messages by
- On the screen titled "Key Selection," select "I want to create a new
key pair for signing and encrypting my email."
- On the screen titled "Create Key," pick a strong password! You can
do it manually, or you can use the Diceware method. Doing it manually
is faster but not as secure. Using Diceware takes longer and requires
dice, but creates a password that is much harder for attackers to figure
out. To use it, read the section "Make a secure passphrase with Diceware" in
this article by Micah Lee.
If you'd like to pick a password manually, come up with something
you can remember which is at least twelve characters long, and includes
at least one lower case and upper case letter and at least one number or
punctuation symbol. Never pick a password you've used elsewhere. Don't use
any recognizable patterns, such as birthdays, telephone numbers, pets' names,
song lyrics, quotes from books, and so on.
The program will take a little while to finish the next
step, the "Key Creation" screen. While you wait, do something else with your
computer, like watching a movie or browsing the Web. The more you use the
computer at this point, the faster the key creation will go.
When the "Key Generation Completed" screen
pops up, select Generate Certificate and choose to save it in a safe place on
your computer (we recommend making a folder called "Revocation Certificate"
in your home folder and keeping it there). This step is essential for your
email self-defense, as you'll learn more about in Section
- I can't find the Enigmail menu.
- In many new email programs, the main menu is represented by an image
of three stacked horizontal bars. Enigmail may be inside a section called
- More resources
- If you're having trouble with our
instructions or just want to learn more, check out
Enigmail's wiki instructions for key generation.
- Don't see a solution to your problem?
- Please let us know on the feedback
- Command line key generation
- If you prefer using the command line for a higher
degree of control, you can follow the documentation from The GNU Privacy
Handbook. Make sure you stick with "RSA and RSA" (the default),
because it's newer and more secure than the algorithms the documentation
recommends. Also make sure your key is at least 2048 bits, or 4096 if you
want to be extra secure.
- Advanced key pairs
- When GnuPG creates a new keypair, it compartmentalizes
the encryption function from the signing function through subkeys. If you use
subkeys carefully, you can keep your GnuPG identity much more
secure and recover from a compromised key much more quickly. Alex Cabal
and the Debian wiki
provide good guides for setting up a secure subkey configuration.