Public and Private Keys – CompTIA Security+ SY0-401: 6.3

For asymmetric encryption, you’ll need the public and private key pair for successful encryption and decryption. In this video, I’ll demonstrate the creation of a public and private key pair.



Creating your public and private key pair is usually part of a formal process, especially if you have a formal certificate authority set up. It's integrated into the security policy: you know exactly how to submit a request, and you know the process that goes on to get registered and have that key and the certificate provided back to you. It may be something that is very, very structured. You may need a lot of documentation, you may need to show up in person, and the request has to be linked to the ID that you would use.

Or it might be more relaxed. It might be something like PGP, or OpenPGP, where you are outside of an organization and maybe you're building out a key pair just for your own use. Let's build out a PGP secret key and public key so that you can see what the process is to go through. There is a front end to the OpenPGP standard called GPG.

It stands for GNU Privacy Guard. You can download GPG for Mac OS X, which is what I'm running here, and you can run it on Windows and on Linux. There are command-line versions as well, so you can have that capability on many different operating systems. What I'd like to do in my GPG is build out a brand new public and private key pair so you can see the process I went through when I first created the key pair that I have here.

So I'm going to go up to the Key pull-down menu (which you can't see on the screen) and choose to generate a new key. The key type options available to me include RSA and RSA, which in GPG means an RSA signing key with an RSA encryption subkey. That looks good to me. Let's specify a particular length. Let's call this one a 4096-bit key, a big long one. This key will not expire. And I'm going to put in a different email address here, test@professormesser.com.

I could even put in a comment here that this is a test key, do not use. I plan on deleting this when we're done, but if this key happened to be posted to a public key server, people would see that comment and realize this was not a key that would normally be in use. I choose Generate Key, and one of the messages that comes up is that there needs to be a lot of randomization here.

That's because the random number generators in computers are really only pseudo-random: there's a way to predict certain things that those random number generators might do. So it's saying, move your mouse around, type on the keyboard, do things that would create something a little more random than what we would find in the chips. That activity feeds the entropy pool the key generator draws from; a key built from a predictable source can be recovered by anyone who can reproduce that source. We also need to enter a passphrase, and that's because this private key we're going to create is going to be a very, very important key.

If we have this private key, we can obviously decrypt everything that's sent to us. So as an extra layer of security, PGP asks us to enter a passphrase here. The passphrase is used to encrypt the private key file itself, so a copy of the file alone is useless without it. I'm going to put in a passphrase. This one's not very long, but I'm going to put it in anyway. In fact, it says my passphrase should be at least eight characters long, and it tells you (and this should be part of the CA process that you would set up) that this is not secure at all.

Do you really want to use this one anyway? Yes, I would. It's going to ask me to input that exact same passphrase again so that we know we've got the right one. At this point, we continue to generate this information. It's building out the keys for us, and eventually it's going to create that and put it into our keyring. After moving my mouse around and creating a lot of randomization, we finally got all the information we needed to create this brand new key that has my test account associated with it.

And you can see it's created a 4096-bit RSA key. It has a short ID, a very specific ID number, and there's the fingerprint of the key. The short ID is only the last 32 bits of that fingerprint, and collisions for it are cheap to produce, so verify a key by its full fingerprint rather than its short ID. Now, behind the scenes, of course, this private key is on my hard drive, and if I wanted to, I could export that key and have a look at it right on the screen. Let's do that. In my GPG program I have the option to export that particular key pair, and I can specify not only to export the public key, which is something I might want to provide to everyone, but also to export the private key so you can see how that looks on the screen.

Now, you'll see the public key is this bunch of text. This is the key itself. I could copy and paste this entire block, from BEGIN PGP PUBLIC KEY BLOCK all the way to the end, and put it online for people to download, and they could drag it and drop it into their keyring as well. I'm going to move down just a little bit here so you can see. I'm going to keep going; these are big, 4096-bit keys. And at the bottom of this list you're going to see the end of the public key block.

I also specified for this to output the private key block. Now, obviously you would not do this normally unless you were planning to take that private key and put it somewhere safe. You don't want to share this with anyone; they might be able to figure out your passphrase and then be able to use this. But notice that the private key is structured very much like the public key.

It's again just a lot of text that you could drag and drop into one of these keyrings. That means this information is very easy to move between systems; it's just a bunch of ASCII text. This armored form is the binary OpenPGP key packets encoded in base64 with a checksum line, which is why it survives copy and paste through email and web pages. But the private and the public key, of course, are mathematically linked. So we know that we can take anything sent to us that has been encrypted with that public key and decrypt it with the private key we created at the same time.
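The whole procedure above, from generating the "RSA and RSA" pair with a passphrase, through exporting both the public and the private key block, to proving the two are linked by encrypting with one and decrypting with the other, can also be driven from the gpg command line. This is an added example, not code from the video or from GnuPG's own documentation; it assumes GnuPG 2.1 or later is on the PATH, and the name, email, comment and passphrase it uses are made-up values.

```shell
#!/bin/sh
# Added example, not from the video: the same GPG key generation, export and
# encrypt/decrypt round trip, scripted. Assumes GnuPG 2.1+ as `gpg` on PATH.
# Every function works inside a throwaway GNUPGHOME so your real keyring is
# never touched. Email, comment and passphrase values are made up.
set -e

# Create an isolated keyring directory and print its path.
make_homedir() {
    dir=$(mktemp -d)
    chmod 700 "$dir"
    printf '%s\n' "$dir"
}

# gen_test_key HOMEDIR BITS EMAIL PASSPHRASE
# Unattended equivalent of the GUI dialog: "RSA and RSA" is an RSA primary
# (signing) key plus an RSA encryption subkey, never expiring, with the
# secret key material encrypted under PASSPHRASE.
gen_test_key() {
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --gen-key <<EOF
Key-Type: RSA
Key-Length: $2
Subkey-Type: RSA
Subkey-Length: $2
Name-Real: Test Key
Name-Comment: test key, do not use
Name-Email: $3
Expire-Date: 0
Passphrase: $4
%commit
EOF
}

# key_fingerprint HOMEDIR EMAIL -> 40 hex characters. This is the value to
# verify out of band; the 8-digit "short ID" is just its last 32 bits.
key_fingerprint() {
    gpg --homedir "$1" --with-colons --fingerprint "$2" \
        | awk -F: '/^fpr:/ { print $10; exit }'
}

# export_public_key HOMEDIR EMAIL -> "BEGIN PGP PUBLIC KEY BLOCK" armor, safe to publish.
export_public_key() {
    gpg --homedir "$1" --batch --armor --export "$2"
}

# export_secret_key HOMEDIR EMAIL PASSPHRASE -> "BEGIN PGP PRIVATE KEY BLOCK" armor.
# Only for backup to a safe place; the passphrase is required to unlock it.
export_secret_key() {
    gpg --homedir "$1" --batch --armor --pinentry-mode loopback \
        --passphrase "$3" --export-secret-keys "$2"
}

# encrypt_to HOMEDIR EMAIL: stdin plaintext -> stdout armored ciphertext.
# Needs only the recipient's public key.
encrypt_to() {
    gpg --homedir "$1" --batch --quiet --armor --trust-model always \
        --recipient "$2" --encrypt
}

# decrypt_with HOMEDIR PASSPHRASE: stdin ciphertext -> stdout plaintext.
# Needs the private key and the passphrase that protects it.
decrypt_with() {
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback \
        --passphrase "$2" --decrypt
}

# cleanup HOMEDIR: stop the agent gpg started for this homedir, then delete it.
cleanup() {
    gpgconf --homedir "$1" --kill gpg-agent 2>/dev/null || true
    rm -rf "$1"
}

# End-to-end walk-through, run with `sh keygen.sh demo`. Uses 2048-bit keys
# to keep generation quick; the video chose 4096.
demo() {
    h=$(make_homedir)
    gen_test_key "$h" 2048 test@example.com 'not a real passphrase'
    echo "fingerprint: $(key_fingerprint "$h" test@example.com)"
    export_public_key "$h" test@example.com | head -n 3
    printf 'hello from the public key\n' \
        | encrypt_to "$h" test@example.com \
        | decrypt_with "$h" 'not a real passphrase'
    cleanup "$h"
}

case "${1:-}" in
    demo) demo ;;
esac
```

The parameter-file format with `%commit` and the `--pinentry-mode loopback` option are real GnuPG features; loopback mode is what lets a script hand over the passphrase instead of a pinentry dialog popping up, which is also why a script like this (and your shell history) must never contain a real passphrase.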