Guide to Public & Private Keys

Cover Image for Guide to Public & Private Keys
CRUSVEDER

10 min read

The Complete Guide to Public and Private Keys for Secure Communication

In today’s interconnected world, digital privacy is no longer optional—it’s essential. Every time you send an email, transfer a file, or log in to a website, your data travels across servers, routers, and networks you don’t control. Without protection, it’s like sending your most private messages on a postcard—anyone handling it could read or alter its contents.

To secure this information, we rely on cryptography, the science of making data unreadable to unauthorized parties. One of the most powerful and widely used methods in cryptography is public and private key cryptography, also called asymmetric encryption.

This long-form guide will walk you through:

  • Why symmetric encryption wasn’t enough

  • How public/private keys solve this problem

  • Step-by-step process of generating your own keys

  • Using them to encrypt, decrypt, sign, and verify messages

  • Best practices for key management

  • Real-world use cases that impact your daily digital life

By the end, you’ll understand not just the theory but also the practical steps to start using this technology yourself.

Why Do We Need Public and Private Keys?

The earliest form of secure communication online used symmetric encryption. With symmetric systems:

  • Both sender and receiver share the same secret key.

  • Sender encrypts with this key, receiver decrypts with the same key.

This works fine in a small, controlled environment, but it suffers from the key distribution problem. How do you share this secret key securely in the first place? If someone intercepts it during transmission, they can read all your future communications.

Here’s a simple diagram:

   [Alice] ---(Encrypt with Shared Key)---> [Message] ---(Decrypt with Shared Key)---> [Bob]
                                 |
                              [Attacker]
                                 |
                           (If key is stolen,
                           message is exposed)

This flaw makes symmetric encryption impractical at scale.

The breakthrough: Asymmetric encryption (public/private keys). Instead of a single shared key, it uses two mathematically related keys:

  • Public Key → freely shared with anyone.

  • Private Key → kept secret by the owner.

Now, if someone wants to send Bob a secure message, they encrypt it with Bob’s public key. Only Bob’s private key can unlock it. Even if attackers capture the encrypted message, they can’t read it without the private key.

How Public and Private Keys Work

The public/private key system does more than just protect messages. It also ensures authenticity (knowing who sent the message) and integrity (ensuring the message wasn’t altered). Let’s explore the main processes.

Encryption & Decryption

   [Alice] ---(Encrypt with Bob's Public Key)---> [Encrypted Message] ---> [Bob]
                                                              |
                                                (Decrypt with Bob's Private Key)

  • Alice encrypts the message using Bob’s public key.

  • Only Bob’s private key can decrypt it.

  • Result: confidentiality.

Digital Signatures

   [Alice] ---(Sign with Private Key)---> [Signed Message] ---> [Bob]
                                                          |
                                            (Verify with Alice's Public Key)

  • Alice signs her message using her private key.

  • Bob verifies it using Alice’s public key.

  • Result: authenticity and integrity. If even one character changes, verification fails.

Hybrid Encryption (Best of Both Worlds)

Public/private key operations are secure but computationally heavy. Encrypting large files with them would be inefficient. Instead, hybrid encryption is used in real-world systems.

   Step 1: Generate random Session Key
   Step 2: Encrypt Message with Session Key (Fast - Symmetric)
   Step 3: Encrypt Session Key with Recipient's Public Key
   Step 4: Send (Encrypted Message + Encrypted Session Key) ---> [Bob]

   [Bob]:
   - Decrypt Session Key with Private Key
   - Use Session Key to Decrypt Message

This combines:

  • Speed of symmetric encryption

  • Security of asymmetric encryption

Protocols like PGP (Pretty Good Privacy) and TLS (the “lock” in HTTPS websites) use this exact method.

Step-by-Step: Generating Key Pairs with GnuPG

To use public/private keys in practice, you’ll need a tool. The most popular one is GnuPG (GPG), a free, open-source implementation of the OpenPGP standard.

1. Install GnuPG

  • Windows: Download Gpg4win

  • Linux (Ubuntu/Debian):

    sudo apt install gnupg

  • macOS (Homebrew):

    brew install gnupg

2. Generate a Key Pair

Run in terminal:

gpg --full-generate-key

You’ll be prompted step by step:

  1. Key type → Choose RSA and RSA (default)

  2. Key size → Select 3072 or 4096 bits (more secure, but slower)

  3. Expiration date → Set a duration (e.g., 1 year) or 0 (no expiry)

  4. User ID → Enter your name and email (links the key to your identity)

  5. Passphrase → Protects your private key from misuse

After this, GPG generates your key pair.

3. List Keys

gpg --list-keys

Displays your generated key ID, fingerprint, and user details.

4. Export Keys

  • Public key (to share):

    gpg --export -a your_key_id > mypublickey.asc

  • Private key (backup only, keep secret):

    gpg --export-secret-key -a your_key_id > myprivatekey.asc

5. Import Keys

If someone shares their public key:

gpg --import theirpublickey.asc

6. GPG Workflow

   [You] ---(Generate Key Pair)---> [Public Key + Private Key]

   Share ---> [Public Key] ----> (Anyone can encrypt for you)
   Keep ----> [Private Key] ----> (Only you can decrypt)

   Encryption:   Sender uses YOUR Public Key
   Decryption:   YOU use YOUR Private Key
   Signature:    YOU sign with Private Key
   Verification: Others check with YOUR Public Key

Practical Usage

Encrypt a File

gpg -e -r recipient_email file.txt

Creates file.txt.gpg, only readable by the recipient.

Decrypt a File

gpg -d file.txt.gpg

Sign a File

gpg --sign file.txt

Verify a Signature

gpg --verify file.txt.sig

Best Practices for Secure Key Management

  1. Keep your private key private. Never share it.

  2. Use strong passphrases. Aim for long, random combinations.

  3. Backup your keys. Use encrypted drives or trusted password managers.

  4. Generate a revocation certificate. Essential if your private key is lost or stolen.

  5. Rotate keys periodically. Don’t rely on one forever.

  6. Verify fingerprints. Always confirm a public key’s fingerprint before trusting it.

  7. Separate keys by purpose. Example: one for email, another for software signing.

Real-World Applications

  • Email Security → Journalists use PGP to protect sources.

  • File Encryption → Businesses encrypt backups before cloud upload.

  • Software Distribution → Developers sign software updates.

  • SSH Authentication → Servers use keys instead of weak passwords.

  • Blockchain → Cryptocurrency wallets depend on public/private keys.

  • SSL/TLS Certificates → Secure websites (HTTPS) rely on key pairs.

Conclusion

Public and private key cryptography is the foundation of modern internet security. It solves the distribution problem of symmetric encryption and enables powerful features like digital signatures and hybrid encryption.

With tools like GnuPG, you don’t need to be a cryptographer to take control of your digital privacy. By generating, using, and protecting your own keys, you can:

  • Ensure your communications stay private

  • Verify the authenticity of messages and files

  • Protect yourself against eavesdropping and tampering

Whether you’re an individual securing emails or an organization protecting critical data, public/private keys are the invisible shield guarding your digital world.

Common Mistakes and Troubleshooting in Public/Private Key Cryptography

Even with the right tools, beginners (and sometimes even experienced users) often run into issues when using public/private keys. Below is a practical troubleshooting guide to help you avoid pitfalls and solve common problems.

Mistake 1: Forgetting the Private Key Passphrase

  • Symptom: You generated a key pair but forgot the passphrase protecting your private key.
  • Problem: Without the passphrase, you cannot use the private key to decrypt or sign.
  • Solution:
    • Unfortunately, there’s no way to recover a lost passphrase.
    • Always generate a revocation certificate after creating a key, so you can revoke it if this happens.
    • Store passphrases securely in a trusted password manager.

Mistake 2: Sharing the Wrong Key

  • Symptom: Someone says they can’t decrypt your messages, or you can’t verify their signature.
  • Problem: You may have shared your private key by accident or tried to use someone’s public key incorrectly.
  • Solution:
    • Never share your private key. Only share your public key.
    • Check which key you exported: gpg --list-keys gpg --list-secret-keys
    • Re-export the correct public key with: gpg --export -a your_key_id > mypublickey.asc

Mistake 3: Using Expired Keys

  • Symptom: GPG refuses to encrypt or sign because your key is expired.
  • Problem: Keys are often set to expire as a security precaution.
  • Solution:
    • Extend your key’s expiration date:
      gpg --edit-key your_key_id gpg> expire gpg> save
    • Re-distribute your updated public key.

Mistake 4: Encrypting with the Wrong Key

  • Symptom: You can’t decrypt a file someone sent you.
  • Problem: They may have encrypted it with their own public key instead of yours.
  • Solution:
    • Double-check the recipient email/ID used when encrypting:
      gpg -e -r recipient_email file.txt
    • Verify you both have the correct keys imported.

Mistake 5: Trust Level Not Set

  • Symptom: You see warnings like “There is no indication that this key belongs to the named user.”
  • Problem: GPG doesn’t trust the key by default.
  • Solution:
    • Set the trust level manually:
      gpg --edit-key key_id gpg> trust gpg> save

Mistake 6: Keyring Confusion

  • Symptom: You have multiple keys for the same person and aren’t sure which is valid.
  • Problem: Old, revoked, or duplicate keys may clutter your keyring.
  • Solution:
    • List keys and fingerprints:
      gpg --list-keys
    • Delete outdated ones:
      gpg --delete-key key_id

Mistake 7: Lost Private Key

  • Symptom: You no longer have the private key file but still receive encrypted messages.
  • Problem: Without the private key, decryption is impossible.
  • Solution:
    • Use your revocation certificate to tell others your old key is invalid.
    • Generate a new key pair and distribute the new public key.

Mistake 8: Signature Verification Fails

  • Symptom: You receive an error saying “BAD signature” when verifying a file.
  • Problem: Either the file was tampered with, or you’re missing the correct public key.
  • Solution:
    • Verify you have the sender’s correct public key.
    • Check the file’s integrity by downloading again.
    • If the error persists, assume tampering.

Mistake 9: Not Verifying Fingerprints

  • Symptom: You trust a public key that looks real but could be fake.
  • Problem: Attackers can impersonate someone by creating a fake key with the same name/email.
  • Solution:
    • Always verify the fingerprint of a public key over a secure channel (phone call, in-person, etc.).
      gpg --fingerprint key_id

Mistake 10: Ignoring Backups

  • Symptom: You reinstall your system and lose all keys.
  • Problem: Without backups, your encrypted data is permanently inaccessible.
  • Solution:
    • Export and securely back up both public and private keys.
    • Store in encrypted USB drives or password managers.