With Gnoppix 26 we’ve deployed Post-Quantum Cryptography (PQC) with GnuPG! Gnoppix supports the Kyber algorithm for public-key encryption. As an alternative to our Gnoppix KeygenGUI, you can follow these steps to generate a new key pair that uses it.
Remember: GPG v2.6 is needed.
Step-by-Step Kyber Key Generation
The process uses the standard GnuPG key generation command, but you’ll specify the Kyber algorithm.
1. Start the Key Generation Process
Execute the following command in your terminal:
gpg --full-generate-key
2. Choose the Key Type
GnuPG will ask you to select the kind of key you want. You must select the option for “Elliptic Curve/Kyber” key.
Please select what kind of key you want:
- RSA and RSA (default)
- DSA and ElGamal
- DSA (sign only)
- Elliptic Curve/Kyber
- Elliptic Curve (sign only)
- ECC and Kyber
Your selection? 16
3. Choose the Curve and PQC Algorithm
You’ll be prompted to choose the elliptic curve for the signing subkey (which remains standard) and the specific Kyber algorithm for the encryption subkey. The available Kyber algorithms are usually prefixed with the security level (e.g., Kyber-512, Kyber-768, Kyber-1024). Kyber-768 is generally recommended for equivalent security to AES-128/SHA-256 against classical and quantum attackers.
Please select the Kyber variant you want:
(1) Kyber 768 default
(2) Kyber 1024
(3) Kyber 768 (X25519)
(4) Kyber 1024 (X448)
Your selection? 4 (Or your preferred security level)
4. Set the Key Expiration Date
You must specify how long the key should be valid. For better security and practice, keys should have an expiration date.
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? 10y (Example: one year)
Is this correct (y/N)? y
5. Enter User ID Information
You will be asked to provide identifying information that will be attached to your public key.
- Real name: Enter your full name or pseudonym.
- Email address: Enter your primary email address.
- Comment: (Optional) Add a comment, e.g., “PQC Kyber Key.”
After reviewing the details, confirm the entry.
6. Set a Passphrase (Crucial Step!)
GnuPG will ask you to set a strong passphrase to protect your private key. This is vital. Without the passphrase, anyone who gets your private key file can impersonate you.
Use a strong, unique passphrase.
7. Generate Randomness
GnuPG will require a good amount of randomness (entropy) to generate the cryptographic material. You’ll see a message prompting you to perform some random actions on your computer (like typing, moving the mouse, disk activity) to speed up this process.
We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy.
8. Key Generation Complete
Once the generation is finished, GnuPG will confirm the key was successfully created and display its details:
gpg: key XXXXXXXXXXXXXX marked as ultimately trusted
gpg: directory '/home/gnoppix/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/gnoppix/.gnupg/openpgp-revocs.d/XXXXXXXXXXXXXXXX.rev'
public and secret key created and signed.
pub ed25519/XXXXXXXXXXXXXX 2025-12-06 [SC] [expires: 2026-12-06]
Key fingerprint: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
uid Your Name (PQC Kyber Key) <your.email@gnoppix.me>
sub **ky1024_cv448**/XXXXXXXXXXXXXXXX 2025-12-06 [E] [expires: 2026-12-06]
Note the sub line showing the Kyber algorithm used for the encryption subkey.
Verifying Your New Key
You can verify that the key pair was correctly created and uses the Kyber algorithm by listing your keys:
gpg --list-keys
Look for the kyberXXX algorithm listed next to the encryption subkey (sub).
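A scripted version of this check, as an added example that is not from the Gnoppix page: it reads a listing in the layout printed above and reports, per key, whether a usable encryption subkey is Kyber-based. The function name `pqc_report`, the sample listing and its addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Gnoppix or GnuPG code. Assumes the human-readable
# listing layout shown on this page ("pub"/"uid"/"sub" lines).
#
# pqc_report: read a key listing on stdin, print one line per primary key:
#   PQC <email> <algo>        a usable [E] subkey is Kyber-based
#   CLASSICAL <email> <algo>  usable [E] subkeys exist, none is Kyber
#   NOENC <email>             no usable encryption subkey
pqc_report() {
  awk '
    function emit() {
      if (!seen) return
      if (pqc != "")      print "PQC", id, pqc
      else if (cls != "") print "CLASSICAL", id, cls
      else                print "NOENC", id
    }
    $1 == "pub" || $1 == "sec" {
      emit(); seen = 1; id = "(no-uid)"; pqc = ""; cls = ""; next
    }
    # Remember the address from the first user ID of the current key.
    $1 == "uid" && id == "(no-uid)" && match($0, /<[^>]+>/) {
      id = substr($0, RSTART + 1, RLENGTH - 2); next
    }
    $1 == "sub" || $1 == "ssb" {
      # Expired or revoked subkeys cannot receive new messages.
      if (index($0, "[expired:") || index($0, "[revoked:")) next
      enc = 0
      for (i = 3; i <= NF; i++)
        if ($i ~ /^\[[SCEA]+\]$/ && index($i, "E")) enc = 1
      if (!enc) next
      split($2, part, "/")      # drop "/KEYID" when it is attached
      if (part[1] ~ /^ky/) pqc = part[1]; else cls = part[1]
    }
    END { emit() }
  '
}

# Constructed sample listing (placeholder key IDs and addresses).
SAMPLE='pub ed25519/AAAAAAAAAAAAAAAA 2025-12-06 [SC] [expires: 2026-12-06]
uid Your Name (PQC Kyber Key) <your.email@gnoppix.me>
sub ky1024_cv448/BBBBBBBBBBBBBBBB 2025-12-06 [E] [expires: 2026-12-06]
pub rsa4096/CCCCCCCCCCCCCCCC 2020-01-01 [SC]
uid Friend <friend@example.org>
sub rsa4096/DDDDDDDDDDDDDDDD 2020-01-01 [E]
pub ed25519/EEEEEEEEEEEEEEEE 2021-01-01 [SC]
uid Old Key <old@example.org>
sub cv25519/FFFFFFFFFFFFFFFF 2021-01-01 [E] [expired: 2022-01-01]'

printf '%s\n' "$SAMPLE" | pqc_report
```

On a real keyring the same function can be fed with `gpg --list-keys | pqc_report`. The human-readable listing is not a stable interface, so long-lived automation should parse `--with-colons` output instead.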
Great! Let’s cover how to export your public key so others can use it to encrypt messages to you, and then how to encrypt a file using a recipient’s public key (like the one you just generated).
9. Exporting Your Post-Quantum Public Key
You need to share your public key with anyone who wants to send you an encrypted message. This key includes the new Kyber encryption subkey.
A. List Your Key ID
First, find the Key ID (the long string of characters) or the User ID (your name/email) associated with your new key.
gpg --list-secret-keys
You will see output similar to this (the key ID is XXXXXXXXXXXXXX):
sec ed25519/XXXXXXXXXXXXXX 2025-12-06 [SC]
uid Your Name (PQC Kyber Key) <your.email@gnoppix.me>
ssb kyber1024_cv448 YYYYYYYYYYYYYYY 2025-12-06 [E]
B. Export the Key
Use your Key ID or User ID to export the public key in a standard text format (ASCII armored).
gpg --armor --export 'Your Name (PQC Kyber Key) <your.email@gnoppix.me>' > my_pqc_key.asc
- --armor: Ensures the output is plain text (ASCII-armored) instead of binary.
- --export: Command to export the public key.
- 'Your Name': Replace this with your name, email, or Key ID.
- > my_pqc_key.asc: Directs the output to a file named my_pqc_key.asc.
You can now send this my_pqc_key.asc file to your contacts.
10. Encrypting a File
To encrypt a file for someone (whether they use a standard RSA key or a PQC Kyber key), you must first import their public key into your own GnuPG keyring.
A. Import the Recipient’s Public Key
If a friend sends you their public key file (friend_pqc_key.asc), import it:
gpg --import friend_pqc_key.asc
B. Encrypt the File
Use the --encrypt and --recipient (-r) flags. You must specify the User ID (name or email) of the person whose public key you imported.
gpg --encrypt --recipient 'Friend' secret_message.txt
- --encrypt: Tells GnuPG to encrypt the file.
- --recipient 'Friend': Specifies the recipient using their name or email (as listed on their key).
- secret_message.txt: The name of the file you want to encrypt.