# Generating & exporting a PGP key

In this chapter we will show you step by step how to create a PGP key. This key type is used for

- encrypting the document containing your  credentials for the Investment API
- encrypting files that are made available to you via the Investment API.


Please be aware that a separate PGP key pair is required for each of the use cases mentioned.

## Prerequisites

- Before you start, contact your IT Security team to comply with **your company's key management policies**.
- A prerequisite for generating the PGP key is that you have already downloaded and installed the [GPG command line tools](https://www.gnupg.org/download/) for your operating system.


## 1. Creating a key pair

Note that it is mandatory to encrypt the key.

Open the terminal app.

Generate a key by running `gpg --full-generate-key`.

During key generation, you can define the following specifications according to your requirements:

**Example RSA key generation**

Type of encryption

```
Please select what kind of key you want:
(1) RSA and RSA
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(9) ECC (sign and encrypt) *default*
(10) ECC (sign only)
(14) Existing key from card
```

We recommend RSA/RSA.

Key size

```
  RSA keys may be between 1024 and 4096 bits long.
  What keysize do you want? (3072) 4096
```

We recommend key size of 4096 bits to ensure the highest possible security.

Expiration date for the key

```
        Please specify how long the key should be valid.
         0 = key does not expire
        <n>  = key expires in n days
        <n>w = key expires in n weeks
        <n>m = key expires in n months
        <n>y = key expires in n years
```

We recommend no expiration time (press `Enter` during the prompt).

Finally, confirm your settings with `Y`.

Specify your real name and email address that will be associated with this key.

Optionally, you can enter a comment.

We recommend specifying the purpose for which you are creating the key here. For example,

- `Upvest Investment API credentials issuance` or
- `Upvest Investment API file download`


You need separate PGP keys for these two use cases in order to be able to work with the Investment API.

To complete the key generation, press `O`.

You are prompted to enter a passphrase to protect your new key.

## 2. List your keys

You can use the following command to list your generated keys:


```
gpg --list-keys
```

## 3. Export & share your public key

After you have successfully created your PGP key pair, you must export it and provide us with the public key.

This command allows you to export the public PGP key using your **Key ID**:

**Example**


```
gpg --export --armor --output jane_doe_pgp.public_key.asc ABCD1234EF567890
```

Replace the ID-specific information in the example (e.g., ABCD1234EF567890) with your own **Key ID**.

To help find your **Key ID**, you can use the following command to list all available keys:


```
gpg --list-keys
```

Submit your PGP public key that looks like this to Upvest:


```
-----BEGIN PGP PUBLIC KEY BLOCK----- 
[PGP key] 
-----END PGP PUBLIC KEY BLOCK-----
```

## 4. Export your private key

Export your PGP private key to a file so that you can securely back it up.

Use the following command to export your private key:

**Example**


```
gpg --export-secret-keys --armor --output [jane_doe]_pgp.private_key.asc [jane.doe@example.com]
```

Back up your private key and make sure that you also save your passphrase.

For security reasons, we recommend that you save the passphrase separately.