GPG Key Fingerprint Generator

Generate full 40‑character hex fingerprint and Key ID from any GnuPG public key. 100% client‑side, no server upload. In‑depth GnuPG fingerprint guide included.

Full Fingerprint (40 hex)
A1B2 C3D4 E5F6 7890 1234 5678 90AB CDEF 1234 5678
Long Key ID (16 hex)
90AB CDEF 1234 5678
Short Key ID (last 8 hex)
1234 5678
GPG fingerprints are derived from the primary public key packet, following the OpenPGP standard. This tool uses the same method as GnuPG.
Key type RSA
Key size / curve 4096
Creation time 2024-01-01

Understanding GPG / GnuPG Fingerprints

A GPG fingerprint is a cryptographic hash (SHA‑1 for v4 keys, SHA‑256 for v5 keys) that uniquely identifies a GnuPG public key. It is the most reliable way to verify that a key belongs to a specific person or entity, much more reliable than a Key ID.

Why fingerprints matter
  • Trust establishment: Before using someone's public key, you should verify its fingerprint over an authenticated channel (in person, via secure web page, or from a trusted key server).
  • Preventing impersonation: Key IDs (especially 32‑bit short IDs) can be forged – collisions have been demonstrated. The full 40‑character fingerprint (160 bits for v4) provides a much higher level of uniqueness.
  • Web of Trust: When you sign someone’s key with GPG, you are attesting that the fingerprint and the associated identity belong to the same person.

How a GPG Fingerprint Is Computed

GPG follows the OpenPGP standard (RFC 4880). For a version 4 (v4) key (most common today):

  • The primary public key packet (tag 6) is taken in its binary form.
  • The packet length and tag are removed, but the key material itself (including algorithm‑specific parameters like RSA modulus and exponent, or EC point) remains.
  • A 0x99 prefix byte and a two‑byte length are prepended.
  • The SHA‑1 hash of the resulting data is calculated, producing a 20‑byte (40 hex characters) fingerprint.

For version 5 (v5) keys (introduced in RFC 4880bis, using SHA‑256), the process is similar, but the prefix changes to 0x9A, and the hash is 32 bytes (64 hex characters). Currently, v5 keys are rare; most keys are v4.

The GnuPG source code (g10/keyid.c) implements these algorithms exactly. This tool uses the same underlying method via OpenPGP.js, ensuring compatibility.
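The v4 steps above as a runnable sketch (an added example, not code from GnuPG, OpenPGP.js or this tool): it strips either header format from a tag‑6 packet, hashes 0x99 plus the two‑byte length plus the body with SHA‑1, and derives both Key IDs. The function names and the toy RSA key body are constructed for illustration.

```python
import hashlib
import struct

def packet_body(packet: bytes) -> bytes:
    """Strip the packet header (tag + length) from a public key packet."""
    hdr = packet[0]
    if not hdr & 0x80:
        raise ValueError("not an OpenPGP packet")
    if hdr & 0x40:                                  # new-format header
        tag, first = hdr & 0x3F, packet[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + packet[2] + 192, 3
        elif first == 255:
            length, off = int.from_bytes(packet[2:6], "big"), 6
        else:
            raise ValueError("partial body length in a key packet")
    else:                                           # old-format header
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        n = (1, 2, 4)[ltype]
        length, off = int.from_bytes(packet[1:1 + n], "big"), 1 + n
    body = packet[off:off + length]
    if tag != 6 or len(body) != length:
        raise ValueError("not a complete primary public key packet (tag 6)")
    return body

def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99 || two-byte big-endian length || packet body."""
    if body[0] != 4:
        raise ValueError("only version 4 keys are handled here")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def key_ids(fingerprint: str) -> tuple:
    """Long and short Key IDs are just the tail of the fingerprint."""
    return fingerprint[-16:], fingerprint[-8:]

def sample_body(created: int) -> bytes:
    """Constructed toy RSA key body: version, creation time, algorithm 1, MPIs n and e."""
    n = b"\x00\x10\xc1\xd3"                         # 16-bit toy modulus (not a real key)
    e = b"\x00\x11\x01\x00\x01"                     # public exponent 65537
    return b"\x04" + struct.pack(">I", created) + b"\x01" + n + e

if __name__ == "__main__":
    body = sample_body(1704067200)                  # 2024-01-01 00:00:00 UTC
    fpr = v4_fingerprint(packet_body(b"\xc6" + bytes([len(body)]) + body))
    print(fpr, *key_ids(fpr))
```

Because the creation time is part of the hashed body, the same key material with a different timestamp yields a different fingerprint.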

Key ID vs. Fingerprint

  • Fingerprint: Full hash (40 hex chars). Uniquely identifies a key.
  • Long Key ID: Last 16 hex characters of the fingerprint (e.g., 90AB CDEF 1234 5678). Often used in key listings.
  • Short Key ID: Last 8 hex characters. ⚠️ Vulnerable to collisions – two different keys can have the same short ID. Do not rely on it for verification.

GPG Key Algorithms Comparison

Algorithm | Key size / curve | Security | Performance | GnuPG support
RSA | 2048‑4096 bits | High (2048 bits ~112‑bit security, 4096 ~128‑bit) | Slower (especially signing) | All versions
Ed25519 | 256 bits | Very high (∼128‑bit security, side‑channel resistant) | Very fast | GnuPG 2.1+
ECDSA / ECDH | NIST P‑256, P‑384, P‑521 | High | Fast | Widely supported
DSA | 1024‑3072 bits | Legacy (≤1024 deprecated) | Slow | Discouraged

Recommendation: For new keys, use Ed25519 (signing) + Curve25519 (encryption) – modern, fast, and secure. RSA 4096 is still a safe choice for broad compatibility.

Practical Fingerprint Verification with GPG

  • Command line: gpg --fingerprint [email protected] displays the fingerprint.
  • From a key file: gpg --import --import-options show-only --fingerprint public.key
  • Key servers: Upload your key and let others fetch it; they should verify the fingerprint via another channel.
  • QR codes / business cards: Some tools generate printable cards with fingerprint QR codes.
  • Web of Trust: After verifying a key in person, sign it with your key to publicly vouch for the association.
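A scripted form of the check described in this list, as an added example that is not part of this tool or of GnuPG: it reads machine‑readable output (the page's show-only command with GnuPG's --with-colons option added), takes the primary key's fpr record, and compares it with a fingerprint obtained over another channel. The function names, the sample listing and the address in it are constructed.

```python
import re

# Constructed, trimmed sample of --with-colons output (not from a real key).
SAMPLE = """\
pub:-:4096:1:90ABCDEF12345678:1672531200:::-:::scESC:
fpr:::::::::1234567890ABCDEF1234567890ABCDEF12345678:
uid:-::::1672531200::::Alice <alice@example.org>:
sub:-:4096:1:AAAABBBBCCCCDDDD:1672531200::::::e:
fpr:::::::::FFFF0000FFFF0000FFFF0000AAAABBBBCCCCDDDD:
"""

def normalize_fpr(text: str) -> str:
    """Remove grouping spaces; accept only a full 40-hex v4 fingerprint."""
    hexed = re.sub(r"\s+", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", hexed):
        raise ValueError("expected a full 40-hex fingerprint, not a Key ID")
    return hexed

def primary_fingerprints(colon_output: str) -> list:
    """Return the fpr value (field 10) that follows each pub record.

    Subkey fingerprints (fpr after sub) are ignored: identity is bound
    to the primary key.
    """
    found, last = [], None
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            last = fields[0]
        elif fields[0] == "fpr" and len(fields) > 9:
            if last == "pub":
                found.append(fields[9].upper())
            last = None
    return found

def key_matches(colon_output: str, expected: str) -> bool:
    """True only if the file holds exactly one primary key and it matches."""
    want = normalize_fpr(expected)
    found = primary_fingerprints(colon_output)
    return len(found) == 1 and found[0] == want

if __name__ == "__main__":
    print(key_matches(SAMPLE, "1234 5678 90AB CDEF 1234  5678 90AB CDEF 1234 5678"))
```

Passing a long or short Key ID as the expected value raises an error instead of doing a partial match, and a file containing more than one primary key is rejected.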

Best Practices for GPG Key Management

  • Generate keys locally – never use an online generator for production keys. This tool is for fingerprint inspection only.
  • Set an expiration date (1‑2 years). You can always extend it before expiry.
  • Create a revocation certificate immediately and store it offline (USB drive, printed copy).
  • Protect your private key with a strong passphrase. The private key is encrypted at rest.
  • Use separate subkeys for daily encryption/signing. Keep the master key offline.
  • Regularly audit your keyring with gpg --list-keys and gpg --fingerprint.

Security Considerations

OpenPGP fingerprints are resistant to preimage attacks – given a fingerprint, it's infeasible to create a key that hashes to that value. Collision attacks on SHA‑1 (the hash used for v4 fingerprints), however, are theoretically possible but require massive computational resources. For extremely high‑security environments, consider moving to v5 keys (SHA‑256). Most users can rely on v4 fingerprints with confidence.

Example: Fingerprint in GnuPG Output

pub   rsa4096 2023-01-01 [SC]
      1234 5678 90AB CDEF 1234  5678 90AB CDEF 1234 5678
uid           [ultimate] Alice <[email protected]>
sub   rsa4096 2023-01-01 [E]

The long hex string is the full 40‑character fingerprint, grouped in blocks of four for readability.

Frequently Asked Questions

This tool uses OpenPGP.js, a robust OpenPGP implementation. It should match GnuPG output in most cases. Minor differences may occur with very old or malformed keys. For production verification, always use GnuPG itself.

Yes – all processing happens locally in your browser. No data is sent to any server. Public keys are meant to be public, but we respect your privacy.

The Key ID is the last 8 or 16 hex characters of the fingerprint. The full fingerprint (40 hex) is more secure; short IDs are vulnerable to collision attacks.

No – this tool only inspects existing keys. For generation, use GnuPG on your local machine: gpg --full-generate-key.
