GPG
Let’s first define some vocabulary that I routinely mix up: GnuPG, also known as GPG—Gnu Privacy Guard—is a free implementation of the OpenPGP standard, also known as PGP—Pretty Good Privacy. I have been using GPG for years now, but never really understood what I was doing. It’s high time to change that, so I spent the morning doing a little research on how to set up GPG properly.
My goal was to create all the keys necessary to
- encrypt my emails (ProtonMail is providing me a key, but I wanted to set things up from scratch),
- use pass,
- and sign my Git commits,
all while sticking to best practices.
This is a living note that I will revisit as I learn more. For now, here is what I did:
- Check which keys I already have: `gpg -K --keyid-format long`
- Create a key: `gpg --full-generate-key`
  - RSA with 4096 bytes
  - As the UID I used my real name, email address, and the comment “personal.” I have minimal privacy concerns here: I am not using this key for anything too sensitive, and I need to expose this information on this very website anyway to comply with German law.
  - Choosing a passphrase proved to be a bigger challenge than anticipated. Usually I would create a 32-character random password and be done with it, but I had to enter this passphrase so many times that I decided to find a way to create passphrases that are both secure and easy to remember. I stumbled upon Diceware and went with it.
  - After the key was created, I realized that it consists of one main key for signing and certifying and one subkey for encrypting. I read up on subkeys; they seem great and allow you to put your main private key somewhere really secure while only using subkeys for your day-to-day work.
- Create another subkey, but for signing: `gpg --edit-key KEY_ID addkey`
  - RSA (sign only) with 4096 bytes
  - Expires after five years
  - Do not forget to `save`.
- Back up your `.gnupg` directory with the main private key in it! You will need it again to create new subkeys, for example.
- Delete the main private key: `rm ~/.gnupg/private-keys-v1.d/KEYGRIP.key` (the files in that directory are named after the key's keygrip, not its key ID; `gpg -K --with-keygrip` shows it). `gpg -K` now prints `sec#` instead of just `sec` next to the private key. That means it is not really there anymore.
- Change the passphrase: `gpg --edit-key KEY_ID passwd`
  - This way your main key is still safe even if your everyday passphrase is compromised, because it is still secured with the passphrase from step 2.
To summarize, I now have a subkey for encrypting emails and passwords and a subkey for signing my Git commits while my main key is tucked away safely. Great!
Next up, I am letting my software know about these new keys:
- Sign Git commits: `git config --global user.signingkey KEY_ID!`
  - The `!` is no accident and is crucial to pick up the correct subkey for signing.
- Add public key to Sourcehut
  - I was a bit surprised that my exported public key always looked the same regardless of the key ID (main key or subkey) I provided. Apparently the spec dictates that exported public keys always include the main public key. There seem to be ways around this, though.
- Import private key into Proton Mail
  - Export private key from GPG: `gpg --export-secret-key KEY_ID > FILE`
- Initialize password manager: `pass init KEY_ID`
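The whole procedure above, from key creation to the pinned Git signing subkey, as an added shell example that is not part of the original note: it runs in a throwaway GNUPGHOME with a constructed UID and passphrase, uses `--quick-generate-key` and `--quick-add-key` instead of the interactive prompts, and assumes GnuPG 2.1 or later (for `private-keys-v1.d` and loopback pinentry).

```shell
#!/bin/sh
# Added example, not the note's own commands. Everything here is constructed:
# a throwaway GNUPGHOME, a stand-in passphrase and a demo UID. Real use would
# take a Diceware passphrase and move the backup file off the machine.
set -eu

gpg_demo() {
    algo=${1:-rsa4096}                   # the note's key size; pass rsa2048 for a faster run
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    pass="correct-horse-battery-staple"  # constructed stand-in for the Diceware phrase
    uid="Demo User (personal) <demo@example.invalid>"
    gpgq() { gpg --batch --pinentry-mode loopback --passphrase "$pass" "$@"; }

    # 1. Primary key for certifying and signing, as --full-generate-key creates it.
    gpgq --quick-generate-key "$uid" "$algo" cert,sign 5y
    fpr=$(gpg --batch --with-colons --list-keys | awk -F: '$1=="fpr"{print $10; exit}')

    # 2. An encryption subkey plus a separate sign-only subkey, both expiring in five years.
    gpgq --quick-add-key "$fpr" "$algo" encr 5y
    gpgq --quick-add-key "$fpr" "$algo" sign 5y

    # 3. Back up the complete secret key BEFORE touching the primary; this file is
    #    what you need later to add or revoke subkeys.
    gpgq --export-secret-keys "$fpr" > "$GNUPGHOME/primary-backup.gpg"

    # 4. Delete the primary secret key. Files in private-keys-v1.d are named by
    #    keygrip, not by key ID, so look it up first (the first grp line is the primary).
    grip=$(gpg --batch --with-colons --with-keygrip --list-secret-keys "$fpr" \
           | awk -F: '$1=="grp"{print $10; exit}')
    rm "$GNUPGHOME/private-keys-v1.d/$grip.key"

    # 5. The sign-only subkey (capability "s") is the one Git should use; the trailing
    #    "!" pins exactly that subkey instead of letting gpg choose.
    sub=$(gpg --batch --with-colons --list-keys "$fpr" \
          | awk -F: '$1=="sub" && $12=="s"{print $5; exit}')
    echo "git config --global user.signingkey ${sub}!"
    echo "keys and backup left in $GNUPGHOME"

    # Succeed only if gpg now shows "sec#": primary secret key gone, subkeys (ssb) kept.
    if gpg --batch --list-secret-keys "$fpr" | grep -q '^sec#'; then ok=0; else ok=1; fi
    gpgconf --kill gpg-agent
    return $ok
}
```

Source the file and call `gpg_demo`; the temporary directory is deliberately kept so you can inspect `gpg -K` output and the backup before deleting it.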