PGP
My PGP public key is published here, or you can use the curl and gpg commands to import it:
curl https://keybase.io/essethon/pgp_keys.asc | gpg --import
It is also published via Web Key Directory (WKD).
Fingerprint: 0DA1 55F8 64E2 605C 67FF 9021 EB40 D90B 1D28 E872
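Importing a key from a URL only tells you what that URL served; the fingerprint above is what lets you confirm you got the right key. The following shell script is an added example (it is not part of this page's original text) that parses GnuPG's machine-readable `--with-colons` listing and compares the primary key's fingerprint with the published one. The sample listing embedded in it is constructed for the example and carries only the fingerprint from this page; everything else in it is made up.

```sh
#!/bin/sh
# Added example: verify that the key you imported carries the fingerprint
# published out-of-band, instead of trusting whatever the download served.

# Fingerprint published on the page, in gpg's spaced display form.
EXPECTED_FPR="0DA1 55F8 64E2 605C 67FF 9021 EB40 D90B 1D28 E872"

# Strip spaces and upper-case so display formatting does not affect comparison.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Read gpg --with-colons output on stdin and print primary-key fingerprints.
# A "fpr" record has the hex fingerprint in field 10; the first "fpr" after a
# "pub" record belongs to the primary key, later ones belong to subkeys.
primary_fingerprints() {
    awk -F: '$1=="pub"{want=1;next} $1=="fpr"&&want{print $10;want=0}'
}

# Return 0 if the expected fingerprint is among the fingerprints read on stdin.
fingerprint_matches() {
    expected=$(normalize_fpr "$1")
    while IFS= read -r fpr; do
        [ "$(normalize_fpr "$fpr")" = "$expected" ] && return 0
    done
    return 1
}

# Constructed sample of `gpg --with-colons --fingerprint <key>` output.
# Only the primary fingerprint is real (it is the one on the page); key IDs,
# dates, user ID and the subkey fingerprint are placeholders.
SAMPLE_LISTING='pub:u:255:22:EB40D90B1D28E872:1600000000:::u:::scESC::::::23::0:
fpr:::::::::0DA155F864E2605C67FF9021EB40D90B1D28E872:
uid:u::::1600000000::0000000000000000000000000000000000000000::Example User <user@example.com>::::::::::0:
sub:u:255:18:00000000FFFFFFFF:1600000000::::::e::::::23:
fpr:::::::::00000000000000000000000000000000FFFFFFFF:'

# Worked check against the constructed sample; returns 0 on a match.
check_sample() {
    printf '%s\n' "$SAMPLE_LISTING" | primary_fingerprints | fingerprint_matches "$EXPECTED_FPR"
}

# Real-world use (requires gpg): import, then compare the fingerprint gpg
# reports for the key with the published one. The key is addressed by its
# fingerprint so gpg cannot pick a different key with the same short ID.
verify_imported_key() {
    keyid=$(normalize_fpr "$EXPECTED_FPR")
    gpg --with-colons --fingerprint "$keyid" | primary_fingerprints | fingerprint_matches "$EXPECTED_FPR"
}
```

Run `check_sample` to see the parser accept the constructed listing, and `verify_imported_key` after `gpg --import` on a machine with GnuPG; a non-zero exit means the key in your keyring is not the one this page publishes.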
My use cases
I use GPG (the open-source implementation of the OpenPGP standard) occasionally for the following purposes:
- Signing Git commits.
- Encrypting some sensitive files (e.g., my Beancount personal ledger) before uploading them to the Internet (e.g., GitHub). Some Git repositories are encrypted with git-crypt.
- Encrypting passwords with the password manager pass.
Most of my everyday emails are not end-to-end encrypted (E2EE) because (1) I find it complex, and it adds significant overhead, especially in terms of backup management and full-text search; (2) few email senders use E2EE. When transmitting sensitive information, I believe that there are many more security concerns to consider beyond just using a specific encryption tool. Nonetheless, I’m open to receiving/sending encrypted emails (for fun).
Additional notes on signing Git commits: Since Git 2.34 and OpenSSH 8.0, SSH keys can be used for Git commit signing. I sometimes use this signing method simply to verify the commit authorship against my GitHub/GitLab account (where I have registered my SSH public key), without concern for PGP’s web of trust concepts.
Master key and subkeys management
- In addition to being protected by a passphrase, the private master key is backed up on an encrypted, mostly offline external storage device. I rarely mount that device on my personal computer.
- The private master key is also stored on YubiKey B, which is typically kept at my home and not carried with me when I go out. Additionally, a strong PIN is set for YubiKey B.
- Whenever the private master key is required (e.g., certifying others’ UIDs or renewing my subkeys), I plug in YubiKey B to complete the operation. This ensures that the private master key never leaves the YubiKey and never appears unencrypted in my computer’s main memory.
- Given the low risks of leaking or losing the private master key, I haven’t set an expiration date for it.
- Private subkeys are stored on YubiKey A with a short PIN for everyday use (signing, decrypting). These subkeys can be renewed or revoked by the private master key.
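The setup above rests on one property that is easy to get wrong when migrating keys: on the everyday machine, GnuPG should hold only a stub for the private master key and should find the subkeys on a smart card, not in the on-disk keyring. The shell script below is an added example (not from this page, and not the author's own tooling) that audits this from `gpg --list-secret-keys --with-colons`. It relies on field 15 of `sec`/`ssb` records, which GnuPG documents as `+` for a secret key held in the local keyring, `#` for a secret key that is not available (a stub whose card is not plugged in), or the token serial number when the key lives on a card. The two sample listings are constructed; key IDs, dates, and the YubiKey serial number are placeholders.

```sh
#!/bin/sh
# Added example: classify where GnuPG thinks each secret key lives, so you can
# confirm the private master key is not sitting in the on-disk keyring.
# Field 15 of a sec/ssb colon record: "+" on disk, "#" stub without card,
# anything else non-empty is the serial number of the card holding the key.
classify_secret_keys() {
    awk -F: '
        $1=="sec" || $1=="ssb" {
            loc=$15
            if (loc=="+")      where="on-disk"
            else if (loc=="#") where="missing-stub"
            else if (loc!="")  where="card:" loc
            else               where="unknown"
            print $1 ":" $5 ":" where
        }'
}

# Return 0 when no "sec" (primary) secret key is held in the local keyring.
primary_key_not_on_disk() {
    if classify_secret_keys | grep -q '^sec:[0-9A-Fa-f]*:on-disk$'; then
        return 1
    fi
    return 0
}

# Constructed sample matching the page's everyday machine: the master key is a
# stub ("#") and all three subkeys report the same (made-up) card serial.
GOOD_LISTING='sec:u:255:22:EB40D90B1D28E872:1600000000:::u:::cESC:::#:::23::0:
fpr:::::::::0DA155F864E2605C67FF9021EB40D90B1D28E872:
uid:u::::1600000000::0000000000000000000000000000000000000000::Example User <user@example.com>::::::::::0:
ssb:u:255:22:0000000011111111:1600000000::::::s:::D2760001240100000006000000010000:::23:
ssb:u:255:18:0000000022222222:1600000000::::::e:::D2760001240100000006000000010000:::23:
ssb:u:255:22:0000000033333333:1600000000::::::a:::D2760001240100000006000000010000:::23:'

# Constructed sample of the state to avoid: the master secret key is on disk ("+").
BAD_LISTING='sec:u:255:22:EB40D90B1D28E872:1600000000:::u:::cESC:::+:::23::0:
ssb:u:255:22:0000000011111111:1600000000::::::s:::+:::23:'

# Worked checks against the constructed samples.
good_sample_passes() { printf '%s\n' "$GOOD_LISTING" | primary_key_not_on_disk; }
bad_sample_passes()  { printf '%s\n' "$BAD_LISTING"  | primary_key_not_on_disk; }

# Real-world use (requires gpg): print one line per secret key, then fail if
# the primary key is found on disk.
audit_local_keyring() {
    gpg --list-secret-keys --with-colons | classify_secret_keys
    gpg --list-secret-keys --with-colons | primary_key_not_on_disk
}
```

With YubiKey A plugged in, `audit_local_keyring` should show `sec:...:missing-stub` followed by `ssb:...:card:<serial>` lines; with neither key plugged in, the subkeys also show `missing-stub`. An `on-disk` entry for `sec` means a full copy of the master key was imported rather than a stub and should be removed from that machine.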