Creating a strong new PGP keypair and posting it on Keybase
The learning curve for PGP is steep. It took me a while to get the basics and understand how to use gpg, but the real problem was: I was afraid to do something the wrong way and end up with, you know, my private key published. Oops!
I still am, but some really good tutorials helped me to create a new, better PGP keypair. Yes, I removed the old one. Also, Keybase makes many things easier and I wanted to create something nice and clean this time.
My Keybase profile now holds my new public key.
Hmm, what is this PGP/GnuPG?
Check this comprehensive tutorial. I’m going to assume that you know approximately how to use it from here on.
If this is too complicated for you, just don’t use it! Use Signal instead, which is far more secure and easier to use. Go on only if you really need PGP/GnuPG.
Creating a new keypair with subkeys and strong hashes
This excellent post by Alex Cabal explains really clearly how to create a keypair known as your master keypair that generates the subkeys you will actually use on your computer/phone. This allows revoking just the subkeys instead of the master keypair if your machine gets stolen. Check it out, it’s not that hard, actually.
The article is based on the Debian Wiki page about subkeys, which holds a little more information but explains it less clearly.
Inserting a small enough picture in the public key
Simon Josefsson explains how he drastically cut the size of the picture he inserted in his public PGP key. It helped me a lot to reduce mine and avoid the “The image is really big” error.
Adding more UIDs (e-mail addresses) on the key
Since I use more than one e-mail address, to simplify the whole PGP thing I use one key for many addresses. Kate’s comment has a nice post about adding more addresses into one key, while the StackExchange answer is obviously more direct.
Remember to choose the correct primary address. To rearrange the many addresses in a nice order (it has no meaning for the protocol), follow this trick.
More PGP best practices
There is a huge list of things one should or should not do with the PGP keypair, such as not relying on the key ID but on the fingerprint. Completely worth reading!
Using the gpg command or… creating OS X shortcuts
The Digital Ocean guide is pretty clear on how to use the gpg command, while this really nice Gangi article explains how to set up some OS X keyboard shortcuts to encrypt/decrypt/sign/verify a PGP text as easily as performing a copy-paste.
Setting AES256 as the default symmetric encryption cipher for gpg
It’s as easy as adding the line cipher-algo AES256 at the end of the gpg configuration file, which is in ~/.gnupg/gpg.conf.
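An added shell helper, not from the original post: appending a second cipher-algo line to a gpg.conf that already has one leaves two competing definitions, so this function replaces any existing active definition instead of blindly appending, and a second function checks the effective (last) value. The option names are the ones above; the sample file contents in the usage are constructed.

```shell
#!/bin/sh
# Added example (not the original post's code): idempotently set one
# "option value" line in a gpg.conf-style file.
set_gpg_option() {
    conf="$1"; opt="$2"; val="$3"
    mkdir -p "$(dirname "$conf")"
    touch "$conf"
    tmp="$conf.tmp.$$"
    # Drop any existing active definition of the option (gpg reads
    # "option value" lines; comments start with '#'), then append ours.
    grep -v -E "^[[:space:]]*${opt}([[:space:]]|$)" "$conf" > "$tmp" || true
    printf '%s %s\n' "$opt" "$val" >> "$tmp"
    mv "$tmp" "$conf"
    # gpg.conf should stay private to the owner, like the rest of ~/.gnupg.
    chmod 600 "$conf"
}

# Return 0 when the last active value of an option equals the expected one.
gpg_option_is() {
    conf="$1"; opt="$2"; expected="$3"
    actual=$(grep -E "^[[:space:]]*${opt}[[:space:]]+" "$conf" | tail -n 1 | awk '{print $2}')
    [ "$actual" = "$expected" ]
}

# Usage (constructed sample file; CAST5 stands in for an older cipher line):
# printf 'cipher-algo CAST5\nkeyid-format 0xlong\n' > /tmp/gpg.conf.sample
# set_gpg_option /tmp/gpg.conf.sample cipher-algo AES256
# gpg_option_is /tmp/gpg.conf.sample cipher-algo AES256 && echo "AES256 is the effective cipher"
```

Run it against your real ~/.gnupg/gpg.conf only after checking the sample run; the other lines in the file (keyid-format in the sample) are left untouched.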
Putting all on Keybase and on a keyserver
Keybase offers a PGP keyserver that cross-checks and confirms your identity “the social way”, while keeping the whole website and command line tool open source, which is a huge plus. Also, they always ask you: if you want to give them your private key to use the advanced functionalities of their website, no problem, they will encrypt it. But if you don’t trust them enough, just don’t do it and it’s completely fine! To use their site, just follow their tutorials.
Upload the key also to a keyserver. I like this one: hkps.pool.sks-keyservers.net