Creating a strong new PGP keypair and posting it on Keybase

The learning curve for PGP is steep. It took me a while to get the basics and understand how to use gpg, but the real problem was: I was afraid of doing something the wrong way and ending up with, you know, my private key published. Oops!

I still am, but some really good tutorials helped me to create a new, better PGP keypair. Yes, I removed the old one. Keybase also makes many things easier, and I wanted to create something nice and clean this time.

My Keybase profile now holds my new public key.

Hmm, what is this PGP/GnuPG?

Check this comprehensive tutorial. From here on, I'm going to assume that you know approximately how to use it.

If this is too complicated for you, just don't use it! Use Signal instead, which is far more secure and easier to use. Go on only if you really need PGP/GnuPG.

Creating a new keypair with subkeys and strong hashes

This excellent post by Alex Cabal explains really clearly how to create a keypair, known as your master keypair, that generates the subkeys you will actually use on your computer/phone. This allows revoking just the subkeys instead of the master keypair if your machine gets stolen. Check it out, it's not that hard, actually.

The article is based on the Debian Wiki page about subkeys, which holds a little more information but is not as clearly explained.

Inserting a small enough picture in the public key

Simon Josefsson explains how he drastically cut the size of the picture he inserted in his public PGP key. It helped me a lot to shrink mine and avoid the "The image is really big" error.

Adding more UIDs (e-mail addresses) on the key

Since I use more than one e-mail address, to simplify the whole PGP thing I use one key for many addresses. Kate's comment has a nice post about adding more addresses to one key, while the StackExchange answer is obviously more direct.

Remember to choose the correct primary address. To rearrange the many addresses in a nice order (which has no meaning for the protocol), follow this trick.

More PGP best practices

There is a huge list of things one should or should not do with a PGP keypair, such as relying on the full fingerprint rather than the key ID. Completely worth reading!
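To make the fingerprint-versus-key-ID advice concrete, here is an added example (my own code, not from the original post or any linked article) that parses the first public-key packet out of a binary OpenPGP blob such as the output of gpg --export, recomputes the RFC 4880 v4 fingerprint, and derives the long (64-bit) and short (32-bit) key IDs from it. The sample key at the bottom is constructed from a made-up modulus and is not a real key; the packet-header and fingerprint rules are the ones in RFC 4880 sections 4.2, 5.5.2 and 12.2.

```python
"""Fingerprint vs. key ID for an OpenPGP v4 public key (RFC 4880)."""
import hashlib
import struct

SHORT_KEY_ID_SPACE = 1 << 32   # only 2^32 distinct short key IDs exist
LONG_KEY_ID_SPACE = 1 << 64


def parse_first_packet(data: bytes, want_tag: int = 6) -> bytes:
    """Walk OpenPGP packet headers and return the body of the first packet with want_tag.

    Tag 6 is a public-key packet; tag 14 would be a public-subkey packet.
    """
    pos = 0
    while pos < len(data):
        first = data[pos]
        if not first & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if first & 0x40:                              # new-format header (section 4.2.2)
            tag = first & 0x3F
            b1 = data[pos + 1]
            if b1 < 192:
                length, hdr = b1, 2
            elif b1 < 224:
                length, hdr = ((b1 - 192) << 8) + data[pos + 2] + 192, 3
            elif b1 == 255:
                length, hdr = struct.unpack(">I", data[pos + 2:pos + 6])[0], 6
            else:
                raise ValueError("partial body lengths are not used for key packets")
        else:                                         # old-format header (section 4.2.1)
            tag = (first >> 2) & 0x0F
            ltype = first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = {0: 1, 1: 2, 2: 4}[ltype]
            length = int.from_bytes(data[pos + 1:pos + 1 + size], "big")
            hdr = 1 + size
        body = data[pos + hdr:pos + hdr + length]
        if tag == want_tag:
            return body
        pos += hdr + length
    raise ValueError(f"no packet with tag {want_tag}")


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian bytes."""
    bit_len = value.bit_length()
    return struct.pack(">H", bit_len) + value.to_bytes((bit_len + 7) // 8, "big")


def rsa_public_key_packet_body(n: int, e: int, created: int) -> bytes:
    """Body of a v4 public-key packet: version 4, creation time, algorithm 1 (RSA), MPIs n and e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def v4_fingerprint(packet_body: bytes) -> str:
    """Section 12.2: SHA-1 over 0x99, the 2-byte body length, and the body itself."""
    prefix = bytes([0x99]) + struct.pack(">H", len(packet_body))
    return hashlib.sha1(prefix + packet_body).hexdigest().upper()


def long_key_id(fingerprint: str) -> str:
    """The 64-bit key ID is the low-order 8 bytes of the v4 fingerprint."""
    return fingerprint[-16:]


def short_key_id(fingerprint: str) -> str:
    """The 32-bit short key ID is the low-order 4 bytes; anyone can grind a key to match one."""
    return fingerprint[-8:]


def normalize_fingerprint(text: str) -> str:
    """Drop the spaces gpg prints between groups so two fingerprints compare byte for byte."""
    return "".join(text.split()).upper()


def matches_expected(blob: bytes, expected_fingerprint: str) -> bool:
    """Check a fetched key (e.g. from a keyserver) against the fingerprint you verified out of band."""
    return v4_fingerprint(parse_first_packet(blob)) == normalize_fingerprint(expected_fingerprint)


def constructed_public_key_blob() -> bytes:
    """Constructed sample: a tiny made-up RSA modulus (NOT a real key) behind an old-format header."""
    body = rsa_public_key_packet_body(n=0xC0FFEE1234567890ABCDEF, e=65537, created=1_500_000_000)
    return bytes([0x99]) + struct.pack(">H", len(body)) + body


if __name__ == "__main__":
    fpr = v4_fingerprint(parse_first_packet(constructed_public_key_blob()))
    print("fingerprint :", " ".join(fpr[i:i + 4] for i in range(0, 40, 4)))
    print("long key ID :", long_key_id(fpr), f"({LONG_KEY_ID_SPACE} possible values)")
    print("short key ID:", short_key_id(fpr), f"({SHORT_KEY_ID_SPACE} possible values)")
```

The point the script makes: the key ID is nothing more than the tail of the fingerprint, so the short form identifies a key by only 32 bits. When you import a key from a keyserver, compare the whole fingerprint (matches_expected does that after stripping the spaces gpg prints), never a key ID.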

Using the gpg command or… creating OS X shortcuts

The Digital Ocean guide is pretty clear on how to use the gpg command, while this really nice Gangi article explains how to set up OS X keyboard shortcuts to encrypt/decrypt/sign/verify PGP text as easily as doing a copy-paste.

Setting AES256 as the default symmetric encryption cipher for gpg

It's as easy as adding the line cipher-algo AES256 at the end of the gpg configuration file, which is ~/.gnupg/gpg.conf.

Putting all on Keybase and on a keyserver

Keybase offers a PGP keyserver that cross-checks and confirms your identity "the social way", while keeping the whole website and command-line tool open source, which is a huge plus. They also always ask whether you want to give them your private key to use the advanced functions of their website; if you do, no problem, they will encrypt it. But if you don't trust them enough, just don't do it, and that's completely fine! To use their site, just follow their tutorials.

Also upload the key to a keyserver. I like this one: hkps.pool.sks-keyservers.net

Categories: Privacy and Security
Tags: GnuPG // PGP // Keybase // Privacy // Security // E-mail