I have published my public PGP keys below for my two main email addresses. I have also published them to the MIT keyserver, pgp.mit.edu, linked to the same email addresses. If at any time I need to revoke a certificate, it will be revoked there.
I will also be on Dark Mail if and when it launches, and will update this page with my public key(s) from it as well.
This link shows the page you are viewing right now as it is hosted directly on GitHub Pages (GitHub served you this page as you are reading it).
Therefore you can verify my fingerprint by checking the commit history listed on GitHub for any tampering or updates to this file.
My GitHub account is protected by two-factor authentication, so you can assume that my username/password has not been compromised for an unauthorized update to this page.
I am archiving here a list of gpg2 commands I use from time to time when setting up new systems, generating new keys, revoking, etc. Feel free to use them as you wish.
Most of these I have sourced from Alan Eliasen, and I highly advise you to read that link.
Generate a New Key
Generate a PGP Key using GnuPG
When asked for the key size, make sure to pick 4096 bits.
Use Stronger Algorithms Before Posting the Public Key
These commands change the algorithm preferences stored on your key. The preference list is what other people's software consults when encrypting to you: it advertises which ciphers, hashes and compression methods your GnuPG accepts, and a sender encrypting one message to several recipients has to pick an algorithm that appears in every recipient's list. GnuPG version 2 already defaults to strong algorithms, but a list that named only those would leave the sender no common choice when an older GnuPG with weaker defaults (mostly Windows users) is among the other addressees of the same email. The list below therefore puts the strong algorithms first and keeps the older, weaker ones at the end, so you get the strong ones whenever possible and stay compatible with older versions otherwise.
Now that you have updated the algorithms and set up a revocation certificate, your public key is ready to be published. Keep the revocation certificate somewhere safe and offline: anyone who holds it can revoke your key.
Get the Public Key
gpg2 --armor --export email@example.com
Save this to a file named something like pubkey.asc; the .asc extension tells others that the key is ASCII-armored text rather than binary.
Uploading your Public Key to the WOT
You may want to publish your public key to online keyservers, loosely referred to here as the Web of Trust (WOT); strictly, the WOT is the graph of signatures people put on each other's keys, and the keyservers are just where keys and those signatures are distributed. Publishing makes your public key available to anyone you email without attaching it, and to anyone who needs to verify your signature.
First, unlike most other commands here, this one takes a key ID or fingerprint rather than your email address. The key ID is the tail end of your fingerprint: the short form is its last 8 hex digits (32 bits), the long form its last 16 (64 bits). You can see the key ID and the fingerprint together by printing the fingerprint with the key ID format of your choice:
Short KEYID with Fingerprint
gpg2 --fingerprint --keyid-format short firstname.lastname@example.org
pub rsa4096/A510AA8C 2014-08-13 [SC]...
In the output above, the short key ID is printed after the rsa4096/ portion, A510AA8C, and the full 40-digit fingerprint follows on the next line.
Take that identifier and issue the --send-keys command to send your public key to the servers, replacing your-KEYID-here with your own key's identifier. E.g. mine was A510AA8C in the example above. The short ID is enough for gpg to find the key on your own machine, but prefer the full fingerprint, or at least the 16-digit long ID (--keyid-format long), wherever the identifier leaves your machine: a short ID is only 32 bits, a second key with the same short ID can be generated quickly, and anyone who looks you up on a keyserver by short ID alone may be handed an impostor's key.
So that others can verify your identity, print your fingerprint so that you can carry it in your wallet, read it out over a Skype video chat, etc.
Print your Fingerprint
gpg2 --fingerprint --keyid-format long email@example.com
The same command prints the fingerprint of any other person's key you have imported; compare all 40 digits against what they gave you in person or over video before you trust or sign that key.
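The publishing and fingerprint-checking steps above both turn on the same thing: the fingerprint and the key IDs derived from it. The script below is an added example, not part of the original page and not Alan Eliasen's material. It normalizes a fingerprint however it was copied, compares it with what gpg reports, pulls the fingerprint out of gpg's machine-readable listing, and cuts out the long and short key IDs to show how little of the fingerprint a short ID keeps. The listing, card fingerprint and key IDs in it are constructed, not real keys; the keyserver in publish_key is my choice, not the page's, and the functions named key_fingerprint and publish_key are the only ones that call gpg2.

```shell
#!/bin/sh
# Added example; these are not the page author's commands. Sample data below
# is constructed, not a real key.
set -eu

# Strip whitespace and upper-case, so a fingerprint copied from a business
# card, read aloud over video, or printed by gpg all compare equal.
fpr_normalize() {
  printf '%s\n' "$(printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F')"
}

# A v4 OpenPGP fingerprint is the SHA-1 of the public key packet: 40 hex digits.
fpr_is_valid() {
  n=$(fpr_normalize "$1")
  case $n in *[!0-9A-F]*|'') return 1 ;; esac
  [ ${#n} -eq 40 ]
}

# Exit status 0 when the fingerprint you were given matches the local one.
fpr_matches() {
  [ "$(fpr_normalize "$1")" = "$(fpr_normalize "$2")" ]
}

# The long key ID is the low 64 bits of the fingerprint (last 16 hex digits),
# the short ID the low 32 bits (last 8). Two different keys can share either.
keyid_long()  { fpr_normalize "$1" | cut -c25-40; }
keyid_short() { fpr_normalize "$1" | cut -c33-40; }

# In scripts, read the fingerprint from gpg's machine-readable listing
# (--with-colons), never from the human layout: it is the 10th field of the
# first "fpr" record (the primary key; subkey records follow it).
fpr_from_colons() {
  awk -F: '$1 == "fpr" { print $10; exit }'
}

# Real use: fingerprint of a key in your keyring, by email or key ID.
key_fingerprint() {
  gpg2 --batch --with-colons --fingerprint "$1" | fpr_from_colons
}

# Real use: publish by full fingerprint rather than short ID. The keyserver
# is an assumption of this example; override it with KEYSERVER=...
publish_key() {
  gpg2 --batch --keyserver "${KEYSERVER:-hkps://keys.openpgp.org}" \
       --send-keys "$(fpr_normalize "$1")"
}

# Constructed sample of "gpg2 --with-colons --fingerprint" output.
SAMPLE_LISTING='pub:u:4096:1:5566778899AABBCC:1407888000:::u:::scESC::::::23::0:
fpr:::::::::123456789ABCDEF0112233445566778899AABBCC:
uid:u::::1407888000::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:'

# What the other party read to you, in the spaced lower-case form people use.
CARD_FPR='1234 5678 9abc def0 1122 3344 5566 7788 99aa bbcc'
LOCAL_FPR=$(printf '%s\n' "$SAMPLE_LISTING" | fpr_from_colons)

fpr_is_valid "$LOCAL_FPR"
if fpr_matches "$CARD_FPR" "$LOCAL_FPR"; then
  echo "fingerprint matches: $LOCAL_FPR"
fi
echo "long key ID : $(keyid_long "$LOCAL_FPR")"
echo "short key ID: $(keyid_short "$LOCAL_FPR")"
```

Compare the whole fingerprint, not the last eight digits that show up in the pub line: the short ID is exactly the part an attacker can reproduce at will.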
Backing up a Secret Key
One method is to export your key as ASCII, which lets you print it on paper (to scan back in later; retyping it by hand would be error-prone) or store it in a password manager or other key store (which carries its own risks). The exported file is protected only by the key's passphrase, so treat it like the key itself.
Exporting a Secret Key for Backup
gpg2 --export-secret-key --armor
Optionally, you can specify --output filename to dump it to a file. With no key ID or email after the command, every secret key in your keyring is exported; name the key to export only one.
Signing Someone’s Public Key for Local Usage
To get rid of the warnings in email clients, signing someone's public key tells your system that you have verified it and trust it. A local signature (lsign) does this for your own machine only and is not exported; an ordinary signature (sign) is the one you would publish.
The Web of Trust's good practice is to personally verify someone's PGP key (compare the full fingerprint, as above) and then publish your signed version of their key. Once you have signed their key using the procedures above, you can publish it using the same --send-keys method above.
Encrypting a File
You can encrypt files using PGP.
Encrypt a File
gpg2 --encrypt --sign -r firstname.lastname@example.org filename
If you want to be able to decrypt the file in the future, you must add your own email address to the list of recipients. Each -r names one recipient, so repeat it for yourself; putting encrypt-to with your own key in gpg.conf does the same thing for every message.
But say you want to one-time encrypt something to send. Most email clients keep a Sent history (if you are sending it in email). You don't want this! What if your private key gets compromised a few years from now? Someone holding that old private key can then decrypt the old email archived in your Sent folder.
Therefore, you can omit your own email address. Just remember you will never be able to decrypt it, ever, and that the recipient's copy is still only as safe as their key.
In addition, you can encrypt with --armor, which prints the ciphertext as ASCII text, making it easier to paste into a text file or email.
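The recipient rule above is easy to state and easy to get wrong, so here it is exercised end to end. This script is an added example, not the page author's commands and not from Alan Eliasen's page. It wraps the encrypt-and-sign command in a function that adds you as a recipient only when asked, then builds two throwaway keyrings with constructed test identities (alice@example.com and bob@example.com, not real people) in a temporary directory and checks that a message encrypted only to Bob cannot be opened by Alice, while one encrypted to both can. The key exchange also uses gpg's non-interactive local signing (--quick-lsign-key), the batch form of the "sign for local usage" step, because gpg in --batch mode refuses to encrypt to a key whose validity is unknown. It needs gpg 2.1 or later; run it with `sh pgp_recipients.sh run` (the file name is my choice).

```shell
#!/bin/sh
# Added example; these are not the page author's commands. Test identities
# and the temp keyrings below are constructed and deleted at the end.
# Run with:  sh pgp_recipients.sh run
set -eu

GPG=$(command -v gpg2 || command -v gpg || true)

# pgp_encrypt_file FILE RECIPIENT [SELF]
# Writes FILE.asc: ASCII-armored, signed with your default secret key and
# readable by RECIPIENT. Give SELF (your own address or fingerprint) as a
# third argument only if you need to read the file again yourself.
pgp_encrypt_file() {
  file=$1; rcpt=$2; self=${3:-}
  set -- --batch --yes --armor --sign --encrypt -r "$rcpt"
  [ -z "$self" ] || set -- "$@" -r "$self"
  "$GPG" "$@" --output "$file.asc" "$file"
}

# new_keyring DIR NAME EMAIL: unattended key generation (gpg 2.1+ syntax).
# The keys are left unprotected only because they die with the temp dir.
new_keyring() {
  mkdir -p "$1" && chmod 700 "$1"
  GNUPGHOME=$1 "$GPG" --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
}

# primary_fpr DIR EMAIL: fingerprint from the machine-readable listing.
primary_fpr() {
  GNUPGHOME=$1 "$GPG" --batch --with-colons --fingerprint "$2" \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Importing a key is not enough: in --batch mode gpg refuses to encrypt to a
# key whose validity is unknown. A local, non-exportable signature with your
# own key (the "sign for local usage" step) makes it valid for you.
lsign_key() {
  GNUPGHOME=$1 "$GPG" --batch --yes --quick-lsign-key "$2"
}

# Returns 0 when the behaviour holds, 1 when it does not, and 77 when gpg is
# missing or cannot generate keys in this environment.
self_recipient_demo() {
  [ -n "$GPG" ] || { echo "gpg not installed, skipping" >&2; return 77; }
  work=$(mktemp -d); alice=$work/alice; bob=$work/bob
  if ! new_keyring "$alice" "Alice Test" alice@example.com 2>/dev/null ||
     ! new_keyring "$bob"   "Bob Test"   bob@example.com   2>/dev/null; then
    echo "gpg cannot generate keys here, skipping" >&2; return 77
  fi
  # Exchange public keys: Alice needs Bob's to encrypt, Bob needs Alice's to
  # verify her signature. Then Alice marks Bob's key as verified.
  GNUPGHOME=$alice "$GPG" --batch --export alice@example.com \
    | GNUPGHOME=$bob "$GPG" --batch --quiet --import 2>/dev/null
  GNUPGHOME=$bob "$GPG" --batch --export bob@example.com \
    | GNUPGHOME=$alice "$GPG" --batch --quiet --import 2>/dev/null
  lsign_key "$alice" "$(primary_fpr "$bob" bob@example.com)"

  printf 'meeting notes\n' > "$work/notes.txt"
  GNUPGHOME=$alice; export GNUPGHOME

  # 1. Alice encrypts to Bob only: Bob can read it, Alice herself cannot.
  pgp_encrypt_file "$work/notes.txt" bob@example.com
  GNUPGHOME=$bob "$GPG" --batch --quiet --decrypt "$work/notes.txt.asc" 2>/dev/null \
    | grep -q 'meeting notes' || return 1
  if "$GPG" --batch --quiet --decrypt "$work/notes.txt.asc" >/dev/null 2>&1; then
    echo "unexpected: the sender could decrypt" >&2; return 1
  fi

  # 2. Alice adds herself as a second recipient: now both can read it.
  pgp_encrypt_file "$work/notes.txt" bob@example.com alice@example.com
  "$GPG" --batch --quiet --decrypt "$work/notes.txt.asc" 2>/dev/null \
    | grep -q 'meeting notes' || return 1

  for h in "$alice" "$bob"; do GNUPGHOME=$h gpgconf --kill gpg-agent 2>/dev/null || true; done
  unset GNUPGHOME
  rm -rf "$work"
  echo "ok: the sender is locked out unless listed as a recipient"
}

case ${1:-} in run) self_recipient_demo ;; esac
```

Step 1 is the "Sent folder" case from the text: once the ciphertext leaves Alice's machine, even her own secret key cannot recover it. Step 2 is what encrypt-to in gpg.conf would give you on every message.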