I have published my public PGP keys below for my two main email addresses. I have also published my PGP keys in the MIT directory pgp.mit.edu as well that are linked to the same email addresses. If at any time I need to revoke a certificate, it will be revoked there.
I will also be on Dark Mail (if) and when it launches and will update this page with my public key(s) from it as well.
Therefore to keep up with any changes to my PGP and Dark Mail keys, you may want to subscribe to updates of this page at GitHub.
Public Key (copy this chunk to a file)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76
1 2 3 4
You can use my public key to send me encrypted messages and files. The fingerprint is used to validate my identity (over video chat, in person, etc).
Verifying Me: Eric Duncan, aka eduncan911
You can use the fingerprints above to verify the PGP key if you trust my website to be an authoritative source.
To verify that my website has not been tampered with, you may review the commit history on GitHub for any updates other than me along with the datetime of the last updates:
This link shows this actual page you are viewing right now as it is being hosted directly on GitHub Pages (GitHub served you this page, as you are reading it).
Therefore, it can be safe to assume verification of my fingerprint by viewing any tampering or updates to this file in the commit history listed on GitHub.
My GitHub account is protected by two-factor authentication so you can assume that my username/password has not been compromised for an unauthorized update to this page.
I am archiving a list of
gpg2 commands I use from time to time for me when setting up new systems, generating new keys, revoking, etc. Feel free to use them as you wish.
Most of these I have sourced from Alan Eliasen and I highly advise you read that link.
Generate a New Key
Make sure to pick 4096.
Use Stronger Algorithms Before Posting the Public Key
These sets of commands will change the algorithm used even though GnuPG Version 2 already upgraded it to pretty strong ones. That Version 2 upgrade though doesn’t allow for older weaker encryptions possibly used by other addressees in the same email. Therefore by setting the chain below, we stay compatible with older versions of GnuPG software that uses weaker algorithms by default that happen to be addressed in the same email (e.g. mostly Windows users).
1 2 3 4 5 6
Generate a Revocation Key
Be smart and generate a revocation key and store it indefinitely in a secure location so you don’t look like an idiot.
Export your Public Key to Share With Others
Now that you have updated the algorithms and setup a revocation certificate, your public key is ready to be published.
Save this to a file named something like
pubkey.asc, as the
tells others that this is in ASCII format.
Uploading your Public Key to the WOT
You may want to publish your public key to online servers known as the Web of Trust (WOT). This creates the availability of your public key should you send an email to someone that didn’t include your public key.
First thing is, unlike most other commands here, you can only do this with your keyid – not your email address. Your keyid is located by looking at your fingerprint and exporting a short keyid with it:
1 2 3
In the output above, we can see my short KEYID is printed after
We take this
A510AA8C and issue a command to send your public key to the
servers. Note: replace the your-KEYID-here with your short fingerprint. E.g.
mine was A510AA8C in the example above.
Fingerprint: Verifying Identities
So that others can verify your identity, generate a fingerprint that you can carry in your wallet, show over Skype video chat, etc.
Use the command above to print out the fingerprint of other people’s fingerprint for verification.
Backing up a Secret Key
One method is to export your key as ASCII that allows you to print it (for rescanning later as it would be error prone to type it manually), or to store it in a key store (which in itself may be a bad idea).
Optionally, you can specify
--output filename to dump it to a file.
Signing Someone’s Public Key for Local Usage
So get rid of the warnings in email clients, signing the public key tells your system that you have verified and you trust the public key.
Or for trusting someone on a low level:
Import Someone’s Signing of Your Public Key
After someone verifies who you are, they may want to send you a signed certificate. You can import this signed certificate locally for any emails you send to them in the future.
Locally Signing Someone’s Key
If you don’t care about verifying the identity of a person’s public key, you can just locally signing their public key blindly ignoring it.
Publishing your Public Key
You may want to publish your key using GnuPG’s command line, especially to multiple servers.
The Web of Trust dictates good practice of personally verifying someone’s PGP keys by publishing your signed version of their PGP key publicly. Once you sign their key using the procedures above, you can publishing their key using the same —send-keys method above.
Encrypting a File
You can encrypt files using PGP.
If you want to be able to decrypt the file in the future, you must add your own email address to the list of receiptents. The
-r does this for you.
But say you want to one-time encrypt something to send. Most email clients keeps a Sent history (if you are sending it in email). You don’t want this! What if your private key gets compromised and a few years goes past – then, someone with that old private key has the ability to decrypt that old email archived off in your Sent folder.
Therefore, you can omit your own email address. Just remember you will never be able to decode it – ever.
Alternatively, you can encrypt it with —armor that will print out the contents in ASCII mode, making it easier to paste into a text file or email.
That’s about it for the tips.
There is a lot of reasons I skipped over that is listed on Alan Eliasen’s site. I pretty much consider it required reading before I trust you as a PGP sender.