Beginner: Seeking help to create the perfect GPG keypair

Hi all.

I’m a new gnupg user and am looking for the best practices (recommended by advanced users) to create and manage my GPG keys.

I read this great article on the topic: Creating the perfect GPG keypair - Alex Cabal, which suggests creating a master key-pair and then a subkey for signing, and a revocation certificate for the master keypair.

The article that I linked to above is from 2013, and some of the content may be outdated. I’m just not sure what is outdated and what isn’t. Any helpful suggestions for advanced users are welcome.

Hi @kapad,

welcome to GnuPG, end to end cryptography and the forum. :slight_smile:

The article you’ve mentioned really is outdated in a few places. I only skimmed it and found two points right away:

  • These days it is easier to use a hardware token, USB based, to protect your private key material. The tutorial seems to build a two layer system which add extra efforts.
  • Do not add pictures to your pubkey. It does not get transfered and not displayed in most situations, and anybody can add your picture to their pubkeys - so it does not help.

However there are many way to construct your security processes and they depend on your needs. Often it is important to keep it as simple as you can so it is actually used. So if you want some extra security, use an USB “smartcard” to keep your private key. But even more important than that would be to communicate your pubkey to your communication partners and chose a good passphrase.

So selecting an email provider that allows others to automatically find your pubkey via WKD (web key directory) could help you to get more encrypted contents in the first place.

Beside this forum, you can also ask on gnupg-users@, see mailinglist, GnuPG - Mailing lists .

Best Regards,
Bernhard

1 Like

Hi @bernhard ,

Thanks for the warm welcome and you answer.

The only times that I have used GnuPG previously, is for work, and I got by with copy pasting commands into build and release scripts.

This is my first time using GnuPG personally. Out of interest, rather than a strong requirement, for either, security or privacy.

Do not add pictures to your pubkey. It does not get transfered and not displayed in most situations, and anybody can add your picture to their pubkeys - so it does not help.

I agree. This doesn’t make much sense. Additionally, from a privacy standpoint, if I were to publish my key, then I would also be publishing my photo.

At the same time, I do want to link additional “social profiles” to my key. I think this may help build trust in my key. At the same time, the online profile that I link to would also need to show my public key on my profile. I know github allows adding DSA/RSA keys, but I’ve never seen them displayed on anyone’s profile.

Any suggestions?

These days it is easier to use a hardware token, USB based, to protect your private key material. The tutorial seems to build a two layer system which add extra efforts.

Thanks for this suggestion, but I don’t have any such device with me, and given that I am simply exploring out of interest, I’ll keep this in mind for later.

Also, I did come across the mailing lists. In fact, I posted in the mailing list for windows, but didn’t submit any questions to the gnupg-users@ list since it was a windows specific question.

I’ve found this series, beginning with the below article, to be extremely helpful and relevant. The first article walks you through generating an ed25519 key pair and exporting it, and the subsequent articles get more in-depth.

Thank you @SunDevil .

I did check that article too. Although I am a total beginner, I do want to set this up with subkeys as I don’t want to use a hardware key right now.

The debian article is the best I have come across so far: Subkeys - Debian Wiki