GnuPG (GNU Privacy Guard, or simply GPG) is an implementation of the OpenPGP standard as described in RFC4080.
Typical Use Cases
- End-to-end encryption (E2EE) on supported services
- Code signing via git (see GitHub’s tutorial)
- Authenticating to SSH servers
- Encrypting documents
Best Practices
- Store the primary key offline, and only use subkeys. Your primary key is usually used to change expiration dates on subkeys, add new subkeys, generate revocation certificates, sign others’ keys, etc, none of which you will do on a daily basis, so don’t carry it around.
- Set a expiration date (e.g., 5-7 years) on the subkeys. You can still extend the expiration date or create new subkeys after they expire, but try to leave ample time to do so (e.g., 1-2 years) before actual expiry. This protects the case where you lost the keys and can’t revoke them for any reason. Expiry on the mater key is unnecessary if it’s stored offline.
- Store the subkeys in a hardware key if possible. Note that tools like
ykmanfor Yubikey deletes the local copy of keys when importing, so make sure to make a backup beforehand.- Backup your keys and revocation certificate, ideally in a fireproof container and in multiple places.
- Secure your key with a good passphrase, e.g., 4-6 Diceware words with random extra characters.
Guides
How to set a preferred keyserver URL for your key
- Simply host your public key and make it available at a URL (does not need to be a keyserver).
gpg --edit-key <uid>,keyserver <uri>,save- This helps users refresh the key from a key owner-controlled source when
honor-keyserver-urlis set (note that this option is not on by default).- Alternatively, upload your keys to well-known keyservers such as Ubuntu’s and OpenPGP’s
