Last Updated: April 2, 2018
(Key last refreshed on August 24, 2015 with expiry on January 1, 2020.)
PGP (Pretty Good Privacy) is a protocol that allows people to encrypt messages to one another so that other people can’t read them. It also allows you to ‘sign’ messages so that other people who use PGP can verify that the message was produced by the holder of the sender’s key (it hasn’t been forged) and that it arrived without being tampered with while in transit.
In reality the ‘message’ can be anything: an email, a file, a string of text, a commit in a Git repository – essentially PGP can be used with all forms of computer data.
There are some other good guides to PGP on the inter-web:
- Wikipedia’s “Pretty Good Privacy” entry.
- “How to Use PGP for More Secure Email”, by Wall Street Journal reporter Jennifer Valentino-DeVries.
- The Electronic Frontier Foundation’s PGP tutorials for Windows, Mac, and Linux.
- “How PGP works”, from the “Introduction to Cryptography” book.
My main use of PGP is to post public verifiable messages and to sign my Git commits. I also use it to encrypt my personal backups since they are often uploaded to third-party cloud services for long-term storage/archive off-site. Additionally, some of the organisations I am a member of use Keybase coupled with PGP for sharing files and storing credentials.
My GPG Key
22707ACC is my primary PGP key — click here to download it. If you’re happy to manipulate gpg from the terminal then you can try one of the following commands which should all achieve the same thing:
$ gpg --fetch-keys https://media.charliejonas.co.uk/22707ACC.asc
$ gpg --recv-keys 99E8D0A47676A198448BA2391608A2A122707ACC
$ curl https://keybase.io/CHTJonas/key.asc | gpg --import
You can corroborate the legitimacy of this key by finding it on other sources, by verifying it with me in another medium, and checking account ownership proofs via my Keybase account. This key is also available on most keyservers.
You should always check the full key fingerprint to ensure that you have the correct key:
$ gpg --list-keys --fingerprint 22707ACC
pub rsa4096 2015-08-24 [SC] [expires: 2020-01-01]
99E8 D0A4 7676 A198 448B A239 1608 A2A1 2270 7ACC
uid [ultimate] Charlie Jonas <firstname.lastname@example.org>
uid [ultimate] Charlie Jonas <email@example.com>
uid [ultimate] Charlie Jonas <firstname.lastname@example.org>
uid [ultimate] Charlie Jonas <email@example.com>
uid [ultimate] [jpeg image of size 14293]
uid [ultimate] [jpeg image of size 48247]
uid [ultimate] [jpeg image of size 226805]
uid [ultimate] Charlie Jonas <firstname.lastname@example.org>
sub rsa4096 2015-08-24 [E] [expires: 2020-01-02]
The exact output may vary depending on your OS platform, key signature & trust settings and client software. The full key is quite large due to the fact that it has embedded images in it. Adding them to my key is a decision I regret to this day!
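As an added example (this is not code from the original page), the following Python script parses a listing in the form shown above and checks the full 40-hex-digit fingerprint against the expected value, rather than the 8-digit short ID, which is only the last 32 bits of the fingerprint and can be shared by unrelated keys. The sample listing is constructed from this page’s output, trimmed to one user ID with a placeholder e-mail address, and the expected fingerprint is the one given above. The parser targets the human-readable output of the command above; for scripting against a real keyring, gpg’s `--with-colons` output is the stable machine-readable form.

```python
"""Check a PGP key's full fingerprint from `gpg --list-keys --fingerprint` output.

Added example, not code from the original page. Parses the human-readable
listing and compares the full fingerprint, not the short key ID.
"""
import re
from datetime import date

# Constructed sample: the listing from this page, trimmed to one uid line
# (the e-mail address is a placeholder).
SAMPLE_LISTING = """\
pub   rsa4096 2015-08-24 [SC] [expires: 2020-01-01]
      99E8 D0A4 7676 A198 448B  A239 1608 A2A1 2270 7ACC
uid           [ultimate] Charlie Jonas <firstname.lastname@example.org>
sub   rsa4096 2015-08-24 [E] [expires: 2020-01-02]
"""

# The full fingerprint published on this page (the short ID 22707ACC is its last 8 digits).
EXPECTED_FINGERPRINT = "99E8D0A47676A198448BA2391608A2A122707ACC"

# Primary-key header: "pub <algo> <created> [<usage>] [expires: <date>]".
# Usage flags and expiry are optional so older gpg 1.x headers also parse.
_PUB_RE = re.compile(
    r"^pub\s+(\S+)\s+(\d{4}-\d{2}-\d{2})"
    r"(?:\s+\[([A-Z]+)\])?"
    r"(?:\s+\[expires:\s*(\d{4}-\d{2}-\d{2})\])?",
    re.M,
)
# Fingerprint line: ten groups of four hex digits, spaced or compact,
# optionally prefixed with "Key fingerprint = " as gpg 1.x prints it.
_FPR_RE = re.compile(r"^\s*(?:Key fingerprint = )?((?:[0-9A-Fa-f]{4}\s*){10})$", re.M)


def normalize_fingerprint(fpr: str) -> str:
    """Strip whitespace and upper-case so spaced and compact forms compare equal."""
    return re.sub(r"\s+", "", fpr).upper()


def short_key_id(fpr: str) -> str:
    """Last 32 bits of the fingerprint, e.g. '22707ACC'. Not unique across keys."""
    return normalize_fingerprint(fpr)[-8:]


def long_key_id(fpr: str) -> str:
    """Last 64 bits of the fingerprint, as shown by `--keyid-format long`."""
    return normalize_fingerprint(fpr)[-16:]


def parse_listing(text: str) -> dict:
    """Extract the primary key's algorithm, dates, usage flags and fingerprint."""
    pub = _PUB_RE.search(text)
    fpr = _FPR_RE.search(text)
    if pub is None or fpr is None:
        raise ValueError("listing has no primary key header or fingerprint line")
    algo, created, usage, expires = pub.groups()
    return {
        "algo": algo,
        "created": date.fromisoformat(created),
        "usage": usage,
        "expires": date.fromisoformat(expires) if expires else None,
        "fingerprint": normalize_fingerprint(fpr.group(1)),
    }


def fingerprint_matches(actual: str, expected: str) -> bool:
    """Compare full 40-hex-digit fingerprints; anything shorter is rejected outright."""
    a, b = normalize_fingerprint(actual), normalize_fingerprint(expected)
    if len(a) != 40 or len(b) != 40:
        return False
    return a == b  # fingerprints are public values; no constant-time compare needed


def check_key(text: str, expected: str, today) -> dict:
    """Parse a listing and report fingerprint match, short-ID match and expiry."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    info = parse_listing(text)
    return {
        "fingerprint_ok": fingerprint_matches(info["fingerprint"], expected),
        # Shown for contrast only: a short-ID match says nothing about the key.
        "short_id_ok": short_key_id(info["fingerprint"]) == short_key_id(expected),
        "expired": info["expires"] is not None and today > info["expires"],
        "info": info,
    }


if __name__ == "__main__":
    result = check_key(SAMPLE_LISTING, EXPECTED_FINGERPRINT, "2018-04-02")
    print("full fingerprint matches:", result["fingerprint_ok"])
    print("short ID matches:", result["short_id_ok"])
    print("expired:", result["expired"])
```

The `short_id_ok` field exists only to make the point: a listing whose fingerprint differs in all but the last eight digits still passes a short-ID comparison, which is why the full fingerprint is the value to compare.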
I’m generally happy to sign other people’s keys. If I don’t already know you or haven’t known you for a substantial period of time then I usually ask to see multiple forms of government-issued or approved photo ID and/or recent utility bills. In any case I’ll need to confirm that you can encrypt/decrypt and sign with the key that I’m certifying.
There are four different certification types in the PGP spec:
- Generic (“sig”): the issuer of this certification has not stated how well they have checked that the owner of the key is in fact the person described by the User ID. I do not use this.
- Persona (“sig1”): the issuer of this certification has not done any verification. I do not use this certification type.
- Casual (“sig2”): the issuer of this certification has done some casual verification. Something like a business card containing the key ID or fingerprint, or an in-person confirmation of the name and fingerprint at a key signing party.
- Positive (“sig3”): the issuer of this certification has done substantial verification of the claim of identity. I’ve confirmed the person is who they say they are (I have either directly known this person over a long period of time and trust their identity, or I have seen some strong form of identification such as a government-issued photo ID that I believe to be real).
This page is based on Mike Tigas’ PGP page (CC BY-NC-SA 4.0) which you can find here: https://mike.tig.as/pgp/.