These keys can be used to verify downloaded files and signed emails and messages, as well as to contact me privately.
My PGP key is available at the following locations:
All these files should contain the same set of keys. If one of them differs, something fishy is most likely occurring.
In most situations, fetching and importing my key should be as simple as executing the following command:
gpg --search-keys whitewinterwolf
In some environments, the port used by default to fetch PGP keys (HKP protocol on TCP port 11371) may not be available. In such cases, switch to a server offering port 80 instead:
gpg --keyserver hkp://p80.pool.sks-keyservers.net:80 --search-keys whitewinterwolf
Depending on your gpg configuration, this should list the public keys matching the provided keyword on the SKS Keyservers.
As of now, only a single set of keys matches: mine.
I encourage you to check the keys from at least two distinct sources to ensure their authenticity.
- Key ID: B45A CC0B 6E7A 732A EA5E 4A41 DB4B 188B 0030 8E1C
- Validity period: created: 2017-12-05, expires: 2018-12-05
- Type: RSA-4096 (more information).
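The two-source check recommended above can be scripted. This is an added example, not the author's own tooling: it compares the `gpg --with-colons` listings of two copies of the key and pins the primary fingerprint published on this page. The function names, sample listings and subkey fingerprints are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the key sets obtained from two sources and pin the
# primary fingerprint. Input is `gpg --with-colons` output, for instance from
#   gpg --with-colons --show-keys copy-a.asc   (GnuPG >= 2.2.8; file name hypothetical)

# Fingerprint published on this page, spaces removed.
PINNED_FPR="B45ACC0B6E7A732AEA5E4A41DB4B188B00308E1C"

# Sorted fingerprints of every key and subkey: field 10 of each "fpr" record.
list_fprs() {
    printf '%s\n' "$1" | awk -F: '$1 == "fpr" { print toupper($10) }' | sort -u
}

# Fingerprint of each primary key: the "fpr" record that follows a "pub" record.
primary_fprs() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "pub" || $1 == "sub" { want = ($1 == "pub"); next }
        $1 == "fpr" && want        { print toupper($10); want = 0 }'
}

# compare_sources LISTING_A LISTING_B
# Succeeds only if both listings hold the same key set and that set has
# exactly one primary key, whose fingerprint equals PINNED_FPR.
compare_sources() {
    set_a=$(list_fprs "$1"); set_b=$(list_fprs "$2")
    if [ -z "$set_a" ] || [ -z "$set_b" ]; then
        echo "ERROR: a source contains no keys" >&2; return 2
    fi
    if [ "$set_a" != "$set_b" ]; then
        echo "MISMATCH: the two sources hold different key sets" >&2; return 1
    fi
    if [ "$(primary_fprs "$1")" != "$PINNED_FPR" ]; then
        echo "MISMATCH: primary fingerprint is not the pinned one" >&2; return 1
    fi
    echo "OK: both sources agree on $PINNED_FPR"
}

# Constructed sample listings (records shortened, subkey fingerprints made up).
GOOD='pub:-:4096:1:DB4B188B00308E1C:
fpr:::::::::B45ACC0B6E7A732AEA5E4A41DB4B188B00308E1C:
sub:-:4096:1:1111111111111111:
fpr:::::::::1111111111111111111111111111111111111111:'
# Same primary key, plus a subkey that the other source does not have.
EXTRA="$GOOD
sub:-:4096:1:2222222222222222:
fpr:::::::::2222222222222222222222222222222222222222:"
```

A listing that contains a second primary key also fails the check, because `primary_fprs` then returns more than one line.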
Once my PGP key has been imported into your keyring, use the following command to check your downloaded file:
gpg --verify-options pka-lookups --verify tosig.sig tosign.txt
If you want to start using encrypted or signed email quickly without delving into technical details, follow the Email Self-Defense guide published by the Free Software Foundation. This is a practical step-by-step guide based on Thunderbird and the Enigmail plugin, with an automated bot that lets you practice your newly acquired skills.
If you want to go further with PGP, I especially recommend the following articles:
- John Michael Ashley’s The GNU Privacy Handbook, hosted on the GnuPG project website, provides a first approach to GPG.
- The Debian Wiki article Using OpenPGP subkeys in Debian development provides procedures to create safer keys, notably through the use of subkeys.
- Riseup’s OpenPGP Best Practices provides advice on getting the most benefit from GPG. The same website also hosts other articles on GPG key usage and life-cycle.
Also note that some systems offer a specific integration of PGP, such as Qubes OS’s Split GPG, which isolates the keyring from other applications and from the network in a way somewhat similar to a software-based HSM.