Why I generated a GPG Key

4 minute read – posted on March 24, 2016 by Zack Orndorff

So if you’re here, you’re probably one of three types of people. Most likely is that I sent you here because you were wondering why the heck I mentioned this on social media. It’s also possible that you actually care about why I generated a GPG key. I happen to like my explanation, and I hope you do too :) Additionally, in the unlikely case that you just want my key, you can find it at the bottom of the post.

As a result, before I actually answer the question in the title, I should probably answer something else first: What the heck is a GPG key?

What’s a GPG key?

GPG stands for GNU Privacy Guard… and there’s a ton of history that I won’t spend the space to explain. It’s an encryption program. A GPG key has two parts: a public key and a private (or secret) key. You spread the public key as far as you want (I’ve published mine below), and you keep the private key secret.

Then, people can use your key and they can send you messages only you can read. (You also can create a message and prove you wrote it, with a process called signing.)

Why I have one

Ok, that’s great, I guess. Now why do you need one again?

Well, that’s an interesting question. I’ve got a few reasons.

First, by analogy, encryption, for nerds, is a bit like guns for um… people that like guns. You can use it to make your life better (such as allowing you to keep criminals from reading your taxes), just like you can use a gun as a tool (to hunt deer, or some other game). You can also just have it, for the simple reason that you’re a free man and you can. Do I actually think I need to be able to encrypt my emails such that no other soul on the earth can read them? Well, no, but does anyone really need (insert your favorite slightly controversial weapon)? Maybe not (I don’t know what you picked, and that’s not what this article’s about anyway), but people have it/them because they can. Finally, in the unlikely scenario that the world as we know it falls apart, secure communication may come in handy. Well… Personally, I’d take the gun in that situation… but that’s not the point.

Practically speaking, I can now securely store sensitive documents so that only I can read them. Also, if by some freak accident, I end up writing a piece of software that becomes popular, I can sign the source code so people know it’s from me. And also, if I needed to talk to someone about my bank account number or something, and they had a GPG key, we could communicate securely.

About my key

I generated my key on my laptop, and I’ve uploaded it to a few different places. Its “fingerprint”, a short set of numbers that uniquely identifies it, is 8BCF 4423 CBAF 7F6C 60E3 BBA0 3238 40E9 FC31 AFAA. You can use it to verify that the key you have is really mine, and not fake.

I’ve uploaded it to some GPG keyservers, and to Keybase here: https://keybase.io/chainsaw10/

Keybase

So you might have seen a social media post about “verifying myself” or something like that. That has to do with Keybase (link above ^^^).

Keybase is a company that’s trying to make cryptography possible for less extremely technical people. They’ve done a decent job, and it’s pretty cool. The only negative comment I have at the moment is that you should NEVER under ANY circumstances upload your private key somewhere you don’t control, even in encrypted form. They offer a feature that allows just that, so I’d recommend against using it. Otherwise, it’s cool to see someone trying to make cryptography a bit more friendly. Hopefully they can succeed in a way that doesn’t force them to ruin their serviceĀ (through really ugly ads or something) in the process.

So Keybase’s idea is that you prove that you control various online accounts, and if people know you there, they can personally verify those proofs and have some level of assurance that your keys belong to you. It’s an interesting concept; I’m interested to see how it works out.

More-Technical Details

(Most of the following information will probably only be relevant to people that know what to do with it.)

GPG key fingerprint: 8BCF 4423 CBAF 7F6C 60E3 BBA0 3238 40E9 FC31 AFAA

Download link: https://zackorndorff.com/downloads/zack.public.gpg-key (Or get it from your favorite keyserver)

It’s 4096 bit RSA, with two subkeys so the main key can be kept nominally offline, as explained here.

Categories: security

Tags: cryptography gpg