Ditching GPG

I've been a user of GPG for over a decade if I recall. Been through some trials and tribulations with keychain issues (admittedly mostly PEBKAC) and even switched to using a hardware token for storing my keys on to increase security.

The issue is, the folk I am primarily in contact with don't use GPG. One friend maintains a keychain himself but our communications are over Telegram for the most part. I have had more encrypted emails from Facebook than all other contacts put together. Say what you will about other communications systems and their cryptography (or lack thereof) but they just get out of the way and let me get my messages out to people.

So I am thinking I will ditch the use of GPG. I see no utility in keeping a keychain up to date with subkeys and expiries and moving things to the token etc for one person I don't communicate with on that medium.

If anyone has a really good reason for me to expend effort in maintaining my keychain then please contact me, ideally using GPG. Otherwise I will likely revoke my keys some point this week.


Something went wrong with my gpg keychain.

Needless to say I have completely regenerated my keychain and moved the subkeys to a smartcard for increased security. New public key (fingerprint: 116D B25C A5C4 73C5 3262 BEDC 8322 D167 9829 59BF) is in the same place as always.

Now to resume the regular flow of nobody using gpg to encrypt emails to me.



Updated GPG Public Key

Just a quick note to say my GPG public key has been updated. Same fingerprint and key ID but I added an authentication subkey.

Also, I am in the process of migrating to a hardware token for increased security so my keychain will be completely regenerated at some point, once I have ironed out all the kinks and done some more research. Will keep you posted.


Cryptographic ID

A couple days ago, Peter posted about having a record of cryptographic information that folk can use to verify that he is who they think they are communicating with. I thought this was a good idea and set about creating my own record.

The idea is broadly similar to Keybase but doing it this way means I am not relying on their system for providing verification. It does mean that there is less automation involved but it should be workable for everyone who uses GPG/PGP.

For the record, my current GPG key setup is less than ideal. The private key is held on my daily use machine which is not the most secure method. I have ordered a set of smart cards and a USB reader and I will regenerate my keys to be used on them on an air-gapped computer, likely running Libreboot. When this happens, I will update the id file with my new public key fingerprint and also sign the file as before.


I fail at subkeys

My buddy Scott and myself have been trying to get his GPG system set up. Signing to him works, he can sign mails to me, I can encrypt mail to him. He can't send encrypted mails to me.

Long story short, my encryption subkey expired a few months ago. In my defence, "expires" and "expired" look bloody similar in a monospaced font on a terminal. I've extended the expiry date.
Grab my updated key here or do gpg --recv-keys BAF45865 to update.