Security

For any developer, there are two common security keys; SSH keys and PGP keys. These are quick notes on the 2 to cut through the noise.

PGP

PGP is the standard, it has an RFC. Don't confuse it with GPG or GnuPG which is an implementation of PGP. GnuPG commands will be used a lot below.

The easiest way to generate a key is:

export IDENTITY_EMAIL=user@example.com
export ENC_TYPE=ed25519  # rsa4096 is okay
export LENGTH=2y  # good default, change to suit your security needs
export USAGE=sign # maybe can change this (like to have the encryption key be the same, but sign is the default

# this will prompt for an optional passphrase, it can be left blank.
gpg --yes --quick-generate-key $IDENTITY_EMAIL $ENC_TYPE $USAGE $LENGTH

# only works with a brand new keystore, otherwise the tail/head lines will be off.
export FINGERPRINT=$(gpg -k | tail -3 | head -1 | xargs echo)

# creates an encryption sub key
gpg --yes --quick-add-key $FINGERPRINT $ENC_TYPE

# export the public key to a shareable format.
# if you need to export the private key, change `--export` to `--export-secret-keys`
gpg --export --export-options backup --armor --output ~/$IDENTITY_EMAIL.public.key $FINGERPRINT

After running these commands, the raw key data will be in ~/.gnupg, but this can be changed.

# individual command
gpg --homedir /somewhere/else/.gnupg

# all commands
export GNUPGHOME=/somewhere/else/.gnupg

Testing PGP Functions

# encrypt
echo "test message string" | gpg --encrypt --armor --recipient $FINGERPRINT -o encrypted.txt

# decrypt, the yubikey must be inserted, you'll need to enter the PIN.
gpg --decrypt --armor encrypted.txt

# sign, you need yubikey and PIN.
echo "test message string" | gpg --armor --clearsign > signed.txt

# verify
gpg --verify signed.txt

SSH

SSH keys are separate and typically used for connecting to other servers to issue commands or copy files.

export IDENTITY_EMAIL=user@example.com
export ENC_TYPE=ed25519

ssh-keygen -t $ENC_TYPE -f ~/.ssh/${IDENTITY_EMAIL}_id_ed25519 -C $IDENTITY_EMAIL

# or RSA for older servers
ssh-keygen -t rsa -b 4096 -f $KEY_NAME -C $KEY_NAME

Alternatives?

There is some agreement in communities that PGP has footguns and can be painful to deal with. But it is still the industry standard. A viable alternative doesn't exist, yet.

However, progress is being made in areas. Modern encryption solutions like age are gaining popularity and may become viable one day. It seems to fit most use cases I come across where I need to reach for PGP. But as the age author has pointed out, it doesn't do everything (only fair to say, it was never the author's intent for age to do everything).