Let's talk GnuPG Materials

gpg.conf

# Based on:
# - https://www.gnupg.org/faq/gnupg-faq.html
# - https://raw.githubusercontent.com/ioerror/duraconf/master/configs/gnupg/gpg.conf

# If you have more than 1 secret key in your keyring, you may want to
# uncomment the following option and set your preferred keyid.

# default-key KEYID

# If you do not pass a recipient to gpg, it will ask for one.  Using
# this option you can encrypt to a default key.  Key validation will
# not be done in this case.  The second form uses the default key as
# default recipient.

#default-recipient some-user-id
#default-recipient-self

#-----------------------------
# behavior
#-----------------------------

no-greeting

# Disable inclusion of the version string in ASCII armored output
no-emit-version

# Disable comment string in clear text signatures and ASCII armored messages
no-comments

# Display long key IDs
keyid-format long

# List all keys (or the specified ones) along with their fingerprints
with-fingerprint

# Display the calculated validity of user IDs during key listings
list-options show-uid-validity
verify-options show-uid-validity

# Try to use the GnuPG-Agent. With this option, GnuPG first tries to connect to
# the agent before it asks for a passphrase.
use-agent

# When verifying a signature made from a subkey, ensure that the cross
# certification "back signature" on the subkey is present and valid.
# This protects against a subtle attack against subkeys that can sign.
# Defaults to --no-require-cross-certification.  However for new
# installations it should be enabled.

require-cross-certification

keyserver eu.pool.sks-keyservers.net
keyserver-options auto-key-retrieve import-clean-sigs import-clean-uids export-clean-sigs export-clean-uids

#-----------------------------
# algorithm and ciphers
#-----------------------------

# list of personal digest preferences. When multiple digests are supported by
# all recipients, choose the strongest one
personal-cipher-preferences AES256 AES192 AES CAST5

# list of personal digest preferences. When multiple ciphers are supported by
# all recipients, choose the strongest one
personal-digest-preferences SHA512 SHA384 SHA256 SHA224

# message digest algorithm used when signing a key
cert-digest-algo SHA512

# This preference list is used for new keys and becomes the default for
# "setpref" in the edit menu
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

other.md

GnuPG keys:

• https://alexcabal.com/creating-the-perfect-gpg-keypair/
• https://www.gnupg.org/faq/gnupg-faq.html
• https://wiki.debian.org/Subkeys

Use GnuPG for SSH:

• https://linode.com/docs/security/authentication/gpg-key-for-ssh-authentication/
• https://incenp.org/notes/2015/gnupg-for-ssh-authentication.html
• https://www.hanselman.com/blog/DecodingAnSSHKeyFromPEMToBASE64ToHEXToASN1ToPrimeDecimalNumbers.aspx

Versioning secrets:

• https://github.com/StackExchange/blackbox

Password management with GnuPG:

• https://github.com/gopasspw/gopass

rsa-key-length.md

• https://gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096
• https://certsimple.com/blog/measuring-ssl-rsa-keys
• https://www.yubico.com/2015/02/key-size-matter-cryptography/
• https://www.keylength.com/

sign-me.sh

gpg --keyserver eu.pool.sks-keyservers.net \
      --recv-keys '8AAE 1D53 A580 CD38 DA2E  2F89 A232 B103 FA89 6824'
gpg --sign-key '8AAE 1D53 A580 CD38 DA2E  2F89 A232 B103 FA89 6824'
gpg --keyserver eu.pool.sks-keyservers.net \
      --send-keys '8AAE 1D53 A580 CD38 DA2E  2F89 A232 B103 FA89 6824'