# PGP
If you are reading this, you have taken the first step towards encryption self-righteousness. The steps below are my preferred method for configuration after years of suffering through alternative, more archaic/byzantine steps.
Note: if you already have a PGP key, skip to step 4. Second note: I know UNIX best, so I’m not going to embarrass myself by attempting to write a Windows guide. The good people over at the EFF have your back: How to: Use PGP for Windows | Surveillance Self-Defense
[A point of clarification: PGP stands for Pretty Good Privacy and is the original underlying protocol; GPG stands for GNU Privacy Guard and is an open-source program that is compliant with PGP. The two acronyms are often used interchangeably.]
1. Download your GPG client
2. Create a public/private key pair
   - Open GPG Keychain
   - Click New Key and enter your email address [I associate all of my known addresses; they can be added later on if needed]
   - I’d strongly recommend setting a passphrase. [This means that if anyone gets your private key, they wouldn’t be able to decrypt or sign anything with it without the passphrase.]
   - Store the passphrase in a password manager.
   - Set the length to the longest possible (4096)
   - Set an expiration date
3. Send your public key to a keyserver [so that your teammates/friends/confidants can retrieve it]
   - Within GPG Keychain, highlight your key pair in the menu, then go to Key > Send Public Key to Key Server
4. Upload your public key to your GitHub account: Add GPG Key · GitHub
5. Set up GPG signing by default for commits: How to set up git to use the GPG Suite · GitHub
   - ^ This is a great guide, and the one I followed initially. The `pinentry-program` setting is there to save your passphrase so you don’t have to re-enter it on every commit. This is optional.
   - A bit more about signing commits: Signing commits with GPG - User Documentation
   - [Note: I have git aliases set up in bash, so that `$ gc` is `$ git commit -S`, so that everything is signed by default.]
6. Verify that commits have been signed in a repo
   - This can be done in the GitHub interface or via the command line with:
     `$ git log --show-signature`
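As an added example (not from the original post), here is a small POSIX shell audit for step 6 that works on the machine-readable output of `git log --pretty='%H %G?'` instead of eyeballing `--show-signature`; the commit hashes in the sample log are constructed, and `KEYID` in the config comment is a placeholder for your own key ID.

```shell
#!/bin/sh
# Added example: flag commits whose GPG signature is missing or not
# verifiably good. Input is one commit per line, "<hash> <status>", as
# printed by:  git log --pretty='%H %G?' <branch>
# %G? codes: G good; U good but key untrusted; X/Y/R good but key
# expired or revoked; B bad signature; E cannot be checked; N unsigned.

# Prints one line per commit that needs attention.
# Returns 0 when every commit has a good, trusted signature, else 1.
audit_signatures() {
    bad=0
    while read -r hash status; do
        [ -z "$hash" ] && continue
        case "$status" in
            G) ;;
            U)     echo "$hash: good signature, but key is not trusted"; bad=1 ;;
            X|Y|R) echo "$hash: good signature, but key expired/revoked"; bad=1 ;;
            B)     echo "$hash: BAD signature"; bad=1 ;;
            E)     echo "$hash: signature cannot be checked (key missing?)"; bad=1 ;;
            N)     echo "$hash: unsigned"; bad=1 ;;
            *)     echo "$hash: unknown status '$status'"; bad=1 ;;
        esac
    done
    return $bad
}

# Constructed sample log (made-up hashes) standing in for real git output.
SAMPLE_LOG='0000000000000000000000000000000000000001 G
0000000000000000000000000000000000000002 N
0000000000000000000000000000000000000003 U
0000000000000000000000000000000000000004 G'

# Real use inside a repository, e.g. before merging a branch:
#   git log --pretty='%H %G?' origin/main..feature | audit_signatures
#
# The git settings that make signing the default (step 5), for reference:
#   git config --global user.signingkey KEYID   # KEYID: your key, placeholder
#   git config --global commit.gpgsign true
```

Exit status 1 with the offending hashes on stdout makes the function usable as a CI gate as well as an interactive check.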