Putting my gpg key on my yubikey
Why GPG?
In an age where digital identities are easily faked and impersonation is just a few clicks away, I decided to take a step forward in securing mine. GPG (GNU Privacy Guard) provides a robust way to authenticate, encrypt, and sign digital content. In this post, I’ll walk you through how I:
- Created a GPG key pair
- Set up subkeys and stored them on my YubiKey
- Published my public key on my website
- Signed and encrypted personal documents for secure public sharing
- Configured email signing using GPG
Step 1: Installing GPG
To start, I made sure GPG was installed. Here’s how I did it on each of my systems:
On Ubuntu/Debian:
sudo apt update && sudo apt install gnupg
On Fedora 40:
sudo dnf install gnupg2
On OpenBSD 7.6:
doas pkg_add gnupg
Check your installation:
gpg --version
Step 2: Creating My GPG Key Pair
I created a new key using:
gpg --full-generate-key
Here’s what I chose:
- Key type: ed25519 (modern and compact) or RSA and RSA (widely compatible)
- Key length: 4096 bits (if RSA)
- Expiration: 2 years (I can always renew)
- My real name or handle
- My preferred contact email
- A strong passphrase, saved in a password manager
After generating the key, I listed it and saved the fingerprint:
gpg --list-keys --fingerprint
gpg: "Trust-DB" wird überprüft
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: Tiefe: 0 gültig: 1 signiert: 0 Vertrauen: 0-, 0q, 0n, 0m, 0f, 1u
gpg: nächste "Trust-DB"-Pflichtüberprüfung am 2026-08-04
[keyboxd]
---------
pub ed25519 2025-08-04 [SC] [verfällt: 2026-08-04]
A371 9309 4ED4 B0E6 AD2E 5022 D7D6 4842 8DBD 39FD
uid [ ultimativ ] Dirk.L (Dirk.L's official key) <polymathmonkey@keksmafia.org>
Step 3: Creating Subkeys and Moving Them to My YubiKey
I created subkeys for:
- Signing
- Encryption
- Authentication
Then, I moved the subkeys to my YubiKey using GPG’s interactive editor:
gpg --edit-key Dirk.L
gpg> addkey    # run once each for signing, encryption and authentication
gpg> keytocard
gpg> save
⚠️ Be cautious: Once moved to the YubiKey, the subkey no longer exists on disk.
More guidance: YubiKey + GPG official instructions
Step 4: Publishing My Public Key
I exported my key in ASCII format so others could import it easily:
gpg --export --armor you@example.com > publickey.asc
I uploaded publickey.asc to my website and linked it like this:
<a href="/publickey.asc">🔑 Download my GPG public key</a>
Additionally, I displayed my key’s fingerprint on the page so that people can verify its authenticity manually.
Step 5: Email Signing and Encryption
I configured email signing using my GPG key.
For Thunderbird (Linux, OpenBSD, Windows):
- OpenPGP support is built-in.
- I enabled signing for all outgoing mail.
- The key lives on the YubiKey, so no key is stored on disk.
For Mutt / CLI mailers:
- I used `gpg-agent` for passphrase and key handling.
- Configured `.muttrc` to sign and/or encrypt automatically.
Signing ensures message authenticity. If recipients have my key, they can encrypt replies.
Step 6: Signing and Encrypting Documents for the Public
To safely share personal certificates and private files, I signed and optionally encrypted them:
# Sign only (adds signature block)
gpg --sign --armor diploma.pdf
# Sign and encrypt with a password (no public key needed)
gpg --sign --symmetric --armor --cipher-algo AES256 diploma.pdf
This way, the document is verifiably mine and only decryptable with the shared password.
The encrypted .asc files can be uploaded to the website, with instructions for downloading and decrypting.
Step 7: Offline Backup of My Master Key
Before moving entirely to the YubiKey, I backed up the master key offline:
gpg --export-secret-keys --armor > masterkey-backup.asc
I stored it on an encrypted USB drive with either one:
- LUKS (on Linux)
- OpenBSD softraid(4) encryption
Conclusion
Rolling out GPG was super easy. With my identity cryptographically verifiable, email signing in place, and secure document sharing live on my site, I now have a strong, decentralized identity system.