
An Advanced Intro to GnuPG - sr2
https://begriffs.com/posts/2016-11-05-advanced-intro-gnupg.html
======
amingilani
I still don't understand the state of hardware tokens. Everyone hates Yubikey,
but the closest alternative available is Nitrokey which doesn't even come
close to the form factor, or support U2F in their most expensive key option.

Now I learn there's something called GnuK but Google leads me to an obscure
doc on building it yourself.

Until there are better options out there, I guess I'll stick to my Yubikey NEO.

~~~
travisby
After going back and forth on whether I wanted a Yubikey, I finally decided I
didn't want to support them due to the closed sourceness.

I bought an Open PGP Card instead!
[https://www.g10code.com/p-card.html](https://www.g10code.com/p-card.html)

You still have to buy your own card reader, and any card readers on the market
aren't as small as the Yubikey... but it's a fantastic device and I love mine
to death.

Note: the yubikey actually uses the open pgp card inside of it (where the
actual implementation from the chip supplier is hardware-closed-source,
although the reference architecture is open). The nitrokey too. They
technically all have closed source with the BasicCard that runs inside them!
With that in mind, the secret sauce of the yubikey is also closed source, whereas
there's no secret sauce around your OpenPGP Card to be closed source.

~~~
simias
That's sound advice but I'd like to point out that this Open PGP card appears
to only support 2048-bit keys while some (but not all!) yubikeys and nitrokeys
support 4096-bit.

I suppose nowadays 2048-bit is more than enough but I like the extra safety and
"future-proofness" of a 4096-bit key.

~~~
travisby
I'm definitely with you, and don't advocate for 2048 bit keys anymore. That
being said...

The older versions of the card only supported 2048-bit keys. The 2.0 version
and above support 4096 :)

I personally generated my RSA 4096-bit key on the card!

------
ghostDancer
GnuPG Fundraising Rally [https://gnupg.org/donate/](https://gnupg.org/donate/)

------
confounded
GPG is still incredibly useful for me, if only for SSH keys on a YubiKey smart
card. I need to get better at code signing on FOSS projects.

~~~
adisbladis
Actually, it's very easy if you use git: just 2 lines of config.

    # <your_key_id> is the key ID or fingerprint of the OpenPGP signing (sub)key
    git config --global user.signingkey <your_key_id>
    git config --global commit.gpgsign true

~~~
brians
That's not the hard part. The hard part is getting keys moved around, expiry
updated, subkeys handled—maybe having one key on the Yubikey helps with this,
but I think subkey expiration is still going to be a problem.
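
An added example (not code from the thread, nor git's or GnuPG's own) that takes the two config lines above one step further and addresses the subkey-expiry point: it signs a commit with a dedicated, expiring signing subkey pinned with the `!` suffix, verifies the commit, and reads back the expiry so the key can be rotated before it lapses. It assumes `gpg` (2.1+) and `git` on PATH; the key identity and repo are throwaway values constructed in a temp dir.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes gpg (2.1+) and git on PATH.
# Creates a throwaway keyring and repo, signs a commit with an *expiring*
# signing subkey pinned via the "!" suffix, and verifies it.
set -eu

# gpg wrapper: batch mode, empty passphrase (throwaway demo key only)
g() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

demo_signed_commit() {
    work=$(mktemp -d)
    export GNUPGHOME="$work/gnupg"
    mkdir -m 700 "$GNUPGHOME"

    # certify-only primary key that never expires; constructed identity
    g --quick-gen-key "Demo <demo@example.invalid>" ed25519 cert never 2>/dev/null
    primary=$(gpg --with-colons --list-secret-keys 2>/dev/null |
        awk -F: '$1=="fpr"{print $10; exit}')

    # signing subkey that expires in 30 days: this is the key git will use
    g --quick-add-key "$primary" ed25519 sign 30d 2>/dev/null
    subkey=$(gpg --with-colons --list-secret-keys 2>/dev/null |
        awk -F: '$1=="ssb"{s=1} $1=="fpr" && s {print $10; exit}')

    repo="$work/repo"
    git init -q "$repo"
    git -C "$repo" config user.name  "Demo"
    git -C "$repo" config user.email "demo@example.invalid"
    # the "!" suffix pins this exact subkey instead of letting gpg pick one
    git -C "$repo" config user.signingkey "${subkey}!"
    git -C "$repo" config commit.gpgsign true

    echo "hello" > "$repo/README"
    git -C "$repo" add README
    git -C "$repo" commit -q -m "signed commit"

    # verify-commit exits non-zero if the signature is bad or the key unknown
    git -C "$repo" verify-commit HEAD >/dev/null 2>&1

    # expiry of the subkey as epoch seconds: rotate before it lapses
    # (gpg --quick-set-expire extends it without changing the fingerprint)
    expires=$(gpg --with-colons --list-keys "$subkey" 2>/dev/null |
        awk -F: '$1=="sub"{print $7; exit}')

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    printf '%s %s\n' "$subkey" "$expires"   # "<40-hex fingerprint> <epoch>"
}

command -v gpg >/dev/null && command -v git >/dev/null && demo_signed_commit
```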

~~~
confounded
Yup. By signing releases / commits with a particular key you're committing to
maintaining possession and security of the key over the long term. For someone
that loses their house key about 3 times a year, this is a big deal!

------
LordKano
I'd like to see more of this covered in beginning legal CS and IS education.

------
Xophmeister
Is GPGME, mentioned in this video, now libgcrypt, or is that something
different?

------
0xADADA
I thought GnuPG was so last year?

