Also updated my work OpenPGP/GPG keys to ECC.
I've had GPG keys since 1998.
One day, I will get an encrypted message...
One day...
Retiring the RSA-version of my OpenPGP/GnuPG key, to be replaced by ECC. Just need to do some CLI trimming on my keyring. :)
@eibart For use cases like that I use @nextcloud - with self-hosting you also know where the data is.
With services such as WeTransfer, *always* encrypt the data. #GnuPG is well suited for that. Then their AI simply learns from PGP-encrypted data.
New blog article: "Using a second #OpenPGP card for my primary key"
https://openpgp.foo/posts/2025-07-a-second-card/
This is a rather niche article, but I hope it will still contain some bits of interest for at least some readers.
In it, I import my primary OpenPGP key onto a second OpenPGP card hardware device, and use the device to issue a third-party certification with rsop-oct.
I also outline some background and tradeoffs around different OpenPGP card setups.
I just released version 0.1.3 of rsop-oct, a stateless #OpenPGP ("SOP") CLI tool for use with OpenPGP card hardware devices:
https://crates.io/crates/rsop-oct/
Like its sibling project #rsop, rsop-oct is based on @rpgp
This update adds support for the SOP command 'certify-userid'.
This allows issuing certifications (aka "third-party signatures") over identities in other people's OpenPGP certificates, directly with an OpenPGP card device.
For more on #SOP, see https://datatracker.ietf.org/doc/draft-dkg-openpgp-stateless-cli/
Just wanted to set up #PGP encryption for my mails again (after years). Now #Thunderbird has #GNUPG built in these days and it all looks really nice, but what irritates me as an old #Enigmail user is the thing with the (missing) passphrase. As I understand it, it is replaced (for all mail accounts!?) by the Thunderbird master password. So far so meh... But I would also like to keep reading my mails on my phone (#K9). There is an add-on for that, as far as I have seen, but is the master password also my passphrase there? Thanks in advance for any tips...
Oh and with #encryption I mean the gritty #DIY stuff. So don’t rely on the encrypted backup option baked in your favorite app or (mobile) OS.
If you don’t own it, you are being owned.
#GPG (or #GnuPG) using elliptic curve factorization is your friend!
In the (hopefully near) future post-quantum encryption #pqe will be available in some form. Although this tech was anticipated to arrive years ago… so what’s keeping it.
I just learned that when encrypting email with PGP, the subject line of the email is NOT encrypted. Two things about this fascinate me:
- what a glaring oversight. How did anyone ever think that not encrypting the subject line was a good idea?
- why is this not more commonly known? I feel like every guide on how to use PGP for email should be screaming from the rooftops: "TAKE NOTE THAT THE SUBJECT LINE OF YOUR EMAILS IS NOT ENCRYPTED". Instead, I just found it deep in the details of one such guide. Many guides (yes, I checked several) don't include this information at all.
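To make the point concrete, here is an added Python example (not from the post above) that builds a PGP/MIME message the way mail clients do, with the real OpenPGP encryption step replaced by a constructed, insecure placeholder so it runs offline. It shows that Subject stays in the outer, unencrypted headers, and the "protected headers" workaround some clients use, where the real Subject is placed inside the encrypted part and the outer one is replaced with "...". The addresses and subject are constructed.

```python
import base64
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

ARMOR_BEGIN, ARMOR_END = "-----BEGIN PGP MESSAGE-----", "-----END PGP MESSAGE-----"

def fake_encrypt(plaintext: bytes) -> str:
    """Constructed stand-in for the OpenPGP encryption step (NOT secure);
    a real sender would hand the inner MIME entity to gpg/rsop here."""
    return f"{ARMOR_BEGIN}\n\n{base64.b64encode(plaintext).decode()}\n{ARMOR_END}\n"

def fake_decrypt(armored: bytes) -> bytes:
    lines = [l for l in armored.decode().splitlines() if l and not l.startswith("-----")]
    return base64.b64decode("".join(lines))

def build_pgp_mime(sender, recipient, subject, body, protect_subject=False):
    """Wrap a text body in a PGP/MIME (RFC 3156) multipart/encrypted message."""
    inner = MIMEText(body, "plain", "utf-8")       # only this entity gets encrypted
    if protect_subject:
        inner["Subject"] = subject                 # real subject travels inside the ciphertext
    outer = MIMEMultipart("encrypted", protocol="application/pgp-encrypted")
    outer["From"], outer["To"] = sender, recipient
    # Outer headers are plain RFC 5322 headers: every relay and mailbox server reads them.
    outer["Subject"] = "..." if protect_subject else subject
    outer.attach(MIMEApplication(b"Version: 1\n", "pgp-encrypted"))
    outer.attach(MIMEApplication(fake_encrypt(inner.as_bytes()).encode(), "octet-stream"))
    return outer

def cleartext_headers(msg) -> dict:
    """Everything an intermediary can read without the recipient's key."""
    return {k: v for k, v in msg.items() if not k.lower().startswith(("content-", "mime-"))}

def recover_inner(msg):
    """Recipient side: decrypt the second body part and parse the inner entity."""
    armored = msg.get_payload()[1].get_payload(decode=True)
    return message_from_bytes(fake_decrypt(armored))

if __name__ == "__main__":
    for protect in (False, True):
        m = build_pgp_mime("alice@example.org", "bob@example.org", "Q3 budget cuts", "see below", protect)
        print("protected" if protect else "plain", cleartext_headers(m))
```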
I'm trying to use #GnuPG and it's so bad that I just have to rant about it. I usually try not to rant because it isn't constructive but I have to let it out.
First try, the default method to generate keys fails, because some mysterious gnupg agent isn't running. Googling. Okay gotta start this agent. Ah, agent starting fails because some config option in the .gnupg folder is wrong. Manually delete the .gnupg folder. Ok now the agent seems to start but creating keys still fails "no such file or directory". Manually creating the .gnupg folder. Now it fails again. Figure out that now the gnupg agent is unhappy. Restart agent. Finally manage to create keys. Try to import my key to thunderbird, but how many keys are there in my private key folder? 2! Why? Who the hell knows.
I just released version 0.7.1 of #rsop, a stateless #OpenPGP ("SOP") CLI tool based on @rpgp:
https://crates.io/crates/rsop/
This version adds support for the "merge-certs" SOP command, which consolidates multiple versions of a certificate into a unified aggregate view.
For more on #SOP, see https://datatracker.ietf.org/doc/draft-dkg-openpgp-stateless-cli/
#GnuPG v2.5.8 is for those that are using 2.5.7 - as it fixes a regression and improves on little things.
(2.5.x is a "public testing release series" and comes with a post-quantum cryptography encryption algorithm.)
gpg -v --auto-key-locate=clear,wkd,nodefault --locate-key postfach@domain.tld
Source: see https://wiki.gnupg.org/WKS
@stefan @fasnix @Tutanota @mailbox_org @delta @lennybacon
But quite apart from that,... with #OpenPGP ( #GnuPG ) we are talking about an open standard and Free Software.
Does GnuPG in parentheses mean LibrePGP? I didn't know that was open to third-party contributions
@ber @fasnix @Tutanota @mailbox_org @delta @lennybacon
#OpenPGP must not disappear. But I will switch to #SequoiaPGP as soon as it supports smartcards out of the box.
With #GnuPG I no longer feel comfortable after LibrePGP&RFC9580.
I also don't like GnuPG's approach to DANE, because an RFC (even if it is experimental) was not implemented completely. Then one shouldn't start implementing DANE in GnuPG at all, or at least mark the implementation as incomplete in the man page:
The DNS answer MUST pass DNSSEC validation; if DNSSEC validation reaches any state other than "Secure" (as specified in [RFC4035]), the DNSSEC validation MUST be treated as a failure.
Source: https://datatracker.ietf.org/doc/html/rfc7929#section-5
Sequoia PGP at least did not implement DANE half-baked:
https://gitlab.com/sequoia-pgp/sequoia/-/blob/0b60b92482f3ea183385a9cf4751a1aca46457ea/net/src/dane.rs#L52-53