How To: GPG + SSH Keys for the Homelab
Security
Security is fundamental, and even more important nowadays.
We'll be using the *25519 algorithm(s) to create these kinds of secure keys:
You can use these patterns for each email + host/device combo you want.
GPG
Uses:
- Certifying
- Signing
- Encrypting
- Authentication
I mostly use user-related GPG keys for signing my git commits, my Tombs, pass-tombs, and my Passwords.
You'll want them password-protected, so be sure to have some sort of password manager to store their very strong passwords.
Remember that you may have to fall back to manual entry for the password.
Create and view a GPG key:
    ❯ gpg --quick-generate-key "identity <identity@email.com>" ed25519 cert 0
    # View ID of generated key
    ❯ gpg --list-secret-keys --keyid-format long
You should see something similar to this test key:
    ❯ gpg --list-secret-keys --keyid-format long
    [keyboxd]
    ---------
    sec   ed25519/A08C3F04627E4549 2026-04-12 [C]
          D71F7DB16357786262FEB590A08C3F04627E4549
    uid                 [ultimate] identity <identity@email.com>
We'll create subkeys next, one for each of the remaining uses listed above.
    # Subkey for Signing
    ❯ gpg --quick-add-key D71F7DB16357786262FEB590A08C3F04627E4549 ed25519 sign 0
    # Subkey for Encryption
    # NOTE: this one uses **cv**25519
    ❯ gpg --quick-add-key D71F7DB16357786262FEB590A08C3F04627E4549 cv25519 encr 0
    # Subkey for Authentication
    ❯ gpg --quick-add-key D71F7DB16357786262FEB590A08C3F04627E4549 ed25519 auth 0
You should now see multiple entries for that new key:
    ❯ gpg --list-secret-keys --keyid-format long
    [keyboxd]
    ---------
    sec   ed25519/A08C3F04627E4549 2026-04-12 [C]
          D71F7DB16357786262FEB590A08C3F04627E4549
    uid                 [ultimate] identity <identity@email.com>
    ssb   ed25519/2C6FFA17AC312744 2026-04-12 [S]
    ssb   cv25519/694D71779DE77387 2026-04-12 [E]
    ssb   ed25519/3DDD6F8BE5B76371 2026-04-12 [A]
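The layout above (certify-only primary, one subkey per use, everything on a *25519 curve) can be checked mechanically from gpg's machine-readable `--with-colons` output instead of by eye. This is an added example, not part of the original post: the function name `check_key_layout` is hypothetical, and the sample records are constructed (key IDs taken from the listing above, other fields made up) so the script runs without a keyring.

```shell
#!/bin/sh
# Added example: audit key layout from `gpg --with-colons` records on stdin.
# Real use: gpg --list-secret-keys --with-colons <FINGERPRINT> | check_key_layout
check_key_layout() {
  awk -F: '
    function bad(msg) { print "FAIL: " msg; rc = 1 }
    function curve(id, name) {      # field 17 (curve) is empty for RSA/DSA keys
      if (name !~ /25519$/) bad("key " id " is not on a *25519 curve")
    }
    $1 == "sec" || $1 == "pub" {
      own = $12; gsub(/[A-Z]/, "", own)   # lower-case letters = primary itself
      if (own != "c") bad("primary " $5 " has usage [" own "], want [c] only")
      curve($5, $17)
    }
    ($1 == "ssb" || $1 == "sub") && $2 !~ /^[re]$/ {   # skip revoked/expired
      for (i = 1; i <= length($12); i++) seen[substr($12, i, 1)] = 1
      curve($5, $17)
    }
    END {
      n = split("s e a", want, " ")
      for (i = 1; i <= n; i++)
        if (!(want[i] in seen)) bad("no live subkey with usage [" want[i] "]")
      if (!rc) print "OK: certify-only primary, s/e/a subkeys, all *25519"
      exit rc + 0
    }'
}

# Constructed records: key IDs from the listing above, other fields made up.
GOOD_KEY='sec:u:255:22:A08C3F04627E4549:1775952000:::u:::cSEA:::+::ed25519:::0:
fpr:::::::::D71F7DB16357786262FEB590A08C3F04627E4549:
ssb:u:255:22:2C6FFA17AC312744:1775952000::::::s:::+::ed25519::
ssb:u:255:18:694D71779DE77387:1775952000::::::e:::+::cv25519::
ssb:u:255:22:3DDD6F8BE5B76371:1775952000::::::a:::+::ed25519::'

# Constructed counter-example: RSA primary that also signs, one [e] subkey.
BAD_KEY='sec:u:3072:1:0000000000000001:1775952000:::u:::scESC:::+::::::0:
ssb:u:3072:1:0000000000000002:1775952000::::::e:::+::::'

printf '%s\n' "$GOOD_KEY" | check_key_layout
printf '%s\n' "$BAD_KEY" | check_key_layout || echo "layout check failed"
```

The function returns non-zero on any finding, so it can gate a backup or provisioning script.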
You can find out how to back up/restore and export/import keys in these articles, respectively:
- https://www.howtogeek.com/816878/how-to-back-up-and-restore-gpg-keys-on-linux/
- https://www.gnupg.org/gph/en/manual/x56.html
SSH
Most people should be familiar with these on their end-devices, but I still see a lot of RSA in examples.
We're going to use ed25519:
    # Create the password-protected root keypair
    ❯ ssh-keygen -t ed25519 -C identity@email.com -f ~/.ssh/root
Summary
We'll use these throughout future posts.
If you plan on using these in your homelab, be sure to keep the passwords and keys in your password manager, and back them up to a thumbdrive and lock the thumbdrive away.
You did it, yay!
