<!--
.. title: How To: GPG + SSH Keys for the Homelab
.. slug: how-to-gpg-+-ssh-keys-for-the-homelab
.. date: 2026-04-11 20:01:53-05:00
.. tags: homelab, gpg, ssh
.. category: homelab
.. link: 
.. description: How to create password-protected GPG + SSH Keys for use in your Homelab
.. type: text
-->

## Security

Security is fundamental, and even more important nowadays.

We'll be using the [\*25519][25519] algorithm(s) to create these kinds of secure keys:

- [GPG]
- [SSH]

You can use these patterns for each email + host/device combo you want.
<br/>

<!-- TEASER_END -->

<br/>

## GPG

**Uses:**

- Certifying
- Signing
- Encrypting
- Authentication

I mostly use user-related GPG keys for [signing my git commits][my-git-commits], my [Tomb]s, [pass-tomb]s, and my [Password][pass]s.

You'll want them password-protected, so be sure to have some sort of password manager to store their very strong passwords.

Remember that you may have to fall back to manual entry for the password.

Create and view a GPG key:

```bash
❯ gpg --quick-generate-key "identity <identity@email.com>" ed25519 cert 0

# View ID of generated key
❯ gpg --list-secret-keys --keyid-format long
```

You should see something similar to this ***test key***:

```bash
❯ gpg --list-secret-keys --keyid-format long
[keyboxd]
---------
sec   ed25519/A08C3F04627E4549 2026-04-12 [C]
      D71F7DB16357786262FEB590A08C3F04627E4549
uid                 [ultimate] identity <identity@email.com>
```

Next, we'll create [Subkeys][gpg-subkeys], each with one of the **Uses** listed above.

```bash
# Subkey for Signing
❯ gpg --quick-add-key D71F7DB16357786262FEB590A08C3F04627E4549 ed25519 sign 0

# Subkey for Encryption
# NOTE: this one uses **cv**25519
❯ gpg --quick-add-key D71F7DB16357786262FEB590A08C3F04627E4549 cv25519 encr 0

# Subkey for Authentication
❯ gpg --quick-add-key D71F7DB16357786262FEB590A08C3F04627E4549 ed25519 auth 0
```

You should now see multiple entries for that new key:

```bash
❯ gpg --list-secret-keys --keyid-format long
[keyboxd]
---------
sec   ed25519/A08C3F04627E4549 2026-04-12 [C]
      D71F7DB16357786262FEB590A08C3F04627E4549
uid                 [ultimate] identity <identity@email.com>
ssb   ed25519/2C6FFA17AC312744 2026-04-12 [S]
ssb   cv25519/694D71779DE77387 2026-04-12 [E]
ssb   ed25519/3DDD6F8BE5B76371 2026-04-12 [A]
```
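
A scripted version of that visual check, as an added example (not part of the original post): it reads `gpg --list-secret-keys --with-colons` records and confirms a certify-only Ed25519 primary with exactly one usable signing, encryption and authentication subkey on the expected curves. The function name and both sample listings are constructed for illustration; the field positions follow GnuPG's `doc/DETAILS`.

```bash
#!/usr/bin/env bash
# Added example: validate the primary/subkey layout from gpg's machine-readable listing.
# Real use:  gpg --list-secret-keys --with-colons <FINGERPRINT> | check_key_layout
# Colon fields used (GnuPG doc/DETAILS): 1 record type, 2 validity, 4 algo id,
# 5 key ID, 12 capabilities, 17 curve name.

check_key_layout() {  # hypothetical helper name
  awk -F: '
    function fail(msg) { print "FAIL: " msg; bad = 1 }
    $1 == "sec" {
      seen = 1
      own = $12; gsub(/[^a-z]/, "", own)  # lowercase = this key, uppercase = whole key set
      if (own != "c") fail("primary " $5 " can [" own "], expected certify only")
      if ($17 != "ed25519") fail("primary " $5 " is not ed25519 (algo id " $4 ")")
    }
    $1 == "ssb" && $2 != "r" && $2 != "e" {  # skip revoked and expired subkeys
      cap = $12
      if (cap !~ /^[sea]$/) { fail("subkey " $5 " combines capabilities [" cap "]"); next }
      count[cap]++
      want = (cap == "e") ? "cv25519" : "ed25519"
      if ($17 != want) fail("subkey " $5 " [" cap "] uses " $17 ", expected " want)
    }
    END {
      if (!seen) fail("no secret primary key in input")
      n = split("s e a", need, " ")
      for (i = 1; i <= n; i++)
        if (count[need[i]] + 0 != 1)
          fail("expected one usable [" need[i] "] subkey, found " (count[need[i]] + 0))
      if (!bad) print "OK: certify-only primary with one S, E and A subkey"
      exit bad + 0
    }'
}

# Constructed sample (sec/ssb records only), modelled on the test key above.
SAMPLE_SPLIT='sec:u:255:22:A08C3F04627E4549:1775952000:::u:::cESCA:::+::ed25519:::0:
ssb:u:255:22:2C6FFA17AC312744:1775952000::::::s:::+::ed25519::
ssb:u:255:18:694D71779DE77387:1775952000::::::e:::+::cv25519::
ssb:u:255:22:3DDD6F8BE5B76371:1775952000::::::a:::+::ed25519::'

# Constructed sample: a primary that also signs, with only an encryption subkey.
SAMPLE_COMBINED='sec:u:255:22:1111111111111111:1775952000:::u:::scESC:::+::ed25519:::0:
ssb:u:255:18:2222222222222222:1775952000::::::e:::+::cv25519::'

printf '%s\n' "$SAMPLE_SPLIT" | check_key_layout
printf '%s\n' "$SAMPLE_COMBINED" | check_key_layout || echo "layout rejected"
```

Pass a single fingerprint when running it against a real keyring, since the check assumes one primary key per listing.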

You can find out how to back up/restore and export/import keys in these articles, respectively:

- [https://www.howtogeek.com/816878/how-to-back-up-and-restore-gpg-keys-on-linux/](https://www.howtogeek.com/816878/how-to-back-up-and-restore-gpg-keys-on-linux/)
- [https://www.gnupg.org/gph/en/manual/x56.html](https://www.gnupg.org/gph/en/manual/x56.html)

<br/>

## SSH

Most people should be familiar with these on their end-devices, but I still see a lot of RSA in examples.

We're going to use `ed25519`:

```bash
# Create the password-protected root keypair
❯ ssh-keygen -t ed25519 -C identity@email.com -f ~/.ssh/root
```

## Summary

We'll use these throughout future posts.

If you plan on using these in your homelab, be sure to keep the passwords and keys in your password manager, and **back them up to a thumb drive and lock the thumb drive away**.

You did it, yay!
<br/>

[25519]: https://security.stackexchange.com/questions/50878/ecdsa-vs-ecdh-vs-ed25519-vs-curve25519
[gpg]: https://gnupg.org/index.html
[gpg-subkeys]: https://rgoulter.com/blog/posts/programming/2022-06-10-a-visual-explanation-of-gpg-subkeys.html
[my-git-commits]: https://codeberg.org/spont/yahr/commit/90d7e435cb419fbd15d5b21300fdeaf5daec9fc87ca10d708496438cb878c65f
[pass]: https://www.passwordstore.org/
[pass-tomb]: https://github.com/roddhjav/pass-tomb
[ssh]: https://en.wikipedia.org/wiki/Secure_Shell#Definition
[tomb]: https://dyne.org/docs/tomb/#get-started
