Week 3d: Key Management & Modern Alternatives

Goal

Complete your GPG mastery with key lifecycle management (rotation, revocation, backup), practical email encryption, and understanding when to use modern alternatives like age for simpler use cases.

Prerequisites: Week 3c (Key Distribution & Web of Trust)

This is Part 4 of 4 - Covers key management, email encryption, and modern alternatives.

1. Key Management: Rotation, Revocation, and Backup

Extending Key Expiration

Your key expires in 2 years. Before expiration:

# Edit key
gpg --edit-key [email protected]

# At gpg> prompt:
gpg> expire

# Follow prompts to extend expiration
# Select new expiration (e.g., +2y)
# Save changes
gpg> save

Then re-publish:

gpg --keyserver keys.openpgp.org --send-keys ABCD1234

Revoking a Compromised Key

When to revoke:

Private key stolen/compromised
Lost passphrase (can’t use key anymore)
Moving to new key
Email address no longer valid

Using revocation certificate:

# Import revocation certificate (generated during key creation)
gpg --import ~/.gnupg/openpgp-revocs.d/ABCD1234.rev

# Publish revocation
gpg --keyserver keys.openpgp.org --send-keys ABCD1234

Manual revocation:

# Generate revocation certificate
gpg --gen-revoke [email protected] > revocation-cert.asc

# Import it
gpg --import revocation-cert.asc

# Publish
gpg --keyserver keys.openpgp.org --send-keys ABCD1234

After revocation:

Key marked as revoked on keyservers
Others see “Key revoked” warning
Can still decrypt old messages
Cannot create new signatures

Backing Up Your Private Key

CRITICAL: Backup before disaster strikes!

# Export private key (password-protected)
gpg --export-secret-keys --armor [email protected] > alice-private-key.asc

# OPTIONAL: Encrypt the exported key with additional password
gpg --symmetric --armor alice-private-key.asc
# Creates: alice-private-key.asc.gpg

# Securely delete unencrypted export
shred -u alice-private-key.asc

Storage options:

Encrypted USB drive - Keep offline, fireproof safe
Paper backup - Print QR code, store in safe deposit box
Encrypted cloud - ONLY if additionally encrypted, never plaintext

Never:

Email private key to yourself
Store unencrypted in cloud
Leave on shared computer
Store without additional passphrase protection

Restoring from Backup

# Import private key
gpg --import alice-private-key.asc.gpg

# If encrypted, decrypt first:
gpg --decrypt alice-private-key.asc.gpg | gpg --import

2. Practical Email Encryption Setup

Thunderbird + Enigmail (Graphical)

Installation:

# Install Thunderbird
sudo apt install thunderbird

# Enigmail add-on
# (Install from Thunderbird Add-ons menu)

Configuration:

Tools → Add-ons → Search “Enigmail” → Install
Enigmail → Key Management → Generate New Key Pair
OR import existing key: Import → Select private key file
Compose email → Enigmail → Encrypt message

Mutt + GPG (CLI Email Client)

For true command-line cypherpunks:

# Install mutt
sudo apt install mutt

# Configure GPG integration (~/.muttrc)
set pgp_default_key="ABCD1234"
set crypt_use_gpgme=yes
set crypt_autosign=yes
set crypt_replysign=yes
set crypt_replyencrypt=yes
set crypt_replysignencrypted=yes

Usage:

Compose email: m
Encrypt: Press p → e (encrypt)
Sign: Press p → s (sign)
Both: Press p → b (both)

Manual Email Encryption (Any Client)

Compose encrypted message:

# 1. Write email in text file
cat > email.txt <<EOF
To: [email protected]
Subject: Encrypted message

Hey Bob,

This is a secret message.

Best,
Alice
EOF

# 2. Encrypt to recipient
gpg --encrypt --armor --recipient [email protected] email.txt

# 3. Copy contents of email.txt.asc into email body
cat email.txt.asc

Bob decrypts:

# 1. Copy email body to file
cat > encrypted-message.asc

# 2. Paste encrypted message, save (Ctrl+D)

# 3. Decrypt
gpg --decrypt encrypted-message.asc

Pros: Works with any email client Cons: Manual, prone to mistakes

3. Modern Alternatives to GPG

Why Consider Alternatives?

GPG challenges:

Steep learning curve
Complex key management
Easy to make mistakes
Vulnerable to metadata leaks
Large attack surface

Modern tools improve on specific use cases.

age: Simple File Encryption

age (actually good encryption) - Modern, minimal, secure.

Installation:

# Download from: https://github.com/FiloSottile/age
# Or: brew install age
# Or: sudo apt install age

Usage:

# Generate keypair
age-keygen > age-key.txt

# Public key shown in output:
# public key: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p

# Encrypt file
age --encrypt --recipient age1ql3z... secret.txt > secret.txt.age

# Decrypt file
age --decrypt --identity age-key.txt secret.txt.age

Advantages over GPG:

Simpler (one command for encrypt, one for decrypt)
Modern cryptography (ChaCha20-Poly1305, X25519)
Smaller attack surface
Hard to misuse
SSH key integration (can use existing SSH keys)

Disadvantages:

No email integration (yet)
Less widely adopted
No web of trust
Not for everything GPG does (signatures, certification)

When to use age:

File encryption (backups, personal files)
Encrypting to yourself
Automated scripts
Learning modern crypto

When to use GPG:

Email encryption
Software signing
Web of trust verification
Compatibility with existing ecosystem

signify / minisign: Signature-Only

Lightweight digital signatures without encryption complexity.

minisign usage:

# Install
sudo apt install minisign

# Generate keypair
minisign -G

# Sign file
minisign -S -m software-release.tar.gz

# Verify
minisign -V -m software-release.tar.gz -P <public-key>

Use case: Software releases, where you only need signing (not encryption).

OpenBSD’s signify is similar, used for OpenBSD package signing.

Comparison Table

Tool	Encryption	Signatures	Email	Complexity	Best For
GPG	Yes	Yes	Yes	High	Email, web of trust, compatibility
age	Yes	No	No	Low	File encryption, backups
minisign	No	Yes	No	Low	Software signing
SSH keys	Limited	Git only	No	Medium	Git signing, SSH auth

4. Putting It All Together: Encrypted Workflow

Alice wants to send confidential report to Bob:

# 1. Alice gets Bob's public key
gpg --keyserver keys.openpgp.org --search-keys [email protected]

# 2. Alice verifies fingerprint (phone call with Bob)
gpg --fingerprint [email protected]

# 3. Alice encrypts and signs document
gpg --sign --encrypt --armor \
  --recipient [email protected] \
  --output report.txt.asc \
  report.txt

# 4. Alice emails report.txt.asc to Bob

# 5. Bob receives and decrypts
gpg --decrypt report.txt.asc > report-decrypted.txt

# Output shows:
# - Good signature from Alice
# - File decrypted successfully

What this achieves:

Confidentiality - Only Bob can read
Authentication - Bob knows it’s from Alice
Integrity - Detects any tampering
Non-repudiation - Alice can’t deny sending it

Week 3 Checklist

Understand asymmetric encryption (public/private keypair concept)
Know GPG/PGP history (Phil Zimmermann, cypherpunk tool)
Generate 4096-bit RSA keypair with expiration
Choose strong passphrase (20+ characters)
Back up revocation certificate
Encrypt file to yourself and decrypt
Create ASCII-armored encryption (for email)
Encrypt file for multiple recipients
Sign file with cleartext signature
Create detached signature
Verify signature
Sign and encrypt combined
Export public key
Import someone’s public key
Verify key fingerprint out-of-band
Publish key to keyserver (optional, consider privacy)
Understand web of trust concept
Sign someone’s key (after verification)
Set trust levels
Back up private key (encrypted)
Experiment with age as GPG alternative

Journal & Git Commit

echo "Week 3: Mastered GPG encryption, signatures, web of trust, key management, and modern alternatives (age). Generated 4096-bit keypair, practiced encrypting to multiple recipients, and explored email encryption." >> notes/week03_journal.md

git add .
git commit -S -m "Week 3 - GPG mastery, public-key cryptography, web of trust"

Up Next: Week 4

Encrypted messaging - Signal, Matrix, secure chat protocols
Email privacy - Metadata, headers, email hygiene
Metadata resistance - What encryption doesn’t protect
OpSec for communications - Avoiding common mistakes

The Bridge: Week 3 taught you the crypto tools. Week 4 teaches you how to use them without leaking metadata and destroying your privacy through poor OpSec.

Additional Resources

Further Reading:

The GNU Privacy Handbook - Official GPG guide
Email Self-Defense - FSF email encryption guide
OpenPGP Best Practices

Tools Covered This Week:

gpg - GnuPG (GNU Privacy Guard)
age - Modern alternative for file encryption
minisign - Lightweight signature tool
Thunderbird + Enigmail - Graphical email encryption
Mutt - CLI email client with GPG integration

Key Takeaways

Key lifecycle includes generation, rotation, revocation, and backup
Back up private keys encrypted, stored offline in multiple locations
Revocation certificates should be stored separately and used if key compromised
Email encryption can be graphical (Thunderbird) or CLI (Mutt)
age is simpler than GPG for file encryption without email/signature needs
Choose the right tool based on your use case (GPG for ecosystem, age for simplicity)

Goal#

1. Key Management: Rotation, Revocation, and Backup#

Extending Key Expiration#

Revoking a Compromised Key#

Backing Up Your Private Key#

Restoring from Backup#

2. Practical Email Encryption Setup#

Thunderbird + Enigmail (Graphical)#

Mutt + GPG (CLI Email Client)#

Manual Email Encryption (Any Client)#

3. Modern Alternatives to GPG#

Why Consider Alternatives?#

age: Simple File Encryption#

signify / minisign: Signature-Only#

Comparison Table#

4. Putting It All Together: Encrypted Workflow#

Scenario: Secure Document Sharing#

Week 3 Checklist#

Journal & Git Commit#

Up Next: Week 4#

Additional Resources#

Key Takeaways#