Full GPG setup

If you care about security and encryption, gpg is a solid choice. It's used by git and the Amazon command line SDK whenever something needs to be signed. PGP uses a system of public/private keys, the same model used for TLS/SSL.

Quick intro about GPG

Using gpg encryption, you can guarantee the authenticity of a document and the identity of its author. How does that work? You create two keys: a private key used for signing and decrypting documents, and a public key used to encrypt documents. As the name suggests, the public key is known to everyone who wants it. Using my public key, anyone can encrypt a document, and the result can only be decrypted by me, with my private key.

One important concept of GPG is the web of trust. If you trust me, you can sign my public key with your private key. This means that you trust that this public key effectively belongs to me, and you add your personal signature to it. It works like a recommendation letter with your signature at the bottom.

GPG also allows for revocation of keys. Usually, one does not use the private master key directly to sign documents but uses a subkey instead. In this scenario, if the subkey becomes compromised (someone guessed your passphrase, for example), it can be marked as revoked and a new one can be generated. This process preserves all the trust given by others. Also, since the master key should be kept very secure (on a separate flash drive, for example), it is often impractical to use it all the time. That's one more reason to use subkeys. If the master key becomes compromised, there is no way around starting the chain of trust from scratch.
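As an added example (not commands from the original post), here is the master-key-plus-subkey workflow described above run end to end in a throwaway keyring with GnuPG 2.1 or later: a certify-only master key, a signing subkey that does the actual signing, and then the master secret key removed from the working keyring so only the subkey stays usable. The identity, file names and the empty passphrase are constructed so the script runs unattended.

```shell
#!/bin/sh
# Added example, not the post's own commands. Assumes GnuPG 2.1+ (for
# --quick-generate-key and ed25519) and uses an empty passphrase only so the
# demo needs no pinentry; a real key gets a real passphrase.
set -eu

GNUPGHOME=$(mktemp -d)          # throwaway keyring, nothing touches ~/.gnupg
export GNUPGHOME
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true' EXIT

UID_STR="Example User <example@example.invalid>"   # constructed identity
g() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Master key with the certify capability only: it signs other people's keys and
# its own subkeys, never documents, so it can stay on a flash drive most of the time.
g --quick-generate-key "$UID_STR" ed25519 cert 2y
FPR=$(gpg --batch --with-colons --list-keys "$UID_STR" \
      | awk -F: '/^fpr:/ { print $10; exit }')

# Signing subkey with a shorter lifetime: this is the key that gets used day to
# day and, if compromised, revoked and replaced without losing the master's trust.
g --quick-add-key "$FPR" ed25519 sign 1y

# Sign and verify a document; the signature is made by the subkey.
printf 'release notes\n' > "$GNUPGHOME/doc.txt"
g --detach-sign "$GNUPGHOME/doc.txt"
gpg --batch --quiet --verify "$GNUPGHOME/doc.txt.sig" "$GNUPGHOME/doc.txt"

# Keep only the subkey's secret material here: export the secret subkeys,
# delete all secret keys, then import the subkey file back. The primary comes
# back as a stub (shown as "sec#" in a normal listing).
g --export-secret-subkeys "$FPR" > "$GNUPGHOME/subkeys.gpg"
gpg --batch --yes --delete-secret-keys "$FPR"
gpg --batch --quiet --import "$GNUPGHOME/subkeys.gpg"

# Field 15 of a sec/ssb record in --with-colons output:
# '+' means the secret key is present, '#' means it is only a stub.
secret_state() {  # $1 is "sec" (master) or "ssb" (subkey)
  gpg --batch --with-colons --list-secret-keys "$FPR" \
    | awk -F: -v r="$1" '$1 == r { print $15; exit }'
}
echo "master: $(secret_state sec)  subkey: $(secret_state ssb)"   # master: #  subkey: +
```

In real use the file produced by --export-secret-subkeys is what goes on the everyday machine, while the full secret key (including the master) stays on the offline medium.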

Below I'll detail a full setup to:

A lot of this post comes from PGP best practices.

Improving default config

To make sure gpg does not use unsafe algorithms and settings, add the following snippet to ~/.gnupg/gpg.conf:

#