This is The GPG Guide
Most PGP and GnuPG guides were written for a world that no longer exists. They recommend RSA keys, reference the defunct SKS keyserver pool, and ignore the tools that have reshaped the ecosystem since 2020 -- Sequoia PGP, age, Sigstore, FIDO2. Meanwhile, the OpenPGP standard itself has forked into two competing specifications (RFC 9580 and LibrePGP), and GnuPG has released a new stable series. If you're setting up PGP today, the old guides will actively steer you wrong.
The GPG Guide is the comprehensive, opinionated reference that replaces them. It covers the full lifecycle of a modern PGP identity: from generating your first key on an air-gapped machine, through hardware token provisioning and daily use, to maintenance, rotation, and emergency recovery years later. Every command has been tested against GnuPG 2.5.x and Sequoia sq 1.3.1. Where PGP is the wrong tool for the job, this guide says so and points you to what works better.
What's inside
Sixteen parts and six appendices covering:
- Key generation with both GnuPG and Sequoia, including air-gapped setup
- Backup and recovery -- Paperkey, QR codes, encrypted USB, revocation certificates
- Hardware tokens -- YubiKey configuration, touch policies, alternative devices
- SSH authentication -- gpg-agent, FIDO2, and PIV paths compared side by side
- Git commit signing -- GPG and SSH signing, GitHub/GitLab/Codeberg integration, CI/CD verification
- Email encryption -- Thunderbird (and its RNP quirks), Mutt/NeoMutt, Autocrypt, ProtonMail
- Password management with pass, gopass, and passage
- Secrets management -- SOPS, git-crypt, and when to use age instead
- Key distribution -- keyservers, WKD, Keyoxide, decentralized identity proofs
- Web of Trust -- including the Debian Developer path
- Package and container signing -- deb, RPM, release tarballs, cosign
- Maintenance -- expiry renewal, YubiKey replacement, the stub problem, emergency recovery
- Complementary tools -- Sequoia, age, SOP, and when NOT to use PGP at all
Plus appendices with a complete GnuPG config reference, troubleshooting guide, cheat sheet, glossary, and migration guides from older setups.
The approach
The guide is opinionated. Not because there are no other valid choices, but because you have actual work to do, and a clear "just do this" path is more useful than a survey of every option.
Three reader tracks
You don't have to read all 60,000 words. Pick the track that matches your goal:
- Track A -- "I just need Git signing and SSH." Five parts, done in an afternoon.
- Track B -- "Full identity setup with YubiKey." The core path plus whatever workflows you need.
- Track C -- "Debian Developer / high-assurance identity." The whole guide, especially key distribution, Web of Trust, and package signing.
Who this book is for
Software engineers, system administrators, security professionals, and open-source maintainers who need to use PGP in 2026 and want a single reference that's both current and complete. Linux, macOS, and Windows (WSL2) are all first-class platforms throughout; every command includes platform-specific tabs where behavior differs.
About this edition
This is an early access edition. The full content is complete and technically reviewed, but editing and formatting tweaks are ongoing, and updates will continue as the ecosystem evolves. As a Leanpub reader, you receive all future updates at no additional cost.
Affordable options: This book is for everyone. If the price is a barrier for you — you're a student, between jobs, a nonprofit, you're in a country where the price is steep, or just can't swing it right now — email me at tony.gies@crashunited.com and ask for a free copy or name your price. No questions asked, no justification needed. Please allow a couple of days for a response. I only humbly request that those with the means to do so please support my work by purchasing it, and if you're especially wealthy, please consider subsidizing free copies for those who need them by paying extra.