OpenPGP is a cryptography technology that is used to encrypt and then decrypt information or securely sign information and then verify those signatures. It does this with OpenPGP keys that anyone can generate and use. These keys come in two parts: a private part that you keep secret and use to sign data and to decrypt any encrypted data sent to you; and a public part that you distribute, which is used by anyone else to verify your signature and to encrypt any data they want to send to you.
Unlike some other cryptographic technologies, OpenPGP keys do not require you to send them to anyone to activate them or mark them as genuine – once you have created a key you can use it immediately.
You can assign any number of names and email addresses (or other identifiers) to a key, but the technology does not check that these names or email addresses are really yours. Instead you ask other people who know that the name and email address are yours to sign your key with theirs. The more people who sign your key, the greater the implied trust that you are who you say you are (by virtue of your email addresses).
Most people who sign someone else's key take considerable care to ensure that the person is who they say they are. Further details are in Signing Someone's Key.
As more people sign each other's keys this builds up a web of trust that makes it difficult for people to masquerade as others. It also makes it easier to decide whether or not to trust a signature even if you have not met the person who made it. For example, if I receive a signed message from person A, whom I do not know, but I see that their key has been signed by people B, C and D, then there is a reasonable probability that they are who they claim to be.
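As an added example (not code from the original page), the following GnuPG shell session walks through the whole cycle described above: two throw-away keyrings stand in for Alice and Bob, Alice signs a message that Bob verifies with her exported public key, a modified copy of the message fails verification, Bob certifies Alice's key (after which GnuPG reports her key as fully valid in his keyring), and Bob encrypts a message that only Alice's private key can decrypt. The names, addresses and message text are constructed for the demo; it assumes GnuPG 2.1 or later is installed as gpg.

```shell
#!/bin/sh
# Added example, not from the original page: the OpenPGP key lifecycle with
# GnuPG. Two temporary keyrings make "Alice" and "Bob" genuinely separate
# parties. Names, addresses and the message text are constructed.
set -u

# Run gpg non-interactively against a given keyring with an empty passphrase.
g() {
    home=$1; shift
    GNUPGHOME="$home" gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"
}

# Primary-key fingerprint of the first key matching a user ID, taken from the
# machine-readable (--with-colons) listing.
fpr_of() {
    GNUPGHOME="$1" gpg --batch --with-colons --list-keys "$2" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Validity gpg reports for a good signature (TRUST_UNDEFINED, TRUST_FULLY, ...).
trust_of_sig() {
    GNUPGHOME="$1" gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null \
        | awk '$2 ~ /^TRUST_/ { print $2; exit }'
}

openpgp_demo() {
    work=$(mktemp -d) || return 1
    alice="$work/alice"; bob="$work/bob"
    mkdir -m 700 "$alice" "$bob"

    # 1. Each party generates a key pair; nothing is sent anywhere to "activate" it.
    g "$alice" --quick-generate-key 'Alice Example <alice@example.com>' default default never 2>/dev/null || return 1
    g "$bob"   --quick-generate-key 'Bob Example <bob@example.com>'     default default never 2>/dev/null || return 1
    alice_fpr=$(fpr_of "$alice" alice@example.com)
    bob_fpr=$(fpr_of "$bob" bob@example.com)

    # 2. Alice distributes only the public part; Bob imports it into his keyring.
    g "$alice" --armor --export "$alice_fpr" > "$work/alice.pub" || return 1
    g "$bob" --import "$work/alice.pub" 2>/dev/null || return 1

    # 3. Alice signs a message with her private key; Bob verifies it with her public key.
    printf 'meeting moved to 10:00\n' > "$work/msg.txt"   # constructed message
    g "$alice" --local-user "$alice_fpr" --armor --detach-sign --output "$work/msg.asc" "$work/msg.txt" 2>/dev/null || return 1
    verify_ok=0
    g "$bob" --verify "$work/msg.asc" "$work/msg.txt" 2>/dev/null && verify_ok=1

    # A modified message no longer matches the signature.
    printf 'meeting moved to 11:00\n' > "$work/forged.txt"
    tamper_detected=1
    g "$bob" --verify "$work/msg.asc" "$work/forged.txt" 2>/dev/null && tamper_detected=0

    # 4. The signature is good, but Bob's keyring has no reason yet to believe
    #    the key belongs to Alice: its validity is undefined.
    trust_before=$(trust_of_sig "$bob" "$work/msg.asc" "$work/msg.txt")

    # 5. Bob, having checked Alice's identity out of band, signs her key with his.
    g "$bob" --local-user "$bob_fpr" --quick-sign-key "$alice_fpr" 2>/dev/null || return 1
    trust_after=$(trust_of_sig "$bob" "$work/msg.asc" "$work/msg.txt")

    # Bob returns the signed key; Alice imports it and can now see Bob's certification.
    g "$bob" --armor --export "$alice_fpr" > "$work/alice-signed.pub" || return 1
    g "$alice" --import "$work/alice-signed.pub" 2>/dev/null || return 1
    bob_keyid=$(printf '%s' "$bob_fpr" | tail -c 16)   # long key ID = last 16 hex digits
    bob_sig_present=0
    GNUPGHOME="$alice" gpg --batch --with-colons --list-sigs "$alice_fpr" 2>/dev/null \
        | awk -F: -v id="$bob_keyid" '$1 == "sig" && $5 == id { found = 1 } END { exit !found }' \
        && bob_sig_present=1

    # 6. Bob encrypts to Alice's public key; only her private key can decrypt it.
    g "$bob" --armor --recipient "$alice_fpr" --encrypt --output "$work/msg.gpg" "$work/msg.txt" 2>/dev/null || return 1
    decrypt_ok=0
    g "$alice" --decrypt --output "$work/out.txt" "$work/msg.gpg" 2>/dev/null \
        && cmp -s "$work/msg.txt" "$work/out.txt" && decrypt_ok=1

    # Stop the per-keyring agents and remove the temporary keyrings.
    for h in "$alice" "$bob"; do GNUPGHOME="$h" gpgconf --kill all >/dev/null 2>&1; done
    rm -rf "$work"

    printf 'verify_ok=%s\ntamper_detected=%s\ntrust_before=%s\ntrust_after=%s\nbob_sig_present=%s\ndecrypt_ok=%s\n' \
        "$verify_ok" "$tamper_detected" "$trust_before" "$trust_after" "$bob_sig_present" "$decrypt_ok"
}

openpgp_demo
```

Run it as a script; it prints one name=value line per check. The trust_before and trust_after lines show the web-of-trust effect directly: the signature is cryptographically good both times, but only after Bob has certified Alice's key does gpg stop treating it as a key of unknown validity (and stop warning that it is not certified with a trusted signature).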
GPG Best Practices
We recommend following the Riseup GPG best practices; that document includes information on how to set up your GPG key(s) and how to interact properly with GPG keyservers.
A keyserver is where people publish their public keys to make them available to the rest of the world. The servers then provide various search facilities for people to find the right keys.
Many keyservers synchronise with a number of others, which builds up a large global network of OpenPGP keyservers. If you publish your key to one of these servers it will normally replicate to all the others in the global network within a few days. However, not all keyservers synchronise with others, so if you particularly want your key on one of those you need to publish it to that server directly.
See Using This KeyServer for more information.