GPG Quick Start
Generate keys, sign and encrypt messages, verify firmware downloads, and publish your public key.
What GPG Does for LA-Mesh
- Verify GPG signatures on email bridge messages
- Sign and encrypt arbitrary messages for specific recipients over insecure channels
- Verify downloaded firmware and TAILS ISO integrity
Generate a Key Pair (Ed25519)
```bash
# Generate an Ed25519 primary key that can sign (a primary key can always certify)
gpg --quick-gen-key "Your Name <you@example.com>" ed25519 sign 0

# Add a cv25519 encryption subkey to the key's fingerprint
FPR=$(gpg -k --with-colons you@example.com | grep '^fpr' | head -1 | cut -d: -f10)
gpg --quick-add-key "$FPR" cv25519 encr 0
```
Ed25519 keys are shorter, faster, and more secure than RSA-4096 for modern use.
Publish Your Public Key
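```bash
# Upload to keyserver
# (keys.openpgp.org distributes the name/e-mail on a key only after that address has been verified with the keyserver)
gpg --keyserver hkps://keys.openpgp.org --send-keys <KEY-ID>

# Export for in-person exchange via QR code
gpg --export <KEY-ID> | qrencode -o pubkey-qr.png
```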
Keyserver: keys.openpgp.org
Sign and Encrypt
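```bash
# Clearsign a message (readable + signature); writes message.txt.asc
gpg --clearsign message.txt

# Encrypt for a specific recipient
# (explicit --output so the result does not collide with the clearsigned message.txt.asc)
gpg --encrypt --armor --recipient recipient@example.com --output message.txt.enc.asc message.txt

# Verify a signature
gpg --verify message.txt.asc
```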
Verify Downloaded Files
```bash
# Verify firmware release signature
gpg --verify firmware-2.7.15.zip.sig firmware-2.7.15.zip

# Verify TAILS ISO
gpg --verify tails-amd64-7.4.2.iso.sig tails-amd64-7.4.2.iso
```
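`gpg --verify` reports a good signature for any key in your keyring, so a download check should also confirm which key signed. The wrapper below is an added example, not LA-Mesh project code: it parses gpg's `--status-fd` output and requires a pinned primary-key fingerprint. The function names, sample status lines and fingerprints are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: accept a detached signature only from a pinned signer.

# check_status PINNED_FPR   (reads `gpg --status-fd` lines on stdin)
# Succeeds only if gpg reported a good signature whose primary-key
# fingerprint (last field of VALIDSIG) equals PINNED_FPR, and no
# bad, expired or revoked signature status was reported.
check_status() {
  awk -v want="$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')" '
    $1 != "[GNUPG:]" { next }
    $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
    $2 == "GOODSIG" { good = 1 }
    $2 == "VALIDSIG" {
      fpr = (NF >= 12) ? $12 : $3   # fall back to the signing-key fpr
      if (fpr == want) pinned = 1
    }
    END { exit !(good && pinned && !bad && want != "") }
  '
}

# verify_pinned PINNED_FPR SIGNATURE_FILE DATA_FILE
# The pinned fingerprint must come from a channel you trust,
# for example an in-person key exchange.
verify_pinned() {
  gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null | check_status "$1"
}

# Constructed sample of status output for a good signature made by a
# signing subkey (fingerprints and key owner are made up).
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76543210FEDCBA98 Example Release Key <release@example.com>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2025-01-01 1735689600 0 4 0 22 10 00 0123456789ABCDEF0123456789ABCDEF01234567'

# Usage (placeholder fingerprint, file names from the commands above):
#   verify_pinned "<PINNED-FINGERPRINT>" firmware-2.7.15.zip.sig firmware-2.7.15.zip \
#     && echo "signed by the pinned key"
```

The pinned fingerprint may be given in lower case or with spaces, as `gpg --fingerprint` prints it.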
Client Setup
| Platform | Client | Notes |
|---|---|---|
| Thunderbird | Built-in OpenPGP | No Enigmail needed (Thunderbird 78+) |
| TAILS | Kleopatra (built-in) | GUI key manager included in TAILS |
| Linux CLI | gpg | Installed by default on most distributions |
| macOS | GPG Suite | Integrates with Apple Mail |