I have been using PGP for many years. At first it was just something cool to play with, but I have also been building mail servers and computer networks for many years, and I know first-hand exactly how easy it is for ISPs, "hackers", corporations, and governments to read other people's email.
And since there is no realistic way to prevent this from happening, it only makes sense to encrypt my emails whenever possible, so that even if they do happen to look at my message (out of the billions of emails which cross the internet every day), they won't be able to read it.
If you ever need to send me email, even if it's not something which needs to be private, I encourage you to encrypt it using one of the "Current keys" listed below, just on principle.
This is the key I use for personal stuff. It is attached to my Keybase account.
pub rsa4096/0xA7EC1FBAB3B50007 2017-11-27 [SC] [expires: 2023-01-01]
uid [ultimate] John Simpson
This is the key I use for things related to my "day job".
pub rsa4096/0x4630606F0B2F31A6 2019-03-21 [SC] [expires: 2023-01-01]
uid [ unknown] John Simpson
This key has not been revoked, but I plan to revoke it at some point. The key shown above has been signed by this one.
pub   rsa4096/0x6B2EDC90B5C6DC30 2017-05-27 [SC]
      6353320118E1DEA2F38EAE806B2EDC90B5C6DC30
uid           [ultimate] John M. Simpson <firstname.lastname@example.org>
uid           [ultimate] John M. Simpson <email@example.com>
sub   rsa4096/0x297E5961AB566594 2017-05-27 [E]
This key has not been revoked, but its original expiration date was 2011-08-03. I have updated it to not expire, but not everybody got the update, and some people consider it expired. In the interest of avoiding confusion, and because I wanted a longer key, I have stopped using this key and now use the one above instead.
pub   dsa1024/0x8F8D8C9A9014AD1A 2008-08-03 [SC]
      5AA49FD4D245733518C2F3D98F8D8C9A9014AD1A
uid           [ultimate] John M. Simpson <firstname.lastname@example.org>
uid           [ultimate] John Simpson <email@example.com>
uid           [ultimate] John Simpson <firstname.lastname@example.org>
uid           [ultimate] [jpeg image of size 5148]
uid           [ultimate] John Simpson <email@example.com>
sub   elg4096/0xC6655C940F6C5215 2008-08-03 [E]
This was the first key I generated "for real", with the intention of sharing it with the world and using it on a regular basis. I haven't used this one since 1999-2000, and in fact I have forgotten the passphrase for its secret key, so I can't create a revocation certificate for it. Please don't use this key anymore.
pub  1024R/2FB5EDA9 1996-04-06 John Simpson <firstname.lastname@example.org>
     Key fingerprint = 8F EA B0 95 6C C4 02 F8  11 1D BE 62 48 09 05 52
uid                            John Simpson <email@example.com>
uid                            John Simpson <firstname.lastname@example.org>
These are old keys which I have decided I will never use again. If you happen to have one of them in your keyring, please add the revocation certificates as well, so that your PGP client won't try to use them by accident.
Revoked 2008-08-04
pub  1024D/3306FCFB 2002-02-27 John Simpson <email@example.com>
     Key fingerprint = 3E71 7105 6DE0 EFA1 00B5  B12D 101F 5173 3306 FCFB
uid                            [image of size 4420]
uid                            John Simpson <firstname.lastname@example.org>
sub  4096g/71CF8D66 2002-02-27

Revoked 2008-08-04
pub  1024D/9EDD51D9 1998-01-05 John Simpson <email@example.com>
     Key fingerprint = 47EC DE79 2527 83E9 08DB  7E75 708D 7E9E 9EDD 51D9
uid                            John Simpson <firstname.lastname@example.org>
uid                            Thawte Freemail Member <email@example.com>
uid                            [image of size 4420]
uid                            John Simpson <firstname.lastname@example.org>
sub  2048g/8C0A413C 1998-01-05
My current PGP keys are physically stored on YubiKeys. (I do have backups of the secret keys, securely stored in multiple locations.) The YubiKey stores the secret keys in a "secure element", similar to the secure elements where newer phones and computers store things like credit card numbers and biometrics (face prints, fingerprints, etc.) Keys can be uploaded into the YubiKey, but there is no way to download keys out of the YubiKey.
Without going into a bunch of technical detail, all of my "current" PGP keys have separate signing sub-keys. The YubiKeys have the secret keys for these sub-keys, and specifically do NOT contain the secret key for the primary. This means that, using the YubiKeys, I am able to do everything except the following operations, which can only be done using the primary key:
Signing other PGP keys
Changing the expiration dates of the key itself
Since I generally "extend" each key for one year at a time, this means that once a year I have to boot up Tails without connecting it to any network, read in a backup with the actual secret keys, and run commands like this for each PGP key (using the key's full fingerprint, "BDC84CA878FD827A4C0BB361A7EC1FBAB3B50007", as the key ID) ...
gpg --quick-set-expire BDC84CA878FD827A4C0BB361A7EC1FBAB3B50007 2023-01-01
This sets a new expire date for the primary key.
gpg --quick-set-expire BDC84CA878FD827A4C0BB361A7EC1FBAB3B50007 2023-01-01 '*'
This sets a new expire date for all of the sub-keys. (I couldn't find a single command which sets the expire dates on the primary and sub-keys at the same time.)
gpg -a --export BDC84CA878FD827A4C0BB361A7EC1FBAB3B50007 > BDC84CA878FD827A4C0BB361A7EC1FBAB3B50007.pub.asc
This exports a copy of the public key, which will contain the new signature setting the expire date.
After doing this for each key, I copy all of the xxx.pub.asc files to a "normal" USB stick, and shut down Tails. Note that I don't need to update the backups - the secret keys for the primary and sub-keys don't change (unless I generate new ones on purpose), and the certifications which set the new expire date are contained within the "xxx.pub.asc" files.
Then, on any computer which has these keys in its keyring, I "import" the new "xxx.pub.asc" files using a command like this...
gpg --import BDC84CA878FD827A4C0BB361A7EC1FBAB3B50007.pub.asc
Assuming the keyring already has an older version of this key, this will update the key's expiration date within that keyring, making it "valid" for another year. And if it didn't have any other version of the key, this will add it, with the new expiration date.
I also upload copies of the "xxx.pub.asc" files to my web server, so they're downloadable using the links near the top of this page. 😁
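For the annual extension and import steps above, here is an added Python example (not the page's own code) that parses `gpg --with-colons --list-keys` output: it flags keys that expire soon, produces the two --quick-set-expire commands (primary first, then '*' for the sub-keys), and after the import checks that the primary and every sub-key carry the same new date. The listing is constructed for this page's personal key; the sub-key ID, sub-key fingerprint and uid hash are made-up placeholders.

```python
"""Added example (not from the page): parse `gpg --with-colons --list-keys`
output to find keys near expiry, build the extension commands, verify after import."""
from datetime import date, datetime, timezone

# Constructed listing for the personal key on this page: the fingerprint is
# the page's, the sub-key ID/fingerprint and uid hash are made-up placeholders.
SAMPLE_LISTING = """\
pub:u:4096:1:A7EC1FBAB3B50007:1511740800:1672531200::u:::scESC::::::23::0:
fpr:::::::::BDC84CA878FD827A4C0BB361A7EC1FBAB3B50007:
uid:u::::1511740800::0000000000000000000000000000000000000000::John Simpson::::::::::0:
sub:u:4096:1:0123456789ABCDEF:1511740800:1672531200:::::s::::::23:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
"""

def to_date(field):
    """Colon-format dates are epoch seconds (older gpg: YYYY-MM-DD); empty = no expiry."""
    if not field:
        return None
    if field.isdigit():
        return datetime.fromtimestamp(int(field), tz=timezone.utc).date()
    return date.fromisoformat(field[:10])

def parse_listing(text):
    """Return {fingerprint: {"keyid", "primary": expiry, "subkeys": [expiry, ...]}}."""
    keys, current = {}, None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            current = {"keyid": f[4], "primary": to_date(f[6]), "subkeys": []}
        elif f[0] == "fpr" and current is not None and "fpr" not in current:
            current["fpr"] = f[9]  # first fpr record after pub is the primary's
            keys[f[9]] = current
        elif f[0] == "sub" and current is not None:
            current["subkeys"].append(to_date(f[6]))
    return keys

def needs_extension(key, today, within_days=60):
    """True if the primary or any sub-key expires within within_days of today."""
    dates = [key["primary"], *key["subkeys"]]
    return any(d is not None and (d - today).days <= within_days for d in dates)

def extension_commands(fpr, new_expiry):
    """The two commands from the page: primary first, then '*' for every sub-key."""
    return [["gpg", "--quick-set-expire", fpr, new_expiry.isoformat()],
            ["gpg", "--quick-set-expire", fpr, new_expiry.isoformat(), "*"]]

def expiry_is_consistent(key, expected):
    """Post-import check: a skipped '*' step leaves sub-keys on the old date."""
    return key["primary"] == expected and all(d == expected for d in key["subkeys"])
```

Run expiry_is_consistent against a fresh listing after "gpg --import" of the xxx.pub.asc file to confirm the new date actually landed on both the primary and the sub-keys.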