Frequently Asked Question
What is GPG and what should a sysadmin actually use it for?
GnuPG (GPG) is the free implementation of the OpenPGP standard, originally written to
give email users end-to-end encryption but now far more widely used for signing files,
packages, and software releases. A GPG key pair lives in ~/.gnupg/ and is created with
gpg --full-generate-key. The public half is exported with
gpg --armor --export YOUR_ID > key.asc and uploaded to a keyserver or a personal web
page; the private half stays put.
A sysadmin's day-to-day uses are practical rather than philosophical. Verifying that a
downloaded ISO matches the project's signature (gpg --verify ubuntu.iso.gpg ubuntu.iso)
catches mirror tampering before you install; the check is only as strong as your copy of
the project's public key, so import that key from a source you trust and compare its
fingerprint rather than accepting whatever a keyserver returns. Signing your own outgoing
tarballs lets downstream users do the same. Encrypting a secrets.tar before mailing or
backing it up keeps the contents readable only by the intended recipient. Signing git
tags and commits gives your team a cryptographic record of who signed each change, which
the freely editable author field on its own cannot provide.
Where GPG most often goes wrong in practice is key management: lost private keys, no
revocation certificate stored offline, expired keys that nobody updated. Generate a
revocation certificate the day you generate the key, store it on paper or a USB stick
somewhere safe, set a reasonable expiry (one to two years) and extend it before it
lapses, and prefer hardware tokens (YubiKey, Nitrokey) for the master key.
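The key lifecycle this FAQ describes, as an added example that is not part of the original page: it runs a throwaway key through generation, revocation-certificate creation, detached signing, verification of a good and a tampered artifact, and an encrypt/decrypt round trip, all inside a temporary GNUPGHOME so the real ~/.gnupg is untouched. It assumes GnuPG 2.1 or later; the identity, file names and contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not the page's own code): GPG key lifecycle in an isolated keyring.
# Assumes GnuPG 2.1+ (--quick-generate-key, automatic revocation certificate).
# The identity, file names and file contents below are constructed.
set -eu

# All gpg calls non-interactive with an empty passphrase (demo only; real keys get a
# passphrase or live on a hardware token).
g() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Detached-signature check: exit status 0 only for a good signature by a known key.
verify_ok() { gpg --batch --quiet --verify "$1.asc" "$1" 2>/dev/null; }

# Decrypt the demo secrets file back to stdout.
roundtrip() { g --decrypt "$GNUPGHOME/secrets.txt.gpg" 2>/dev/null; }

run_demo() {
    GNUPGHOME="$(mktemp -d /tmp/gpgdemo.XXXXXX)"; export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT

    # 1. Key with a one-year expiry, as the FAQ recommends.
    g --quick-generate-key "Demo Sysadmin <demo@example.invalid>" default default 1y
    FPR="$(g --list-keys --with-colons demo@example.invalid | awk -F: '$1=="fpr"{print $10; exit}')"

    # 2. GnuPG 2.1+ writes a revocation certificate at key creation; this is the file
    #    to copy to paper or a USB stick kept offline.
    REVOKE_CERT="$GNUPGHOME/openpgp-revocs.d/$FPR.rev"

    # 3. ASCII-armored detached signature over a release artifact (release.tar.asc).
    printf 'pretend tarball contents\n' > "$GNUPGHOME/release.tar"
    g --detach-sign --armor --local-user "$FPR" "$GNUPGHOME/release.tar"

    # 4. A tampered copy carrying the original signature must fail verification.
    cp "$GNUPGHOME/release.tar" "$GNUPGHOME/tampered.tar"
    cp "$GNUPGHOME/release.tar.asc" "$GNUPGHOME/tampered.tar.asc"
    printf 'x' >> "$GNUPGHOME/tampered.tar"

    # 5. Encrypt a secrets file to a recipient key (here our own) for later decryption.
    printf 'db_password=hunter2\n' > "$GNUPGHOME/secrets.txt"
    g --encrypt --recipient "$FPR" --output "$GNUPGHOME/secrets.txt.gpg" "$GNUPGHOME/secrets.txt"

    echo "key $FPR: revocation certificate at $REVOKE_CERT"
    verify_ok "$GNUPGHOME/release.tar"  && echo "release.tar: good signature"
    verify_ok "$GNUPGHOME/tampered.tar" || echo "tampered.tar: signature rejected"
}

if command -v gpg >/dev/null 2>&1; then run_demo; else echo "gpg not installed, skipping" >&2; fi
```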