Frequently Asked Question
What is public-key cryptography and why does every sysadmin need to understand it?
Public-key (asymmetric) cryptography uses a pair of mathematically linked keys: one published freely, one kept secret. The system has two complementary properties. Anything encrypted with the public key can be decrypted only by the private key (confidentiality), and anything signed with the private key can be verified by anyone holding the public key (authenticity and integrity). Modern implementations use RSA, ECDSA, or Ed25519 keys, with RSA at 3072+ bits or Ed25519 the current sensible defaults.
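The two properties above, exercised as an added example (not code from the original FAQ), using Go's standard library: RSA-OAEP with a 3072-bit key for confidentiality and Ed25519 for authenticity; the function names and sample messages are the example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Confidentiality: anyone holding only the public key can encrypt; only the
// matching private key decrypts. 3072-bit RSA, the floor the FAQ recommends.
func confidentialityDemo(msg []byte) ([]byte, error) {
	recipient, err := rsa.GenerateKey(rand.Reader, 3072)
	if err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &recipient.PublicKey, msg, nil)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, ct, nil)
}

// Authenticity and integrity: only the private key can sign, anyone with the
// public key can verify, and a changed message or a different signer fails.
func signatureDemo(msg []byte) (genuine, tampered, wrongSigner bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sig := ed25519.Sign(priv, msg)
	genuine = ed25519.Verify(pub, msg, sig)
	altered := append(append([]byte{}, msg...), '!') // one extra byte is enough
	tampered = ed25519.Verify(pub, altered, sig)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	wrongSigner = ed25519.Verify(pub, msg, ed25519.Sign(otherPriv, msg))
	return genuine, tampered, wrongSigner
}

func main() {
	pt, err := confidentialityDemo([]byte("rotate the host key on Friday")) // constructed sample
	g, tm, ws := signatureDemo([]byte("deb https://deb.debian.org/debian stable main"))
	fmt.Printf("decrypted=%q err=%v genuine=%v tampered=%v wrongSigner=%v\n", pt, err, g, tm, ws)
}
```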
Almost every protection on a Linux system relies on this primitive. SSH host keys prove the server is the one you connected to last time. TLS certificates let your browser confirm it really is talking to the bank. Package signatures convince apt and dnf that the binaries came from Debian or Fedora and not from a hostile mirror. Git commit signing lets reviewers verify who signed each commit. Disk-encryption recovery keys, mail signing with GPG, and code signing for the kernel modules you load all rely on the same trick.
For a sysadmin the practical knowledge is: keep private keys on the smallest number of machines (ideally just one, in a hardware token or an encrypted home directory), never email them, distribute public keys freely, and treat key rotation as a routine operation rather than an emergency.