In order to decrypt messages intended for you, or sign things so others know it came from you (like git commits) you'll need a GPG key.

Although you can create a GPG key from the computer you're using to read this, you probably shouldn't. Computers you use to browse the Internet can get malware/viruses, and those can read any file on your computer. It's safest to work with private keys (both GPG keys and cryptocurrency private keys) on another machine that is airgapped.

➡️ Learn how to set up an airgapped computer here ⬅️

<aside> 💡 It is recommended that all work performed on raw private keys is always done on an airgapped machine.

</aside>

About GPG keys and Yubikeys

GPG Keys have 4 capabilities:

• Certification (c)
• Encryption (e)
• Authentication (a)
• Signing (s)

GPG Keys can also have multiple child keys (which each have their own capabilities), and multiple user IDs (a User ID is a pair of "Full Name" and <email address>)

Yubikeys can store 3 GPG keys: one for encryption, authentication, and signing.

New Yubikeys come from the factory with the following default PINs:

• Admin PIN: 12345678
• User PIN: 123456

What we will do

• A GPG key (the parent key) with the certify and sign capabilities
• With 3 child-keys: one each for encryption, authentication, and signing.
• With 1 user ID: your name and email address
• You'll keep a backup of the GPG parent key and the encryption child key so that if you ever lose your Yubikey you can restore the backup on a new Yubikey.