Wrote up a quick thing about using Keyoxide and thought to share it here since I haven’t posted in a while. lol

  • Otter@lemmy.ca · 19 hours ago · +3

    Doesn’t look like there’s a link in the post, you may have missed it?

  • SanctimoniousApe@lemmings.world · 18 hours ago · +3 / −1

    I’m not really up on this field, so I’ve never heard of Keyoxide. Did a quick scan of your article, and a couple things popped into my head.

    1. How old is this article? It references Twitter without so much as a wink to the rename.

    2. I was under the impression PGP keys were no longer considered good security because the keys are static - i.e. they never change, which is why authenticator apps that change codes every minute have been all the rage for many years now.

    • itwasntme223@infosec.pub (OP) · 11 hours ago · +1

      Hey there! PGP keys are still good and used by a lot of people because they support elliptic-curve encryption, and they are still the backbone of Linux repositories for verifying the authenticity of the Debian link you’re adding. In regards to your Twitter naming question, it’s my own personal choice, but I plan to deadname Twitter until Space Karen stops deadnaming his daughter.

      Here’s an article about PGP in 2025 in case you’re interested!

      https://www.upguard.com/blog/what-is-pgp-encryption

    • tal@lemmy.today · 11 hours ago · +1

      “never change”

      Nah, that’s not a problem.

      So, if you send a password at some point, someone could theoretically intercept and get the password, and then impersonate you.

      PGP keys are public-private. The key never leaves your possession. Instead, the other side asks you to cryptographically sign something using your private key, which they can validate using your public key.

      You never expose your private key to any intermediary, and even the other side doesn’t have it.

      TOTPs have a shared secret, and generate a temporary passphrase using both time and the secret. Those also protect (mostly) against interception, since the OTP becomes invalid within probably seconds. Just as with PGP keys, the secret does not change. However, unlike PGP, the other side does also have all the information required to authenticate as you.
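      The two flows tal contrasts, as an added example that is not part of the thread: a challenge/response in which the verifier holds only a public key, beside a TOTP in which the server stores the same secret as the user’s app. Ed25519 stands in for the PGP signing key (an assumption of this example; PGP wraps keys and signatures in OpenPGP packets, but the trust property is the same), and the TOTP secret is the RFC 4226 test-vector secret, so the codes it produces can be checked against the RFC.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// --- Public-key challenge/response (the PGP-style flow) ---

type Prover struct{ priv ed25519.PrivateKey } // holds the private key, never sends it
type Verifier struct{ pub ed25519.PublicKey } // holds only the public key

// NewParties creates a fresh key pair and hands each side only what it needs.
// Ed25519 is a stand-in for a PGP signing key (assumption of this example).
func NewParties() (Prover, Verifier, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Prover{}, Verifier{}, err
	}
	return Prover{priv: priv}, Verifier{pub: pub}, nil
}

// Challenge issues a fresh random nonce. A captured signature over an old
// nonce is useless for replay, because only the current nonce is accepted.
func (v Verifier) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// Respond signs the nonce; only the signature crosses the wire.
func (p Prover) Respond(nonce []byte) []byte {
	return ed25519.Sign(p.priv, nonce)
}

// Accept verifies a response against the nonce this verifier issued.
func (v Verifier) Accept(nonce, sig []byte) bool {
	return ed25519.Verify(v.pub, nonce, sig)
}

// ImpostorResponse is the best an eavesdropper, or the verifier itself, can do:
// sign with some other private key. Without the prover's private key there is
// no way to produce a signature the prover's public key will accept.
func ImpostorResponse(nonce []byte) ([]byte, error) {
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(otherPriv, nonce), nil
}

// --- TOTP (RFC 6238 over HOTP, RFC 4226): both sides hold the same secret ---

// HOTP computes a 6-digit HMAC-SHA1 one-time code for a counter value.
func HOTP(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // dynamic truncation, RFC 4226 section 5.3
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// TOTP is HOTP over 30-second time steps, as authenticator apps do.
func TOTP(secret []byte, t time.Time) string {
	return HOTP(secret, uint64(t.Unix()/30))
}

// ServerCanMintCode shows the asymmetry: the TOTP server stores the same secret
// as the user's app, so it can produce exactly the code the user would enter.
func ServerCanMintCode(secret []byte, t time.Time) bool {
	userApp := TOTP(secret, t)
	serverSide := TOTP(secret, t) // same secret, same counter, same code
	return hmac.Equal([]byte(userApp), []byte(serverSide))
}

func main() {
	prover, verifier, err := NewParties()
	if err != nil {
		panic(err)
	}
	nonce, _ := verifier.Challenge()
	sig := prover.Respond(nonce)
	fmt.Println("genuine response accepted:", verifier.Accept(nonce, sig))

	nonce2, _ := verifier.Challenge()
	fmt.Println("replayed signature accepted:", verifier.Accept(nonce2, sig))
	forged, _ := ImpostorResponse(nonce2)
	fmt.Println("impostor accepted:", verifier.Accept(nonce2, forged))

	// Constructed input: the RFC 4226 test secret.
	secret := []byte("12345678901234567890")
	fmt.Println("TOTP now:", TOTP(secret, time.Now()), "server can mint it:", ServerCanMintCode(secret, time.Now()))
}
```

      With the RFC 4226 secret, counter 0 yields 755224 and counter 1 (Unix time 59) yields 287082, matching the RFC test vectors. The verifier side in the signature flow can reject a replay and an impostor, but it cannot produce an acceptable response itself; the TOTP server can.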

    • Xanza@lemm.ee · 16 hours ago (edited) · +3

      PGP keys gain trust the longer they’re used. But the likelihood that they’ve been compromised also increases with time. I wouldn’t say they get “less secure” with time. Also, you can very easily create a new identity under the same PGP key, and revoke a previous identity. Additionally, you can certify others’ keys by signing them with your own, increasing the WOT (web of trust) of the key, asserting that the key does in fact belong to the correct person.

      The keys are a bit more dynamic than you’re giving them credit for.

      There’s also F/OSS which has been designed to alleviate some of the usability issues with PGP keys, mainly Keybase.