*`sha256sum -c Qubes-<...>.iso.DIGESTS`: verify hashes match
---
## Secure Key Management 🔒
* You should assume your computer is compromised
* How do we protect the GPG private key?
* Never expose them to an untrusted environment
---
## Basic: On-board generation:
* YubiKey offers generating keys inside of the YubiKey
* Cryptographic attestation keys were never exposed available: https://developers.yubico.com/PGP/Attestation.html
* CON: can't back up the keys
* PRO: simple setup
---
## Advanced - cold / virtualization
* Can use `gpg` / `sq` / `keyfork`
* [Hashbang GPG Guide](https://book.hashbang.sh/docs/security/key-management/gnupg/): helpful guide for GPG - good resource for beginners who want to do the advanced setup
* [openpgp-card-tools](https://codeberg.org/openpgp-card/openpgp-card-tools): great for loading keys onto smart cards
* Can use a variety of smart cards: NitroKey3, SoloKey, Yubikey
* NitroKey and SoloKey are fully open which is great for verifiability - may requires flashing firmware
* [openpgp-card-tools](https://codeberg.org/openpgp-card/openpgp-card-tools) is helpful for loading the card
* Airgapped system (preferred)
* Virtual machine on a hypervisor via hardware virtualization (ok for some threat models)
---
## Backup Trick 🧙
* Generate long lived keys
* Load them onto smart card
* Take plaintext key data and put it in a dir
* Encrypt the dir to your public key
* Delete keys so that only ones that remain are on smart cards (recommended to have at least 2 or 3, for redundancy)
* Smart cards have a "brick" after x attempts feature
---
## SSH Usage
* OpenPGP keys can be used for SSH as well 🪄:
*`gpg --export-ssh-key <email/keyID>`
* Set up shell to use smart card for ssh:
```
# always use smart card for ssh
unset SSH_AGENT_PID
if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then