Giving up on PGP (Kinda)

Yesterday I read a short piece on PGP from ArsTechnica’s Filippo Valsorda entitled “I’m throwing in the towel on PGP”. It’s a great piece on the fact that PGP is still the pinnacle of security, but it’s just failed on everything around use-case and integration. Like him, I use PostBox for email, with Enigmail. I’ve maintained a set of keys for several years, regularly expiring and recreating them, but the only signed email I ever got was an annual notice from validating my domain.

Even doing everything half-right (I never did key-signing parties and all that), it still was mostly “security theater”. The keys sat on my laptop hard drive, and I had no way to access them from my phone or tablet. Every time I wanted to expire my key or adjust the expiration to push it out another year, I had to resort to arcane gpg command lines cut and pasted from StackOverflow. Odds are, I fubar’ed it more than once and I’m nowhere near as secure as I thought.

So in short, I’m giving up on it. I’ll keep things enabled for a while, but I’m not going to bother maintaining it like I have. Instead, we have better tools these days. I’ve set up Signal for encrypted instant messaging, and set up a ProtonMail account for email.

So, if you want to reach me via an encrypted channel, reach out to me normally (Facebook, Twitter DM, email, etc.) and I’ll share the details.
