OpenPGP provides cryptographic identity verification that doesn’t depend on centralized authorities. Your key pair—a private key you control and a public key you share—lets you sign messages, encrypt communications, and prove your identity across platforms.
Keyoxide extends this by creating verifiable links between your OpenPGP key and your online accounts. Anyone can verify that the same person controls your PGP key, your Bluesky account, your domain, and your other identities—without trusting a central service.
This guide covers generating modern OpenPGP keys, publishing them for discovery, and creating Keyoxide identity proofs.
Why This Matters
Traditional identity verification online is fragmented. You might have accounts on dozens of services, but nothing cryptographically links them. If someone impersonates you on a new platform, there’s no way to prove it’s not you.
Keyoxide solves this by letting you add signed claims to your OpenPGP key: “I control this Bluesky account,” “I control this domain,” etc. Anyone can verify these claims using your public key. No central authority required.
Generating a Modern OpenPGP Key
Modern best practice uses Curve25519 for encryption and Ed25519 for signing—these elliptic curve algorithms offer strong security with smaller keys and faster operations than RSA.
Using GPG
Generate a new key:
gpg --quick-generate-key "Your Name <your@email.com>" ed25519 cert neverThis creates a certification-only primary key using Ed25519. Now add subkeys for signing and encryption:
# Get your key fingerprint
gpg --list-keys --keyid-format long your@email.com
# Add signing subkey (Ed25519)
gpg --quick-add-key YOUR_FINGERPRINT ed25519 sign 2y
# Add encryption subkey (Curve25519)
gpg --quick-add-key YOUR_FINGERPRINT cv25519 encr 2yThe 2y sets a two-year expiration on subkeys. You can extend this later, but expiration dates encourage key hygiene and limit damage from compromised keys.
Viewing Your Key
List your keys:
gpg --list-keys --keyid-format long your@email.comOutput shows:
pub ed25519/0x1234567890ABCDEF 2026-02-03 [C]
Key fingerprint = ABCD 1234 5678 90AB CDEF 1234 5678 90AB CDEF 1234
uid [ultimate] Your Name <your@email.com>
sub ed25519/0xFEDCBA0987654321 2026-02-03 [S] [expires: 2028-02-03]
sub cv25519/0x1111222233334444 2026-02-03 [E] [expires: 2028-02-03]
The fingerprint (the long hex string) is your key’s unique identifier.
Publishing Your Key
For others to verify your signatures and send you encrypted messages, they need your public key.
Key Servers
Upload to the keys.openpgp.org server (the modern, privacy-respecting option):
gpg --keyserver keys.openpgp.org --send-keys YOUR_FINGERPRINTThis server requires email verification before publishing your email address, preventing spam.
Web Key Directory (WKD)
If you control a domain, you can serve your key directly. Create the file:
gpg --export your@yourdomain.com > pubkey.ascHost it at:
https://yourdomain.com/.well-known/openpgpkey/hu/[hash-of-local-part]
The hash calculation is specific—use gpg-wks-client or online WKD generators to compute it correctly.
DNS (OPENPGPKEY Record)
You can also publish your key as a DNS record:
# Generate the DNS record content
gpg --export your@yourdomain.com | base64 | tr -d '\n'Add an OPENPGPKEY record at [hash]._openpgpkey.yourdomain.com with the base64 content.
This requires DNSSEC for security.
Keyoxide Identity Proofs
Keyoxide proofs link your PGP key to accounts on other platforms. The mechanism is elegant:
- You add a signed notation to your PGP key claiming “I control account X”
- On platform X, you publish your key fingerprint in a discoverable location
- Anyone can verify both directions: the claim in your key and the proof on the platform
Adding Proof Notations
Proofs use the Ariadne notation format:
gpg --edit-key YOUR_FINGERPRINTAt the gpg> prompt:
notation
Enter the notation:
proof@ariadne.id=https://bsky.app/profile/yourhandle.bsky.social
Save and quit:
save
Proof Format Reference
Different platforms require different notation formats:
Bluesky:
proof@ariadne.id=https://bsky.app/profile/yourhandle.bsky.social
Then add your fingerprint to your Bluesky profile bio.
Domain (DNS):
proof@ariadne.id=dns:yourdomain.com?type=TXT
Add a TXT record to your domain:
openpgp4fpr:YOUR_FINGERPRINT_NO_SPACES
Mastodon/Fediverse:
proof@ariadne.id=https://mastodon.social/@yourhandle
Add your fingerprint to a profile field.
GitHub:
proof@ariadne.id=https://gist.github.com/yourusername/gist-id
Create a gist containing your fingerprint.
Hacker News:
proof@ariadne.id=https://news.ycombinator.com/user?id=yourusername
Add your fingerprint to your HN profile “about” section.
Twitter/X:
proof@ariadne.id=https://twitter.com/yourhandle
Include your fingerprint in your bio.
Multiple Proofs
Add as many proofs as you want:
gpg --edit-key YOUR_FINGERPRINT
gpg> notation
Enter the notation: proof@ariadne.id=https://bsky.app/profile/you.bsky.social
gpg> notation
Enter the notation: proof@ariadne.id=dns:yourdomain.com?type=TXT
gpg> notation
Enter the notation: proof@ariadne.id=https://github.com/yourusername
gpg> saveRe-uploading After Changes
After adding notations, re-upload your key:
gpg --keyserver keys.openpgp.org --send-keys YOUR_FINGERPRINTViewing Proofs on Keyoxide
Visit https://keyoxide.org/YOUR_FINGERPRINT to see your identity with all verified proofs.
Alternatively, search by email: https://keyoxide.org/your@email.com
Keyoxide fetches your key from key servers, reads the proof notations, and attempts to verify each claim by checking the linked platforms. Green checkmarks indicate verified proofs.
Managing Your Key Over Time
Extending Expiration
Before your subkeys expire, extend them:
gpg --edit-key YOUR_FINGERPRINT
gpg> key 1 # Select first subkey
gpg> expire
# Enter new expiration
gpg> key 2 # Select second subkey
gpg> expire
# Enter new expiration
gpg> saveThen re-upload your key.
Revoking Compromised Keys
If your key is compromised, generate a revocation certificate:
gpg --gen-revoke YOUR_FINGERPRINT > revoke.ascStore this somewhere safe (offline, encrypted backup). If needed later:
gpg --import revoke.asc
gpg --keyserver keys.openpgp.org --send-keys YOUR_FINGERPRINTAdding New UIDs
Add additional email addresses:
gpg --edit-key YOUR_FINGERPRINT
gpg> adduid
# Follow prompts
gpg> saveBacking Up Your Key
Export your private key (store securely!):
gpg --export-secret-keys --armor YOUR_FINGERPRINT > private-key.ascExport public key:
gpg --export --armor YOUR_FINGERPRINT > public-key.ascConsider storing the private key backup:
- In an encrypted container
- On offline storage
- In a password manager’s secure notes
- Split across multiple locations (advanced)
Signing and Encrypting
Signing Messages
Create a clearsigned message:
echo "This is my signed message" | gpg --clearsignSign a file:
gpg --sign document.txt # Binary signature embedded
gpg --clearsign document.txt # ASCII signature embedded
gpg --detach-sign document.txt # Separate .sig fileEncrypting Messages
Encrypt to a recipient:
echo "Secret message" | gpg --encrypt --armor --recipient recipient@email.comEncrypt a file:
gpg --encrypt --recipient recipient@email.com document.txtVerifying Signatures
Verify a signed message:
gpg --verify message.txt.sig message.txtIf the signer’s key is on your keyring and trusted, you’ll see confirmation of the valid signature.
Web of Trust vs. TOFU
OpenPGP traditionally used a “web of trust” model where users sign each other’s keys to vouch for identity. This proved impractical for most people.
Modern approaches prefer TOFU (Trust On First Use): you trust a key the first time you see it and verify it hasn’t changed since. Keyoxide proofs strengthen this by providing multiple independent verification paths.
Self-Hosting Keyoxide
Keyoxide is open source. If you prefer not to depend on keyoxide.org:
git clone https://codeberg.org/keyoxide/keyoxide-web.git
cd keyoxide-web
npm install
npm run buildHost the built files on your own server. Your proofs will verify just the same—they depend only on your key and the platforms you’ve linked, not on Keyoxide’s infrastructure.
Footnotes:
[1] Keyoxide Documentation: https://docs.keyoxide.org [2] Ariadne Identity Proofs: https://docs.keyoxide.org/wiki/ariadne-identity-proof/ [3] OpenPGP Best Practices: https://riseup.net/en/security/message-security/openpgp/best-practices [4] keys.openpgp.org: https://keys.openpgp.org/about [5] GnuPG Manual: https://www.gnupg.org/documentation/manuals/gnupg/