Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

GPG vs SSH keys

Tags:

security

github

ssh

ssh-keys

gnupg

On GitHub, I want to add a key to associate my computer with my account and I am given two options: create an SSH or a GPG key.

What is the difference between the two keys? and is there a preferred one to use?
I understand how to create both by following the guide on the site but I don't know which one is better to use.

like image 493
Domenick Avatar asked Jul 18 '18 23:07

Domenick

People also ask

Can I use GPG for SSH?

When you use SSH, a program called ssh-agent is used to manage the keys. To use a GPG key, you'll use a similar program, gpg-agent, that manages GPG keys. To get gpg-agent to handle requests from SSH, you need to enable support by adding the line enable-ssh-support to the ~/. gnupg/gpg-agent.

Is PGP the same as SSH key?

Are the two interchangeable, or is there a difference between the two? Even if they were, it's generally a bad idea to re-use the same key across multiple contexts. Both PGP and SSH support RSA public/private key pairs, so presumably it is possible.

What is GPG keys used for?

GnuPG (more commonly known as GPG) is an implementation of a standard known as PGP (Pretty Good Privacy). It uses a system of "public" and "private" keys for the encryption and signing of messages or data.

Can you use PGP key for SSH?

A YubiKey with OpenPGP can be used for logging in to remote SSH servers. In this setup, the Authentication subkey of an OpenPGP key is used as an SSH key to authenticate against a server. To ensure that the only way to log in is by using your YubiKey we recommend disabling password login on your SSH server.

Video Answer

1 Answers

I want to add a key to associate my computer with my account and I am given two options

You will need at least the SSH one, if you want to push back to your repository, using an SSH URL (since the public SSH key will authenticate you).
Start with SSH. See "Connecting to GitHub with SSH".

Later, you can use GPG to sign commits.

Vishwas M.R points out in the comments to "Why would I sign my git commits with a GPG key when I already use an SSH key to authenticate myself when I push?"

When you authenticate to Github with your SSH key, that authentication doesn't become part of the repository in any meaningful or lasting way.
It causes Github to give you access for the moment, but it doesn't prove anything to anyone who is not Github.

When you GPG-sign a Git tag, that tag is part of the repository, and can be pushed to other copies of the repository.
Thus, other people who clone your repository can verify the signed tag, assuming that they have access to your public key and reason to trust it.

like image 110
VonC Avatar answered Sep 19 '22 14:09

VonC
Sign in to Comment

Related questions

How to prevent a browser from storing passwords
Why should checking a wrong password take longer than checking the right one?
Why do salts make dictionary attacks 'impossible'?
Algid parse error, not a sequence
C - The %x format specifier
How to secure RESTful web services?
How can I protect MySQL username and password from decompiling?
Generating cryptographically secure tokens
How to enable DDoS protection?
Are JSON web services vulnerable to CSRF attacks?
Why is there no same-origin policy for WebSockets? Why can I connect to ws://localhost?
Random number in range [min - max] using PHP
How to validate domain credentials?
What command do I use to see what the ECDSA key fingerprint of my server is?
Is it safe to trust $_SERVER['REMOTE_ADDR']?
Non-random salt for password hashes
What security mechanisms does Meteor have? [closed]
How do you protect your software from illegal distribution? [closed]
What does it mean to escape a string?
iOS 11: ATS (App Transport Security) no longer accepts custom anchor certs?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!