[throwaway7767]

> When I receive a GPG encrypted email from a stranger, though, I immediately get the feeling that I don’t want to read it. Sometimes I actually contemplate creating a filter for them so that they bypass my inbox entirely, but for now I sigh, unlock my key, start reading, and with a faint glimmer of hope am typically disappointed.

I wonder what proportion of his plaintext email from strangers is interesting. For me it's close to 0%, mostly spam or people demanding I do free work to fix issues in open source code. I really doubt this has much to do with GPG mails specifically.

[lrvick]

To contrast this, in the last bug bounty page I set up I strongly suggested researchers gpg encrypt email to submit their findings. I really didn't want sensitive issues directly exposed to our entire support team.

As it turns out, the gpg encrypted emails which were only a small fraction of the ones we received, and made up the substantial majority of actionable issues we rewarded on.

If a security researcher is not capable of encrypting email to a public key, they probably are not bringing me anything worth my time to read.

[jandrese]

I wonder if he has an especially onerous password? It doesn't seem like it should be that big of a burden to pop in the password for an email. I guess he has it set for ultra-paranoid mode where you have to enter the password every time you even think about touching the mail.

I do agree that GPG has been largely a failure. A tool too general and too vaguely defined for the average user. A powerful tool but only really usable by crypto nerds. What's worse, the key distribution problem was never really solved and that's the most critical component of the entire system. Even today there are scant few email clients that will query the keyservers for you.

[lrvick]

Since my GPG subkeys are in my yubikey I literally just tap it to decrypt, ssh, or sign commits. I also plug my key into my phone and tap it to decrypt/sign email or decrypt passwords too.

I have sucessfuly migrated dozens of friends and engineering teams at 3 companies to daily use of gpg via this same non-intrusive setup.

GPG is fairly pain free (and far more secure) if you put in the one time effort to set up a security token.

[Jtsummers]

> I also plug my key into my phone and tap it to decrypt/sign email or decrypt passwords too.

I assume Android. How easy is this to set up?

https://www.yubico.com/support/knowledge-base/categories/art...

It seems to be a workable option with PGP/GPG, but do you have to plug it in per use rather than leave it in as this post says (to use the onscreen keyboard)?

[lrvick]

You can just set "always show virtual keyboard" in accessibility options (at least in in android 8.0+).

[Jtsummers]

I'm not, primarily, an Android user so I wasn't aware of that option. Thanks. I have a USB-A yubikey and just got a laptop with USB-C ports and an adaptor so I guess I'll give this a go on my backup Android phone tonight.

[jandrese]

Did you have your coworkers publish their public keys in the internet keyservers or did you have them all exchange their public keys by hand?

[lrvick]

Most of them do, however in multiple groups I have been part of we maintained a git repo containing all trusted public keys ready to batch import.

To make maintianing trust on this easy, all commits to this folder are made with commits signed by the owner of the respective key, and then a merge commit signed by a maintainer that verified it.

This makes it really easy for automation to have a source of trouth to check/validate commit signatures in other repos.

[Shoothe]

With GPG there are many more options: have internal keyserver, have "certification authority" key that signs new employee keys and everyone else trusts this authority (via trust signatures. For details see: https://www.linuxfoundation.org/blog/pgp-web-of-trust-delega...

[lmm]

Too many options, honestly. I'd love to see a widely agreed "basic profile" for GPG, so that everyone writing tutorials etc. would be suggesting the same thing.

[im3w1l]

The cryptographical ideas behind GPG are not flawed in principle, but the usability is absolutely atrocious and it's easy to get things wrong. I imagine that a good ux-designer or two could do wonders for it.