Yesterday I read a short piece on PGP from ArsTechnica’s Filippo Alsorda entitled “I’m throwing in the towel on PGP”. It’s a great piece on the fact that PGP is still the pinnacle of security, but it’s just failed on everything around use-case and integration. Like him, I use PostBox for email, with EnigMail. I’ve maintained a set of keys for several years, regularly expiring and recreating them, but the only signed email I ever got was an annual notice from Joker.com validating my domain.
Even doing everything half-right (I never did key-signing parties and all that), it still was mostly “security theater”. The keys sat on my laptop hard drive, and I had no way to access them from my phone or tablet. Every time I wanted to expire my key or adjust the expiration to push it out another year, I had to resort to arcane gpg command lines cut-and-paste from StackOverflow. Odds are, I fubar’ed it more than once and I’m nowhere as secure as I thought.
So in short, I’m giving up on it. I’ll keep things enabled for a while, but I’m not going to bother maintaining it like I have. Instead, we have better tools these days. I’ve setup Signal for encrypted instant messaging, and setup a ProtonMail account for email.
So, if you want to reach me via an encrypted channel.. Reach out to me normally (Facebook, twitter DM, email, etc) and I’ll share the details.