samsapti.dev/content/keys.md

---
title: "My Cryptographic Keys"
---

## PGP key

My public PGP key is the following:

```txt
pub   ed25519/0x3FC96B835B918FC3 2022-05-28 [C] [expires: 2024-05-27]
      Key fingerprint = 7D80 F5D8 4022 B8F5 E030  CC3E 3FC9 6B83 5B91 8FC3
uid                   [ unknown] Sam Al-Sapti <sam@sapti.me>
uid                   [ unknown] Sam Al-Sapti <sals@itu.dk>
sub   ed25519/0xCBBBE7371E81C4EA 2022-05-28 [S] [expires: 2022-11-24]
      Key fingerprint = 758F 1A17 C803 5FD9 3912  C9E2 CBBB E737 1E81 C4EA
sub   cv25519/0x914289689CF45D4F 2022-05-28 [E] [expires: 2022-11-24]
      Key fingerprint = 20D2 BBB4 63CA 6CB6 F295  F2BA 9142 8968 9CF4 5D4F
sub   ed25519/0x899C7CF4B526656F 2022-05-28 [A] [expires: 2022-11-24]
      Key fingerprint = FA9B 317E D1D3 4906 46CC  D154 899C 7CF4 B526 656F
```

You can download it [here](/pgp.asc) or from your preferred keyserver.

<details>
  <summary>
    How I keep my private key safe
  </summary>

  ### Master key

  My private master key is only used for the following purposes:

  - Add or revoke UIDs
  - Add or revoke subkeys
  - Change expiry for subkeys or the master key itself
  - Sign other keys

  My private master key is only ever accessed on an airgapped machine,
  with no internet or wireless communication capabilities (all wireless
  components physically removed), no camera or microphone and no
  persistent storage. This airgapped machine is booted with the latest
  version of [Tails OS](https://tails.boum.org). The master key is
  protected by a long and secure passphrase and stored on an encrypted
  storage medium, which itself is stored in a safe place.
  
  ### Subkeys

  My subkeys are stored on an OpenPGP smartcard for daily use. The
  smartcard makes sure that the local machine never has direct access to
  the keys. It is protected by a pin-code and requires a physical touch
  on every cryptographic operation.

  ### Revocation and expiry

  I usually set my master key to be valid for 2 years at a time. I will
  always extend it at least 1 week prior to the expiry date. The same
  goes for my subkeys, which are set to be valid for 6 months at a time.

  If my keys are ever compromised, I have a revocation certificate,
  stored in a safe place, that I will publish to this website and
  various keyservers.

</details>

<details>
  <summary>
    Key signing policy
  </summary>

  ### Certification levels

  These are the certification levels I use to sign other keys, and the
  requirements for each level.

  #### Level 0: Generic verification (`sig`/`0x10`)
  
  This certification level is used if I have somehow verified that you
  are in control of the email address(es) of the UID(s) to be signed.
  No assertions are made about your identity.
  
  #### Level 1: No verification (`sig1`/`0x11`)
  
  This certification level is used when I have not safely verified you
  as the keyholder, but I merely _believe_ that you own the key in
  question.
  
  #### Level 2: Casual verification (`sig2`/`0x12`)
  
  This certification level is used when I have verified your identity
  with at least one form of photo ID (government-issued or equally
  secure), that your identity matches that of the UID(s) to be signed,
  and that you are in control of the email address(es) of the UID(s) to
  be signed.
  
  #### Level 3: Extensive verification (`sig3`/`0x13`)
  
  This certification level is used when I am _absolutely sure_ that you
  are in fact the keyholder. This means that either you are someone I
  know personally and trust, or that someone I ultimately trust have
  notified me that you want a signature and have given me your key
  fingerprint in a secure manner.

  ### Signing process

  The signing process consists of 2 steps:

  1)  Verification will take place either in person or over video call.
      If we meet in person, you will give me a physical copy of your key
      fingerprint. If verification takes place over video call, you will
      give me your key fingerprint verbally.
  2)  You will have to send me your public key from the email address
      associated with one of the UIDs to be signed. The email has to be
      signed. I will then sign the key and send it back to the same
      email address in encrypted form.

</details>

## SSH key

If you need to give me shell access to your server or similar, please
use the following public SSH key:

```txt
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf
```

<details>
  <summary>
    PGP signed version
  </summary>

  ```txt
  -----BEGIN PGP SIGNED MESSAGE-----
  Hash: SHA512

  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf

  -----BEGIN PGP SIGNATURE-----

  iHUEARYKAB0WIQR1jxoXyANf2TkSyeLLu+c3HoHE6gUCYsQ0LAAKCRDLu+c3HoHE
  6lEJAQD0T22AX57+RCqdmhfqOGHLns58k7IOEdhH/xz8jRxYBgD/dJyi6mwrDVZY
  fCv+jdgoLDtMr83OKq9fzr0yG9Qh9QM=
  =KEVz
  -----END PGP SIGNATURE-----
  ```
</details>

You can download it [here](/ssh.pub).