diff --git a/content/keys.md b/content/keys.md
index a271069..a994b81 100644
--- a/content/keys.md
+++ b/content/keys.md
@@ -21,6 +21,98 @@ sub ed25519/0x899C7CF4B526656F 2022-05-28 [A] [expires: 2022-11-24]
You can download it [here](/pgp.asc) or from your preferred keyserver.
+
+
+ How I keep my private key safe
+
+
+ ### Master key
+
+ My private master key is only used for the following purposes:
+
+ * Add or revoke UIDs
+ * Add or revoke subkeys
+ * Change expiry for subkeys or the master key itself
+ * Sign other keys
+
+ My private master key is only ever accessed on an airgapped machine,
+ with no internet or wireless communication capabilities, no camera or
+ microphone and no persistent storage. This airgapped machine is booted
+ with the latest version of [Tails OS](https://tails.boum.org). The
+ master key is protected by a long and secure passphrase and stored on
+ an encrypted storage medium, which itself is stored in a safe place.
+
+ ### Subkeys
+
+ My subkeys are stored on an OpenPGP smartcard for daily use. The
+ smartcard makes sure that the local machine never has direct access to
+ the keys. It is protected by a pin-code and requires a physical touch
+ on every cryptographic operation.
+
+ ### Revocation and expiry
+
+ I usually set my master key to be valid for 2 years at a time. I will
+ always extend it at least 1 week prior to the expiry date. The same
+ goes for my subkeys, which are set to be valid for 6 months at a time.
+
+ If my keys are ever compromised, I have a revocation certificate,
+ stored in a safe, that I will publish to this website and various
+ keyservers.
+
+
+
+
+
+ Key signing policy
+
+
+ ### Certification levels
+
+ These are the certification levels I use to sign other keys, and the
+ requirements for each level.
+
+ #### Level 0: Generic verification (`sig`/`0x10`)
+
+ This certification level is used if I have somehow verified that you
+ are in control of the email address(es) of the UID(s) to be signed.
+ No assertions are made about your identity.
+
+ #### Level 1: No verification (`sig1`/`0x11`)
+
+ This certification level is used when I have not safely verified you
+ as the keyholder, but I merely _believe_ that you own the key in
+ question.
+
+ #### Level 2: Casual verification (`sig2`/`0x12`)
+
+ This certification level is used when I have verified your identity
+ with at least one form of photo ID (government-issued or equally
+ secure), that your identity matches that of the UID(s) to be signed,
+ and that you are in control of the email address(es) of the UID(s) to
+ be signed.
+
+ #### Level 3: Extensive verification (`sig3`/`0x13`)
+
+ This certification level is used when I am _absolutely sure_ that you
+ are in fact the keyholder. This means that either you are someone I
+ know personally and trust, or that someone I ultimately trust have
+ notified me that you want a signature and have given me your key
+ fingerprint in a secure manner.
+
+ ### Signing process
+
+ The signing process consists of 2 steps:
+
+ 1) Verification will take place either in person or over video call.
+ If we meet in person, you will give me a physical copy of your key
+ fingerprint. If verification takes place over video call, you will
+ give me your key fingerprint verbally.
+ 2) You will have to send me your public key from the email address
+ associated with one of the UIDs to be signed. I will then sign the
+ key and send it back to the same email address in encrypted form.
+
+
+
## SSH key
If you need to give me shell access to your server or similar, please
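Review bot: In the "Signing process" list, step 2 never says that the fingerprint of the key received by email is compared against the fingerprint given in step 1 before signing, so the check that ties the two steps together is only implied. State it explicitly, for example "I will compare the fingerprint of the received key with the one you gave me in step 1 and sign only if they match." Step 1 also does not mention the photo ID check that Level 2 requires, so it is unclear when that happens. Separately, Level 1 (`0x11`, "No verification") is described as weaker than Level 0 (`0x10`), which does verify email control; a sentence noting that the level numbers are not ordered by assurance would prevent misreading. In Level 3, "someone I ultimately trust have notified me ... and have given me" should read "has".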
@@ -30,4 +122,25 @@ use the following public SSH key:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf samsapti_yubikey_ssh
```
+
+
+ PGP signed version
+
+
+ ```txt
+ -----BEGIN PGP SIGNED MESSAGE-----
+ Hash: SHA512
+
+ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf samsapti_yubikey_ssh
+
+ -----BEGIN PGP SIGNATURE-----
+
+ iHUEARYKAB0WIQR1jxoXyANf2TkSyeLLu+c3HoHE6gUCYqeuFwAKCRDLu+c3HoHE
+ 6tTqAQDhUokTzNxn4h06UKCbggtTG3EpMrbgNT2HUQugpD6t7gEA6IleDY/aubyT
+ Giy/YDkzUoJlVghNq0rU+DcSC1dLzQs=
+ =FjyX
+ -----END PGP SIGNATURE-----
+ ```
+
+
You can download it [here](/ssh.pub).
\ No newline at end of file
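Review bot: The "PGP signed version" block does not say which key produced the signature or how a reader should check it, so the clearsigned text gives little assurance beyond the plain key above it. Add a sentence naming the signing key by its fingerprint as listed in the PGP section of this page. The SSH public key now appears twice in this file and again in `/ssh.pub`, which the last line still links unsigned; consider linking a signed copy as well and noting that all three must be updated together on rotation.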