Overview of my PGP key infrastructure

12.07.2025

I recently added a new page for this site: onnilampi.fi/keys. The page contains a list of all PGP keys I've used in the past, as well as the ones currently being used by me. Most notably, one of the old keys is the one I used with Proton Mail for almost 10 years, and recently retired as I moved away from using Proton Mail as my "main" email provider. The move away from Proton Mail was not directly related to PGP, but mostly driven by an unsatisfactory UX that's been bugging me for a while. This being said, I will keep using Proton Mail for more anonymous communications in the future as well, as I'm very happy about the service in general. It just didn't really fit the bill for my personal preference of Thunderbird-based email.

Anyway, back to the topic of PGP keys. As I like to do, I started this small project by listing a bunch of requirements I wanted to fulfill:

Luckily, the venerable Thunderbird is nowadays equipped with pretty much everything I need to achieve those goals. Things that Thunderbird doesn't automatically achieve, I pretty much need to handle with some process anyway. As icing on the cake, Thunderbird stores the keys in a format that's directly usable by GnuPG. All I have to do is declare the profile directory as the GnuPG home directory: gpg --homedir ~/.thunderbird/profile_dir_name and everything works seamlessly. Now, I don't really use GnuPG to manage the email keys (more on that later), but the compatibility is handy for exporting, importing and modifying the keys, if necessary.

The lifecycle of a PGP key looks roughly like this in my setup:

  1. A key is generated with Thunderbird with an expiration time of a year or two.
  2. The newly generated key is shipped to keys.openpgp.org from the Thunderbird UI.
  3. I receive a link via email that's used to confirm the pairing between the email address in question and that particular key. This immediately ensures that the key is available from that service by simply querying my email address.
  4. The key is actively used, and its public part is added as an attachment to all outgoing emails. Also, all outgoing email is cryptographically signed with the corresponding private part of the key.
  5. Once the key expiration time approaches, the key is revoked. This is the only situation where the key is allowed to be moved, for example in a situation where the OS is re-installed.
  6. A new key is generated, and the old, now revoked, key becomes part of the legacy keys that are shipped alongside the new public key.
  7. The private part of the old key is left untouched, and deleted after some time.
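Step 5 depends on noticing that a key is about to expire. As an added example that is not part of the original post, here is a small Python check that reads the machine-readable listing GnuPG produces for the Thunderbird profile (gpg --homedir ~/.thunderbird/profile_dir_name --with-colons --list-keys) and classifies each primary key as revoked, expired, expiring soon or ok. The sample listing, key IDs, user IDs and timestamps are constructed, and the 30-day warning window is an assumption.

```python
"""Flag OpenPGP keys in a GnuPG homedir that are revoked, expired or close to expiry."""
import subprocess
import time

# Constructed sample of `gpg --with-colons --list-keys` output (placeholder key IDs).
# pub fields: 1=record type, 2=validity (r=revoked, e=expired, u=ultimate),
# 5=key ID, 6=creation (unix time), 7=expiry (unix time, empty = never).
SAMPLE_LISTING = """\
tru::1:1730000000:0:3:1:5
pub:r:255:22:PLACEHOLDER00000001:1600000000:1663200000::u:::scESC::::::23::0:
uid:r::::1600000000::PLACEHOLDERFPR1::Old Key (revoked) <old@example.org>::::::::::0:
pub:e:255:22:PLACEHOLDER00000002:1640000000:1650000000::u:::scESC::::::23::0:
uid:e::::1640000000::PLACEHOLDERFPR2::Lapsed Key <lapsed@example.org>::::::::::0:
pub:u:255:22:PLACEHOLDER00000003:1700000000:1731500000::u:::scESC::::::23::0:
uid:u::::1700000000::PLACEHOLDERFPR3::Current Key <me@example.org>::::::::::0:
pub:u:255:22:PLACEHOLDER00000004:1729000000:1790000000::u:::scESC::::::23::0:
uid:u::::1729000000::PLACEHOLDERFPR4::Fresh Key <me@example.org>::::::::::0:
"""
NOW = 1730000000  # constructed "current time" so the sample classifies deterministically


def parse_colon_listing(text):
    """Return one dict per primary key with its validity flag, expiry and user IDs."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"keyid": f[4], "validity": f[1],
                         "expires": int(f[6]) if f[6] else None, "uids": []})
        elif f[0] == "uid" and keys:
            keys[-1]["uids"].append(f[9])
    return keys


def classify(key, now, warn_days=30):
    """Revocation wins over expiry; a missing expiry means the key never expires."""
    if key["validity"] == "r":
        return "revoked"
    if key["expires"] is None:
        return "never-expires"
    if key["validity"] == "e" or key["expires"] <= now:
        return "expired"
    if key["expires"] - now <= warn_days * 86400:
        return "expiring-soon"
    return "ok"


def report(text, now=None, warn_days=30):
    """Map key ID -> state for every primary key in a --with-colons listing."""
    now = int(time.time()) if now is None else now
    return {k["keyid"]: classify(k, now, warn_days) for k in parse_colon_listing(text)}


def report_homedir(homedir, warn_days=30):
    """Run gpg against a homedir (e.g. the Thunderbird profile) and classify its keys."""
    out = subprocess.run(["gpg", "--homedir", homedir, "--with-colons", "--list-keys"],
                         capture_output=True, text=True, check=True)
    return report(out.stdout, warn_days=warn_days)
```

Running report_homedir on the profile directory periodically turns "the expiration time approaches" into a concrete list of keys to revoke and replace.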

This approach is practically 100% driven by the sublimely good Thunderbird UI, which is able to facilitate all of the mentioned steps automatically. Only in a situation where I permanently lose access to the keys unexpectedly do I need to accept the fact that I can't explicitly revoke a key. Even in that situation, I'm still able to just start over, import all the public keys I had from a backup (which doesn't contain the private keys), and upload the newly created key to the keys.openpgp.org portal. I do have to accept the fact that a key which is technically still valid remains in circulation, but a relatively short key expiration interval should limit that adequately. I might eventually shorten that interval to something like 6 months, but that remains to be seen.

In summary, I'm nowadays completely independent from any individual email provider when it comes to encrypting my emails, which is cumbersome but also kinda neat.
