GPG support? (like SSH)

2»

Comments

  • thefyrfli
    thefyrfli
    Community Member

    +1

  • doubleforte
    doubleforte
    Community Member

    +1

  • To all the +1'ers in this thread: it would be helpful if you could also describe what you're doing now that requires GPG.

  • ionos
    ionos
    Community Member

    I think it has all been mentioned before on this thread, but here it does:

    • File encryption (e.g. for archiving sensitive information)
    • Git comment signing (we prefer it over signing with SSH keys)
    • Email encryption/signing

    Cheers,
    -i

  • axelitus
    axelitus
    Community Member

    I would love to see support for GPG!

    As previously stated by some, I use GPG for signing commits with GIT (I also prefer it over SSH keys).

  • What are the benefits you're seeing of using GPG over SSH for commit signing?

  • ionos
    ionos
    Community Member

    @floris_1P

    top of my head:

    • key servers for verification, web of trust (an SSH commit signature by itself means nothing, if I don't know the key)
    • existing workflows based on GPG
    • subkeys
  • Thanks for your feedback @ionos!

    Jack

  • [Deleted User]
    [Deleted User]
    Community Member

    +1 for this. Even with SSH signing I'd love GPG support for email among other things. It would beat adding my key as a file.

  • Nezteb
    Nezteb
    Community Member

    Chiming in to echo that I'd love GPG support!

  • kherge
    kherge
    Community Member

    After having the pleasure of using 1Password's SSH agent, I am also very excited about the possibility of using my GnuPG keys with 1Password and a GnuPG agent. SSH is nice, but I value GnuPG's sub keys support greatly.

    • I generally manage my identity with GnuPG keys, not SSH keys.
    • It's already been mentioned, but key servers for verification is great.

      • The ability to publish and revoke these keys.
    • Being able to create distinct sub keys allows me to avoid using a master key.

      • I can sign for things using dedicated signing keys.
      • I can encrypt things using dedicated encryption keys.

    From what I understand, if you wanted any of this without GnuPG you would have to use certificates and certificate authorities.

  • joe232
    joe232
    Community Member

    GnuPG/PGP is almost entirely different from SSH. Having one does not make up for not having the other. The whole point of 1password is to support all of these different tools in one system. Please stop distracting with SSH and just implement similar GnuPG support.

  • owenvoke
    owenvoke
    Community Member

    Would love to have support for GnuPG / PGP as well. Been using it for years for commit signing, file encryption / signatures, and for communication.

  • Ryan Parman
    Ryan Parman
    Community Member

    I started watching this issue 15 months ago, shortly after it was opened.

    • I use GPG for signing my Git commits
    • I use it for signing/encrypting emails
    • I use it with GoReleaser to generate GPG signatures for software packages I release
    • I use it with Keybase.io
    • I use it to encrypt new credentials for people who do not yet have a password manager, so that I can send them over Slack and email.

    In the interim, I've been using GPG Tools (macOS) with pinentry-touchid for a reasonably modern GPG experience.

  • itsTyrion
    itsTyrion
    Community Member
    edited May 2023

    GPG/PGP offers various features for security & privacy. It supports keyservers (are there good methods/servers for doing that with SSH keys?), making it convenient to publish your key.
    Additionally, it allows the use of revocation certificates and the creation of master and sub keys, which can be particularly beneficial for organizations. With GPG/PGP, you have the ability to sign commits, as well as sign and encrypt emails, text, individual files, and git commits.

    Furthermore, GPG/PGP can be used to securely share credentials with others, even when using platforms or channels that may not prioritize privacy, using their pub key, obtained from e.g. keybase.

    Finally, it's worth noting that while SSH keys can be used to sign git commits, the level of trust is not as meaningful as a GPG one, due to the absence of infrastructure like keybase, which verifies the authenticity of the signer.

  • XIII
    XIII
    Community Member

    Finally, it's worth noting that while SSH keys can be used to sign git commits, the level of trust is not as meaningful as a GPG one, due to the absence of infrastructure like keybase, which verifies the authenticity of the signer.

    Apparently that’s even an (user…) issue with GPG:

    https://blog.pypi.org/posts/2023-05-23-removing-pgp/

  • sannidhyz
    sannidhyz
    Community Member

    GPG keys can not only be used for signing commits but also used to sign and encrypt files, emails and other data. We'd love to see GPG support in 1Password.

  • TomC603
    TomC603
    Community Member

    I'd like to clarify my specific part of wanting GPG support. I'd like to have 1PW serve as my gpg-agent process much like it serves as my ssh-agent. This way, when I attempt to use an agent feature, I'm prompted for my password and the agent provides the necessary key. Additionally, having an option to require the 1PW password whenever a key is used similar to a Credit Card entry would be nice!

    I feel like one of the advantages GPG keys offer over SSH keys for signing content is the availability of sub keys for different personas. For example, I'm the same person at work and in personal life, but I can have separate keys for both personas as subkeys to my main key. This is how maintainers of several Linux distributions are encouraged to use GPG, and it seems generally like a good practice. Additionally, as already mentioned, GPG can be used to sign and encrypt email, text files, backups, and a host of other things beyond simply signing git commits. GPG public keys are also discoverable, which makes them much easier to use for communication purposes.

    Thanks for all the great work on 1PW so far!

  • dimashpt
    dimashpt
    Community Member

    +1!

  • aleon1220
    aleon1220
    Community Member

    +1 but maybe support for other encryption mechanisms and certificates as well. thanks

  • stefanlex90
    stefanlex90
    Community Member

    +1

  • faluffy
    faluffy
    Community Member
    edited December 2023

    +1 (also for @aleon1220s recommendation)

    It would be very helpful to derive the public key from the secret, so you can easily access it while securely store the private key.

    gpg-agent integration would be awesome! (I guess this is what most mean with "like ssh")

  • bpacia
    bpacia
    Community Member

    +1 to this request.

    I would love to see 1Password have a built-in GPG agent, just like it does currently for SSH. It's an awesome, seamless, cross-platform experience, both in GUI and in command-line. Please bring it to us!

  • jayt
    jayt
    Community Member

    +1 for sure!

  • thystips
    thystips
    Community Member

    +1

    For storing GPG keys in clean way.

  • razvanpascalau
    razvanpascalau
    Community Member
    edited February 19

    +1 for having a clean gpg management solution

  • RogueScholar
    RogueScholar
    Community Member

    As others have stated here already, I use GPG-based signing and encryption for the following activities:

    • E-mail signing (majority use case) and encryption (not-insignificant minority)
    • As the framework for securing on-site incremental system backups and the occasional full volume images
    • To authenticate the end product of packaging efforts for various and sundry Linux distribution package archives (this one's the doozy of the bunch)
    • Securing P2P file transfers and shares over otherwise less-secure services (e.g. Dropbox, OneDrive, LocalSend, et al.)

    Also echoing several others in this thread, the primary functionality that I seek is really the gpg-agent service and less so the key pair generation and management, although ideally they would at some future time all be present in 1Password. Just to be able to import public and private keys exported as individual files (whether binary or ASCII-armored) and have 1P recognize them, display their identifying characteristics (algorithm, key size, fingerprint and comment) and serve them up in response to the standard gpg-agent calls would be more than enough to have me purring like a kitten for a good long while, though. It's the ability to have them available on all my devices in the same manner that 1P already does for other credentials that I'm so sorely lacking in my current workflows; it wouldn't be an onerous hardship to handle the tasks like key signing, subkey and identity addition/revocation and expiration changes with the tools I already have in place so long as in the end the updated key pairs could be returned to 1P and made use of from my other devices.

    I hope that provides the clarification you were asking for, @floris_1P, if not, I can get more granular.

  • mrclrchtr
    mrclrchtr
    Community Member

    +1
    git-crypt

  • Ryan Parman
    Ryan Parman
    Community Member

    I use GPG for git signing and for email sending. Yes, I could change to use SSH for git signing (six in one hand; half-dozen in the other), and S/MIME for email encryption (more difficult than GPG).

    At present, I use https://gpgtools.org (macOS) for managing all of my GPG keys, and the GPG keys of contacts and services. I also use https://github.com/jorgelbg/pinentry-touchid for using Touch ID instead of having to lookup and type in a password. It's not a bad solution at all, and may be a good choice in the interim for people who are still waiting on this support in 1Password.

    I have no idea if this feature will come to 1Password or not. All I know is that this thread was started 2 years ago, and we still do not have it in any shipping release. I have low expectations about this becoming a reality, so I've moved on. There are other tools that solve this just as well — it doesn't need to be baked into 1Password if the company doesn't want to do it.

    ¯_(ツ)_/¯

  • LukasW
    LukasW
    Community Member

    +1
    I require GPG for commit signing with eclipse/jgit, which as far as I can tell does not support SSH signing