Configure GnuPG

Once you're running under Tails with the Persistent Storage partition unlocked, there are a few GnuPG settings you should configure.

Key ID display format

This will make GnuPG show all keys as their full 160-bit fingerprints, rather than the 32- or 64-bit "short" versions.

This isn't technically required, but I recommend it. The chances of a collision (i.e. two different PGP keys which have, or appear to have, the same fingerprint) are much smaller when you're seeing the full fingerprint.

In $HOME/.gnupg/gpg.conf

  • Replace "keyid-format 0xlong" with "keyid-format none".

    # Display long key IDs
    #keyid-format 0xlong
    keyid-format none
    

    ℹ️ At first glance this may seem strange, but this option controls how key IDs are displayed immediately after the algorithm (e.g. "rsa4096/0xDEADBEEF" vs "rsa4096/0xBADDF00DDEADBEEF"). The option below will make gpg show the full fingerprints, in a format without any extra spaces, so we don't need to see a "short version" of the Key ID.

  • Replace "with-fingerprint" with "with-subkey-fingerprints".

    # List all keys (or the specified ones) along with their fingerprints
    #with-fingerprint
    with-subkey-fingerprints
    

Old format:

pub   ed25519/0x5A6C4588132E97A6 2023-05-23 [C] [expires: 2024-01-01]
      Key fingerprint = 2A9E 767B A8BD E849 331B  4064 5A6C 4588 132E 97A6
uid                   [ultimate] Sample <please@dont-spam.us>
sub   ed25519/0x91EF268465FA9390 2023-05-23 [S] [expires: 2024-01-01]
sub   rsa4096/0xB17819416F1A3202 2023-05-23 [E] [expires: 2024-01-01]

New format:

pub   ed25519 2023-05-23 [C] [expires: 2024-01-01]
      2A9E767BA8BDE849331B40645A6C4588132E97A6
uid           [ultimate] Sample <please@dont-spam.us>
sub   ed25519 2023-05-23 [S] [expires: 2024-01-01]
      76581737ABBD19552BFC7D8D91EF268465FA9390
sub   rsa4096 2023-05-23 [E] [expires: 2024-01-01]
      57DAE100A563EDF02E3C71EAB17819416F1A3202
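
The two gpg.conf edits above, as an added shell example that is not part of the original page: it comments out the old lines, appends the replacements, and checks that no leftover keyid-format line conflicts with them. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical.

# Constructed sample with the two default lines this page says to replace.
demo_conf() {
    printf '%s\n' '# Display long key IDs' 'keyid-format 0xlong' \
        '# List all keys (or the specified ones) along with their fingerprints' \
        'with-fingerprint'
}

# Succeed only if both settings from this page are active in file $1.
gpg_conf_ok() {
    # An uncommented "keyid-format none" must be present ...
    grep -Eq '^[[:space:]]*keyid-format[[:space:]]+none[[:space:]]*$' "$1" || return 1
    # ... and no other uncommented keyid-format line may conflict with it.
    grep -E '^[[:space:]]*keyid-format[[:space:]]' "$1" |
        grep -Evq '[[:space:]]none[[:space:]]*$' && return 1
    # gpg accepts both the singular and plural spelling of this option.
    grep -Eq '^[[:space:]]*with-subkey-fingerprints?[[:space:]]*$' "$1"
}

# Comment out the old lines in file $1 and append the replacements.
harden_gpg_conf() {
    gpg_conf_ok "$1" && return 0            # already configured: change nothing
    tmp=$(mktemp) || return 1
    sed -E \
        -e 's/^[[:space:]]*(keyid-format[[:space:]].*)$/#\1/' \
        -e 's/^[[:space:]]*(with-fingerprint)[[:space:]]*$/#\1/' \
        -e '/^[[:space:]]*with-subkey-fingerprints?[[:space:]]*$/d' \
        "$1" > "$tmp" || { rm -f "$tmp"; return 1; }
    printf '%s\n' 'keyid-format none' 'with-subkey-fingerprints' >> "$tmp"
    # Write through the existing file so its owner and mode are preserved.
    cat "$tmp" > "$1" && rm -f "$tmp"
}

# Demo on a throwaway copy; pass the real path to harden_gpg_conf yourself.
demo=$(mktemp) && demo_conf > "$demo" && harden_gpg_conf "$demo" && cat "$demo"
rm -f "$demo"
```

Running `harden_gpg_conf "$HOME/.gnupg/gpg.conf"` a second time leaves the file unchanged, because the check at the top returns early once both options are active.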

Keyserver

The PGP keyserver that Tails configures by default is a Tor "onion" address which connects to keys.openpgp.org. This keyserver allows keys to be uploaded, and other people can download them if they know the Key ID, but the keys are not "searchable" by name or email address until those identities are verified.