Last Page Update: March 28, 2017
Last Major Key Update: January 30, 2017

You’re probably here because you either 1) received an email from me with a signature.asc attachment or a crazy BEGIN PGP SIGNATURE section at the bottom, or 2) received a business card from me with some PGP information on it


Long story short: “PGP” or “GPG” is a protocol and a set of software that allows people to encrypt messages to one another. It also allows people to “sign” messages so other people who use PGP software can tell — with 100% certainty — that the email actually comes from the sender (it hasn't been forged) and that the message arrived without being edited while in transit.

I'm still working on a legitimate “peoples’ guide to PGP”, but here are some links you can look at:


0x6E0E9923 is my primary PGP key — click here to download it. You can corroborate the legitimacy of this key by finding it on other sources, by verifying it with me in another medium, and checking Keybase which contains some key+account ownership proofs via my Twitter, my GitHub, and other online profiles. This key is also available on most keyservers and on my ProPublica staff profile. You should also check the "full" key fingerprint to ensure that you have the correct key:

$ gpg --list-keys --fingerprint --fingerprint 0xA993E7156E0E9923
pub   8192R/0x6E0E9923 2013-07-19 [expires: 2018-01-31]
      Key fingerprint = 4034 E60A A782 7C5D F21A  89AA A993 E715 6E0E 9923
uid       Mike Tigas <mike@tig.as>
uid       Mike Tigas <mike.tigas@propublica.org>
uid       Mike Tigas <tigas@protonmail.ch>
uid       Mike Tigas <mike.tigas@nyu.edu>
sub   4096R/0x95DA684A 2016-04-24
      Key fingerprint = 1B37 D532 EDD4 869B 1C7B  C39A 14B8 78BA 95DA 684A
sub   4096R/0x0F20BBD2 2016-04-24
      Key fingerprint = 74FD 6CD6 BA44 42A0 0323  1146 3980 AA6B 0F20 BBD2

The root 0x6E0E9923 identity key is stored offline for safety. The current subkeys 0x95DA684A and 0x0F20BBD2 are used for everyday signing and encryption operations.

There are some older subkeys attached to the PGP key, all of which are revoked and no longer used. You may see them, depending on how you are viewing my key:

sub   8192R/0x7E745064 2013-12-24 [revoked: 2015-03-12]
      Key fingerprint = 0F3B 15DC 3F8A 34CD B9D5  497C ECB8 6729 7E74 5064
sub   8192R/0xE55F7656 2013-07-19 [revoked: 2015-03-12]
      Key fingerprint = 73E4 3A10 3D21 A962 0E5C  41F0 B09C CE88 E55F 7656
sub   2048R/0x5410F8C4 2015-03-12 [revoked: 2016-04-24]
      Key fingerprint = A577 FE9F 0CCA 8AC7 2845  A101 8DE8 FCA6 5410 F8C4
sub   2048R/0xA7F9FB72 2015-03-12 [revoked: 2016-04-24]
      Key fingerprint = DEEF 6A2C 795F 11D0 13E8  B17A 641D 4E3A A7F9 FB72

The key expires on a scheduled basis (next: January 31, 2018) and will be refreshed at some point (no more than six months, and no less than two weeks) before the scheduled expiry date; if you've found that it's expired on your computer, come back here and download it again or refresh it from a keyserver.

If you’re really crazy about this stuff, you can read my key signing policy.

-Mike Tigas [web] [twitter]