Kerberos PGP Setup & Verification

/1 – Generate Your PGP Keypair

Download and install GnuPG or Kleopatra (Gpg4win on Windows; native GnuPG on Linux /macOS). Use 2048 or 4096‑bit RSA keys for compatibility. Example command: gpg --full-generate-key. Choose an identity that does not reveal personal information – pseudonymous handles are recommended.

/2 – Export and Backup

Use gpg --export-secret-keys > mykey.asc and store backups offline on encrypted media. Do not upload private keys to cloud storage. Keep one air‑gapped copy for recovery and one live copy for daily operations. Record fingerprints and creation dates on paper for verification.

/3 – Import Kerberos Keys

Retrieve the official Kerberos administrator key from the links.html section or public PGP servers. Then import it via gpg --import kerberos_admin.asc. Compare the fingerprint from output with the fingerprint published in our documentation. If they match, trust level can be set to ultimate using gpg --edit-key trust.

/4 – Verify Signatures

To check signed Kerberos messages, save the file and run gpg --verify message.sig message.txt. If the signature belongs to Kerberos admin and matches the listed fingerprint, the message is authentic. Reject email or onion addresses sent without cryptographic proof.

/5 – Optional Key Usage Automation

Advanced users can integrate PGP verification scripts directly into their browser via Tampermonkey or manual Python checks through gnupg API. Never allow web scripts to access private keys — only verify signatures locally.

Kerberos documentation team encourages users to consider PGP as mandatory — not optional. Integrity and authenticity are two pillars of the Kerberos ecosystem that enable trust without centralization.