Would it be possible to add similar support for GPG keys?

I'm still super interested in this because I'd like to be able to more natively use 1password as the central hub to store keys used to sign published artifacts generated in CI. It'd be super-handy if I could easily generate a new signing subkey and revoke one which was compromised when a CI system's cloud provider gets hacked again, all without having to change a thing about the ci logic. Bonus points for also auto-publishing to one or more keyservers on-change. For one example. Right now I have to locally export a key, import that into 1password as a text field, then have automation fetch the armored key before importing it into a local agent, etc. It's kind of a convoluted process compared to something like telling a package signing process to just use a local key agent which can just speak to 1password connect -- for another example. :) Git commit signing is technically on the list, but more of a side effect to me personally.

IMO, GPG is a fairly complex standard that sees use in many many ways. Adding support for all of these myriad ways into 1Password maybe reinventing the wheel because GPG already has a large number of tools available. And these tools are quite modern in their implementation (but often not in their UI/UX). At the same time, I do want to be able to store my GPG keys in 1Password. After all, what I am paying for is having to remember just "one password".

I think they're hoping everyone storing PGP keys is using them for signing commits and as people discover it can be done with SSH, they'll give up asking for the feature. There are indeed those of us from the '90s still using S/MIME and encrypting blocks to others who want 1Password to be the one stop secret shop.

Big +1 SSH commit signing is fine until you need to rotate keys. Revoking a GPG key will continue to show commits in GitHub (unsure about GitLab) as "verified (expired)". The only way I've found to do the same with SSH keys is to remove the old key completely, but then commits show as "unverified" which defeats the point of supply chain integrity since it's not possible to distinguish a commit that was signed with an old key, or a commit that was not signed, or signed with another key that's not allowed. The alternative is to not rotate signing keys, but then you compromise supply chain integrity further by not ensuring keys are rotated in a timely fashion.

Just to throw my opinion into the mix: SSH keys cannot be substituted for PGP keys in all cases. A PGP key is closer to a digital certificate than it is to an SSH key; whereas an SSH key is really just a raw public key with a tiny amount of metadata attached, a PGP key can and generally does contain a wealth of additional metadata, and is also used for a much wider variety of purposes, like certifying other public keys or containing attached subkeys. In concrete terms, an SSH key cannot be substituted for a PGP key for many use cases, like E2E encrypted email, YubiKey, cryptocurrency wallets etc. If 1Password were to support a GnuPG authentication agent, it would make storing private keys in a centralized location easier and more secure, and the process of performing common PGP-related tasks more transparent. While GnuPG is pretty widely supported nowadays, and there is a wide variety of FOSS out there for managing keys, having my PGP keys stored in 1Password would make life a little easier. It's a small quality-of-life improvement, but not really a significant ask from me personally. I use 1Password because it has the best user experience and broadest compatibility of all of the password managers I've tried, and I intend to keep using it regardless of whether or not PGP keys are supported.

GPG support? (like SSH) | 1Password Community

81 Replies

RogueScholar
Occasional Contributor
2 years ago
As others have stated here already, I use GPG-based signing and encryption for the following activities:
* E-mail signing (majority use case) and encryption (not-insignificant minority)
* As the framework for securing on-site incremental system backups and the occasional full volume images
* To authenticate the end product of packaging efforts for various and sundry Linux distribution package archives (this one's the doozy of the bunch)
* Securing P2P file transfers and shares over otherwise less-secure services (e.g. Dropbox, OneDrive, LocalSend, et al.)

Also echoing several others in this thread, the primary functionality that I seek is really the gpg-agent service and less so the key pair generation and management, although ideally they would at some future time all be present in 1Password. Just to be able to import public and private keys exported as individual files (whether binary or ASCII-armored) and have 1P recognize them, display their identifying characteristics (algorithm, key size, fingerprint and comment) and serve them up in response to the standard gpg-agent calls would be more than enough to have me purring like a kitten for a good long while, though. It's the ability to have them available on all my devices in the same manner that 1P already does for other credentials that I'm so sorely lacking in my current workflows; it wouldn't be an onerous hardship to handle the tasks like key signing, subkey and identity addition/revocation and expiration changes with the tools I already have in place so long as in the end the updated key pairs could be returned to 1P and made use of from my other devices.

I hope that provides the clarification you were asking for, floris_1P, if not, I can get more granular.
razvanpascalau
New Contributor
2 years ago
+1 for having a clean gpg management solution
thystips
New Contributor
2 years ago
+1

For storing GPG keys in clean way.
jayt
New Contributor
2 years ago
+1 for sure!
bpacia
New Contributor
2 years ago
+1 to this request.

I would love to see 1Password have a built-in GPG agent, just like it does currently for SSH. It's an awesome, seamless, cross-platform experience, both in GUI and in command-line. Please bring it to us!
Former Member
2 years ago
+1 (also for @aleon1220s recommendation)

It would be very helpful to derive the public key from the secret, so you can easily access it while securely store the private key.

gpg-agent integration would be awesome! (I guess this is what most mean with "like ssh")
Former Member
2 years ago
+1
aleon1220
New Contributor
2 years ago
+1 but maybe support for other encryption mechanisms and certificates as well. thanks
Former Member
2 years ago
+1!
Former Member
3 years ago
I'd like to clarify my specific part of wanting GPG support. I'd like to have 1PW serve as my gpg-agent process much like it serves as my ssh-agent. This way, when I attempt to use an agent feature, I'm prompted for my password and the agent provides the necessary key. Additionally, having an option to require the 1PW password whenever a key is used similar to a Credit Card entry would be nice!

I feel like one of the advantages GPG keys offer over SSH keys for signing content is the availability of sub keys for different personas. For example, I'm the same person at work and in personal life, but I can have separate keys for both personas as subkeys to my main key. This is how maintainers of several Linux distributions are encouraged to use GPG, and it seems generally like a good practice. Additionally, as already mentioned, GPG can be used to sign and encrypt email, text files, backups, and a host of other things beyond simply signing git commits. GPG public keys are also discoverable, which makes them much easier to use for communication purposes.

Thanks for all the great work on 1PW so far!

Forum Discussion

GPG support? (like SSH)

81 Replies

Recent discussions

Apple Watch CLI Authentication

macOS 26 beta browser extension very slow to open

Use op on headless system with glab?

Console flooded with errors when clicking links during 1Password passkey selection dialog

How to create an Address field type using the CLI?