SSH Keys vs GPG Keys Explained
🔐 SSH Key vs. GPG Key
Here is a clear, practical explanation of what a GPG key is, what an SSH key is, and how they differ.
1. What an SSH key is
SSH keys are used to authenticate to systems.
✔️ SSH keys allow you to:
- Log into servers without a password
- Authenticate to GitHub, GitLab, Bitbucket
- Authenticate inside DDEV containers via SSH agent
- Secure SCP/SFTP transfers
🔑 An SSH key pair includes:
- Private key: id_ed25519
- Public key: id_ed25519.pub
SSH keys prove:
“I am allowed to connect.”
2. What a GPG key is
A GPG (GNU Privacy Guard) key is used for signing, encrypting, and verifying content, especially identity‑based operations.
✔️ GPG keys allow you to:
- Digitally sign Git commits (proves they came from you)
- Digitally sign emails
- Encrypt or decrypt files and messages
- Sign software releases so users know they are authentic
🔑 A GPG key pair includes:
- Private key (kept secret)
- Public key (shared so others can verify your signatures)
GPG keys prove:
“This message or code truly came from me.”
🆚 Key Differences (Comparison)
| Feature | SSH Key | GPG Key |
|---|---|---|
| Purpose | Authenticate to servers & services | Sign or encrypt data, commits, messages |
| Used in | SSH login, GitHub auth, DDEV, Linux servers | Git commit signing, encrypted email, secure messaging |
| Identifies | Your access | Your identity |
| Private key stays | On your device | On your device |
| Public key used for | Authorizing access | Verifying signatures / encryption |
| Trust model | Who is allowed in? | Who do we trust as the identity? |
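The two key types also look different on disk, which makes it possible to check which half of which pair a file holds. The following is an added example, not part of the original page: it classifies key material by its first line and, for an OpenSSH public key such as `id_ed25519.pub`, computes the SHA256 fingerprint in the form `ssh-keygen -l` prints. The function names and the sample key are constructed for illustration.

```python
import base64
import hashlib
import struct

# First-line armor headers that identify non-SSH-public key material.
MARKERS = {
    "-----BEGIN OPENSSH PRIVATE KEY-----": ("ssh", "private"),
    "-----BEGIN PGP PRIVATE KEY BLOCK-----": ("gpg", "private"),
    "-----BEGIN PGP PUBLIC KEY BLOCK-----": ("gpg", "public"),
    "-----BEGIN PGP SIGNATURE-----": ("gpg", "signature"),
}

def ssh_fingerprint(pub_line):
    """Return the SHA256 fingerprint of an OpenSSH public key line, or None."""
    parts = pub_line.split()
    if len(parts) < 2:
        return None
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(blob) < 4:
        return None
    # The blob starts with a length-prefixed key type that must match field 1.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != parts[0].encode():
        return None
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def classify(text):
    """Return (family, kind, fingerprint) for the text of a key file."""
    lines = text.strip().splitlines()
    first = lines[0].strip() if lines else ""
    if first in MARKERS:
        return MARKERS[first] + (None,)
    fp = ssh_fingerprint(first)
    return ("ssh", "public", fp) if fp else ("unknown", "unknown", None)

def make_sample_pub():
    """Build a constructed ssh-ed25519 public key line (not a real key)."""
    ktype, raw = b"ssh-ed25519", bytes(range(32))
    blob = struct.pack(">I", len(ktype)) + ktype + struct.pack(">I", len(raw)) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " user@example"

if __name__ == "__main__":
    print(classify(make_sample_pub()))
    print(classify("-----BEGIN PGP PRIVATE KEY BLOCK-----\n..."))
```

A `private` result for a file found outside your own device, for example in a repository or a shared folder, means that key should be treated as exposed and replaced.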
🧠 The Simplest Analogy
SSH key = the key to unlock a door.
It lets you in.
GPG key = your wax seal on a document.
It proves the document came from you and wasn’t altered.
⚙️ Which one do YOU need?
For GitHub:
- SSH key → authenticate (clone, pull, push)
- GPG key → optional; marks commits as “verified”
Most people only need SSH keys unless they want verified commits.
📌 When both are used on GitHub
- SSH key = login/authentication
- GPG key = signature proving commits are genuine
They do not replace each other.