What GPG Taught Me About Human Trust

Posted on Mon 18 August 2025 in Security & Access

I’ve used GPG for years — to encrypt secrets, sign commits, share passwords, authenticate to systems.

But somewhere along the way, I realized that GPG isn’t just about security. It’s about relationships.

It forced me to look at how I trust people. How I grant access. How I handle compromise.

Tools that demand intention do that to you.

Key exchanges and real conversations

Most tools let you click “Accept” and move on.

GPG makes you stop.

It makes you:

  • Look someone in the eye (or at least confirm their key fingerprint over a channel other than the one the key arrived on)
  • Decide how much you trust them to vouch for other people’s keys (ownertrust: full, marginal, or none at all)
  • Sign their key, which is a public statement that you checked it belongs to them (a local signature keeps that statement inside your own keyring)
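Those three steps, scripted end to end. This is an added example, not code from the original post: it runs against two throwaway keyrings so it works offline, the names and addresses are constructed for the demo, and it assumes GnuPG 2.1 or newer (for the --quick-* commands). The keys are left unprotected, which is acceptable only in a demo keyring.

```shell
#!/bin/sh
# Added example, not code from the original post. It walks the three steps
# the list above describes (compare the fingerprint out of band, record how
# far you trust the owner, sign the key) against two throwaway keyrings so it
# runs offline. Names and addresses are constructed for the demo and the keys
# are left unprotected, which you would never do outside a demo.
set -eu

WORK="$(mktemp -d)"
MY_HOME="$WORK/me"
THEIR_HOME="$WORK/teammate"
mkdir -m 700 "$MY_HOME" "$THEIR_HOME"
cleanup() {
  GNUPGHOME="$MY_HOME"    gpgconf --kill gpg-agent 2>/dev/null || true
  GNUPGHOME="$THEIR_HOME" gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$WORK"
}
trap cleanup EXIT

# gpg invoked in my keyring and in the teammate's keyring.
me()   { GNUPGHOME="$MY_HOME"    gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }
them() { GNUPGHOME="$THEIR_HOME" gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Primary-key fingerprint of a user id (field 10 of the fpr record).
fingerprint_in() {   # $1 = "me" or "them", $2 = user id
  "$1" --with-colons --list-keys "$2" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Validity gpg computes for a key in my keyring (field 2 of the pub record):
# '-' or 'q' unknown, 'm' marginal, 'f' full, 'u' ultimate.
validity_of() {      # $1 = fingerprint
  me --with-colons --list-keys "$1" | awk -F: '$1 == "pub" { print $2; exit }'
}

# Step 0: each side generates its own key pair.
me   --quick-gen-key 'Me <me@example.invalid>'
them --quick-gen-key 'Teammate <teammate@example.invalid>'

# The teammate sends me the public key file. Separately, on a call or in
# person, they read me the fingerprint. In the demo both come from their
# keyring; what matters is that the two arrive over different channels.
them --export --armor teammate@example.invalid > "$WORK/teammate.asc"
SPOKEN_FPR="$(fingerprint_in them teammate@example.invalid)"

# Step 1: import what arrived and compare its fingerprint with what was spoken.
me --import "$WORK/teammate.asc"
IMPORTED_FPR="$(fingerprint_in me teammate@example.invalid)"
fingerprint_matches() { [ "$IMPORTED_FPR" = "$SPOKEN_FPR" ]; }
if ! fingerprint_matches; then
  echo "fingerprint mismatch: not trusting or signing this key" >&2
  exit 1
fi
BEFORE="$(validity_of "$IMPORTED_FPR")"   # nothing decided yet, so not 'f'

# Step 2: ownertrust is how far I trust the teammate to vouch for *other*
# keys, not whether this key is theirs. Levels: 2 undefined, 3 never,
# 4 marginal, 5 full, 6 ultimate.
echo "$IMPORTED_FPR:4:" | me --import-ownertrust

# Step 3: sign the key. --quick-sign-key produces an exportable certification;
# --quick-lsign-key would keep the statement inside my own keyring.
me --yes --quick-sign-key "$IMPORTED_FPR"
me --check-trustdb

# Certified by my own (ultimately trusted) key, the teammate's key is now
# fully valid in my keyring, so gpg will encrypt to it without a warning.
AFTER="$(validity_of "$IMPORTED_FPR")"
echo "validity before: $BEFORE, after signing: $AFTER"
```

The mismatch branch is the whole point: if the fingerprint that arrived with the key differs from the one spoken out of band, nothing gets trusted or signed, and the conversation about why starts there.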

Every time I’ve had to onboard a teammate, share a repo, or automate access via GPG, it triggered a conversation about boundaries, risk and communication.

You don’t get that with shared Google Docs or Slack DMs.

You get that when you have to say out loud: “I trust you enough to decrypt this.”

Compromise and recovery

I once lost a key.

It wasn’t just a technical loss — it felt personal.

I had shared it with others. It was embedded in scripts, commits, infrastructure.

Losing it wasn’t like losing a password. It was like breaking a handshake — and all the people on the other side now had to deal with the fallout.

That’s when I started using subkeys, setting expiration dates, separating roles.

Not because I read it in a guide, but because real trust had been tested — and I wasn’t going to break it twice.
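The key layout that hygiene leads to, and the recovery it makes possible, as an added example that is not code from the original post. It assumes GnuPG 2.1 or newer (for the --quick-* commands and the revocation certificate gpg writes at key creation); the user id is constructed for the demo, and the key is left unprotected, which is acceptable only in a throwaway keyring.

```shell
#!/bin/sh
# Added example, not code from the original post. It builds a certify-only
# primary with one expiring subkey per role, locates the revocation
# certificate gpg wrote at creation, then rehearses the recovery: revoke one
# compromised subkey and mint its replacement, leaving the primary and the
# other roles untouched. The user id is constructed for the demo and the key
# is left unprotected, which is fine only in a throwaway keyring.
set -eu

export GNUPGHOME="$(mktemp -d)"
chmod 700 "$GNUPGHOME"
cleanup() { gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"; }
trap cleanup EXIT
g() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Primary key: certify only. It signs subkeys and other people's keys and
# otherwise stays offline; it is the one key that never goes into a script.
g --quick-gen-key 'Nuno (demo) <nuno@example.invalid>' ed25519 cert 1y
FPR="$(g --with-colons --list-keys nuno@example.invalid | awk -F: '$1 == "fpr" { print $10; exit }')"

# One subkey per role, each with its own expiry: losing one affects only
# that role, and expiry puts a ceiling on how long a lost one stays usable.
g --quick-add-key "$FPR" ed25519 sign 1y   # git commits, release artefacts
g --quick-add-key "$FPR" cv25519 encr 1y   # password-store, shared secrets
g --quick-add-key "$FPR" ed25519 auth 1y   # SSH through gpg-agent

# gpg >= 2.1 writes a revocation certificate at key creation; copy it
# somewhere safe now, while the primary is still in hand.
REVOKE_CERT="$GNUPGHOME/openpgp-revocs.d/$FPR.rev"

# Days between creation and expiry of the primary (fields 6 and 7, epoch seconds).
primary_lifetime_days() {
  g --with-colons --list-keys "$FPR" | awk -F: '$1 == "pub" { print int(($7 - $6) / 86400); exit }'
}

# Capability letters of live subkeys (field 12: s sign, e encrypt, a auth),
# and the count of revoked subkeys (validity field 2 == 'r').
live_subkey_roles() {
  g --with-colons --list-keys "$FPR" | awk -F: '$1 == "sub" && $2 != "r" { print $12 }' | sort | paste -sd, -
}
revoked_subkey_count() {
  g --with-colons --list-keys "$FPR" | awk -F: '$1 == "sub" && $2 == "r" { n++ } END { print n + 0 }'
}

# Recovery drill: the signing subkey (first subkey, "key 1") is treated as
# compromised. Revoke it with reason 1 (key has been compromised), then add
# a fresh one. The --edit-key answers, in order: select subkey, revkey,
# confirm, reason, empty description line, confirm, save.
printf 'key 1\nrevkey\ny\n1\n\ny\nsave\n' \
  | g --yes --command-fd 0 --edit-key "$FPR" >/dev/null
g --quick-add-key "$FPR" ed25519 sign 1y

# Publish the updated public key (now carrying the revocation) wherever the
# old one was embedded: keyserver, repo, teammates.
g --export --armor "$FPR" > "$GNUPGHOME/nuno-demo.pub.asc"

echo "primary lifetime: $(primary_lifetime_days) days"
echo "live subkey roles: $(live_subkey_roles); revoked subkeys: $(revoked_subkey_count)"
echo "revocation certificate: $REVOKE_CERT"
```

Everyone who had the old public key needs the exported one to learn about the revocation, which is why the export step belongs in the drill and not as an afterthought.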

Infrastructure as social contract

We love to say “infrastructure as code.” But I believe infrastructure is relationships.

It’s how you treat the people who access your systems. It’s how you manage keys, renewals, audits — not just to tick boxes, but to maintain clarity.

GPG taught me that every encryption is a message of trust, and every decryption is a responsibility.

When someone shares a secret with you, the tooling should reflect the weight of that act.

Final thoughts

I still use GPG — now with better hygiene, deeper understanding, and more empathy.

I document key flows as if I’m explaining them to the next person I might trust. I automate sharing with password-store, but never skip the human context.

Because behind every gpg --encrypt is a decision:

“You matter. I trust you. Don’t break it.”

— Nuno