GPG Authentication Guide
GPG (GNU Privacy Guard) is an open-source implementation of the OpenPGP standard. It allows you to authenticate with OwnBlock using asymmetric cryptography — no email, no password, no personal data.
1. What is GPG?
GPG uses public-key cryptography. Each user holds a key pair: a private key that only you possess, and a public key that you can share freely. The private key signs messages; anyone can verify that signature using the corresponding public key.
Each key has a fingerprint — a 40-character hexadecimal hash that uniquely identifies it. In OwnBlock, your fingerprint IS your identity. It is not linked to any personal data unless you explicitly included it when generating the key.
2. Why use GPG to sign in
- No email required: you do not need to reveal any personal identifier.
- Sovereign identity: your GPG key lives on your machine, not on any server.
- Cryptographic proof: each login is a unique signature over a one-time challenge — it cannot be replayed or forged without your private key.
- Hardware compatible: works with YubiKey, Nitrokey, and other OpenPGP cards. The private key never leaves the device.
- Auditable: the protocol is fully transparent.
Privacy implication: if you generate a dedicated key for OwnBlock with a pseudonym or blank email, there is no link to your real identity. If you reuse an existing key published on public keyservers with your real name, that association is public.
3. Installation
Linux (Debian / Ubuntu):
sudo apt install gnupg
Linux (Fedora / RHEL):
sudo dnf install gnupg2
macOS — option A (Homebrew):
brew install gnupg
macOS — option B: GPG Suite (includes GUI)
Windows: Gpg4win — installs GnuPG, Kleopatra (GUI) and the required plugins.
Verify installation:
gpg --version
4. Generating your key pair
Run:
gpg --full-generate-key
- Key type: select ECC (sign and encrypt) → Curve 25519 (Ed25519). Alternative: RSA with 4096 bits.
- Expiry: 1-2 years recommended (1y or 2y). You can extend validity before it expires. A key with no expiry never lapses on its own, so if you lose control of it only a revocation certificate (section 7) can invalidate it.
- Name and email: you can use a pseudonym and leave the email blank. If anonymity is a priority, do not use real data.
- Passphrase: mandatory. Protects the private key on disk. Use a long, random passphrase. Without it, anyone with access to the file can use your key.
5. Getting your fingerprint and public key
List your keys:
gpg --list-keys --keyid-format LONG
The fingerprint appears under the pub line as a 40-character hex string (may be grouped in sets of 4). The short Key-ID (last 8 chars) is used for quick reference.
Export your public key (this is what you paste in OwnBlock):
gpg --armor --export YOUR_FINGERPRINT
Replace YOUR_FINGERPRINT with your full fingerprint without spaces (40 chars) or the last 8 characters of the Key-ID.
6. Signing in to OwnBlock with GPG
- Go to /login and select the GPG key tab.
- Enter your alias and (if registering) your public key. Click Get challenge.
- Save the challenge payload to a file and sign it with the command below.
- Paste the armoured signature (content of challenge.json.asc) in the signature field.
- Click Verify and sign in.
Sign with default key:
echo -n 'CHALLENGE_PAYLOAD' > challenge.json
gpg --armor --detach-sign challenge.json
cat challenge.json.asc
Sign with a specific key:
echo -n 'CHALLENGE_PAYLOAD' > challenge.json
gpg --armor --detach-sign --default-key YOUR_FINGERPRINT challenge.json
cat challenge.json.asc
The output will be a -----BEGIN PGP SIGNATURE----- block. Copy and paste the entire block, including the headers and signature footer.
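As an added example that is not part of the original guide, the script below runs the same signing commands against a throwaway key in a temporary GNUPGHOME and then checks the result locally with gpg --verify, which is worth doing before pasting the signature: a signature over any other bytes (the same challenge with one character appended, or a trailing newline) does not verify. The alias, challenge payload and key user ID are constructed values.

```shell
#!/bin/sh
# Added example, not OwnBlock's own tooling: runs the section-6 signing flow
# against a throwaway key in a temporary GNUPGHOME and checks the signature
# locally the way a verifier would, including against an altered challenge.
set -eu

export GNUPGHOME
GNUPGHOME="$(mktemp -d)"
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT

# Throwaway Ed25519 signing key. No passphrase only because it is ephemeral;
# a real key must be passphrase-protected (section 4). Prints its fingerprint.
make_test_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'ownblock-demo <demo@example.invalid>' ed25519 sign 1y 2>/dev/null
    gpg --batch --with-colons --list-keys ownblock-demo | awk -F: '/^fpr/ { print $10; exit }'
}

# Sign exactly as section 6 shows: payload written without a trailing newline,
# then a detached, armoured signature made with the chosen key.
sign_challenge() {  # $1 fingerprint, $2 challenge payload, $3 output .asc path
    printf '%s' "$2" > "$GNUPGHOME/challenge.json"
    gpg --batch --quiet --armor --detach-sign --default-key "$1" \
        --output "$3" "$GNUPGHOME/challenge.json"
}

# Check a detached signature against the payload a verifier expects. Prints ok or FAIL.
verify_challenge() {  # $1 signature file, $2 expected payload
    printf '%s' "$2" > "$GNUPGHOME/expected.json"
    if gpg --batch --quiet --verify "$1" "$GNUPGHOME/expected.json" 2>/dev/null; then
        echo ok
    else
        echo FAIL
    fi
}

# Constructed sample challenge; a real one comes from the Get challenge button.
CHALLENGE='{"alias":"demo","nonce":"constructed-nonce-0001","exp":1700000000}'
FPR="$(make_test_key)"
SIG="$GNUPGHOME/challenge.json.asc"
sign_challenge "$FPR" "$CHALLENGE" "$SIG"

echo "signer fingerprint: $FPR"
echo "genuine challenge:  $(verify_challenge "$SIG" "$CHALLENGE")"
echo "altered challenge:  $(verify_challenge "$SIG" "${CHALLENGE}x")"
```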
7. Security and backups
Generate a revocation certificate immediately after creating the key:
gpg --gen-revoke YOUR_FINGERPRINT > revoke.asc
Store revoke.asc in a safe, offline location. This file allows you to invalidate the key if it is lost or compromised.
Back up your private key:
gpg --armor --export-secret-keys YOUR_FINGERPRINT > private-key-backup.asc
Store private-key-backup.asc on an encrypted offline medium (encrypted USB, laminated paper in a safe location). NEVER share this file.
Without a backup of your private key AND without recovery codes, loss of access is permanent and unrecoverable. There is no additional recovery mechanism. This is by design.
Recovery codes are a second backup layer independent of the private key. If you lose access to your GPG key but still have your recovery codes, you can still access your account. See the "Recovery Codes" section below.
8. Hardware keys (advanced)
Devices such as YubiKey (series 5 or higher) and Nitrokey implement the OpenPGP Card specification. The private key is generated inside the chip and can never be exported. GPG interacts with the device automatically through the gpg-agent.
The signing command is identical:
echo -n 'CHALLENGE_PAYLOAD' > challenge.json
gpg --armor --detach-sign challenge.json
cat challenge.json.asc
The device will request a touch confirmation and the signature is produced in hardware. The private key is never exposed in memory.
To configure GPG with a YubiKey, follow the official Yubico documentation.
9. Recovery codes
When you create an account with GPG, OwnBlock automatically generates 5 recovery codes. These codes are shown only once at account creation and cannot be retrieved afterwards.
Each code has the format: AAAAAAAA-BBBBBBBB-CCCCCCCC-DDDDDDDD (4 groups of 8 characters).
Use case: if you lose your GPG key or the device where it is stored, recovery codes are the only way to regain access to your account.
After using a recovery code, go to Settings and generate a new set of 5 codes.
Without your GPG key AND without recovery codes, the account is permanently and irrecoverably inaccessible. Store the recovery codes in a safe, offline location at account creation time.
10. Account lifecycle
OwnBlock accounts are automatically deleted after 7 days of inactivity. The 7-day counter resets with every successful login — it only affects users who do not log in for 7 consecutive days.
Why this policy exists: OwnBlock accounts exist exclusively to (1) create hashrate rental orders, (2) manage Telegram notification preferences, and (3) access the support ticket service. There is no social profile, no saved payment method, no history beyond active orders. An inactive account means the user is simply not using any of these services — keeping it would only consume resources without purpose.
Practical implication: if you return to the platform after more than 7 days without logging in, you will need to create a new account. You can use the same GPG key — you will only need to choose a new alias.