Security

PGP / GPG keys

Verify our warrant canary, send encrypted security disclosures, or verify signed releases. ServerCrate security-sensitive communications use the team key below.

Team key

security@servercrate.net

Download ASCII-armored key: https://servercrate.net/pgp/servercrate-team.asc

Fingerprint: AAB2 A06A E5F9 187B 9565 4584 C1B0 7D4D F41C B15F
Key ID: 0xC1B07D4DF41CB15F
Algorithm: RSA 4096, sign + certify
Created: 2026-05-11
Expires: 2028-05-10

Verify before you trust

Anyone can host a file claiming to be a PGP key. Trust the key only when the fingerprint matches across independent sources.

  1. Import the key

    curl -sL https://servercrate.net/pgp/servercrate-team.asc \
      | gpg --import

  2. Verify the fingerprint

    gpg --fingerprint security@servercrate.net

    The output must match AAB2 A06A E5F9 187B 9565 4584 C1B0 7D4D F41C B15F character-for-character. One wrong hex pair means it is a different key.

  3. Confirm across independent channels

    The same fingerprint must appear on all three:

    • This page: servercrate.net/pgp/
    • Our warrant canary: servercrate.net/warrant-canary/
    • Our GitHub: github.com/servercrate

    If any source disagrees, do not trust the key. Open a ticket from a known-good channel and ask for confirmation.
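To script the step-2 comparison instead of eyeballing it, the following is an added example (not ServerCrate's own tooling). It parses gpg's machine-readable colon listing (`gpg --with-colons --fingerprint`) so that only the primary key's fingerprint is compared, never a subkey's, and the `check_servercrate_key` helper (an assumed name) runs gpg against your own keyring:

```shell
#!/bin/sh
# Added example: compare the PRIMARY key fingerprint from
# `gpg --with-colons --fingerprint` against the value published on this page.
# Subkey fingerprints are ignored on purpose: only the primary key's
# fingerprint identifies the key you decided to trust.

# Fingerprint as published on this page (spaces are stripped before comparing).
SERVERCRATE_FPR="AAB2 A06A E5F9 187B 9565 4584 C1B0 7D4D F41C B15F"

# Read colon-format gpg output on stdin; print one fingerprint per primary key.
# The `fpr` record following a `pub` record is the primary fingerprint;
# `fpr` records following a `sub` record belong to subkeys and are skipped.
primary_fprs() {
  awk -F: '
    $1 == "pub" { want = 1; next }
    $1 == "sub" { want = 0; next }
    $1 == "fpr" && want { print $10; want = 0 }
  '
}

# verify_fingerprint LISTING EXPECTED
#   returns 0 on an exact match, 1 on mismatch,
#   2 when the listing does not contain exactly one primary key.
verify_fingerprint() {
  expected=$(printf '%s' "$2" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
  found=$(printf '%s\n' "$1" | primary_fprs)
  count=$(printf '%s\n' "$found" | awk 'NF { n++ } END { print n + 0 }')
  [ "$count" -eq 1 ] || return 2
  [ "$found" = "$expected" ]
}

# Check the key actually in your keyring (assumes gpg is installed and the key
# was imported as in step 1). Not run automatically; call it yourself.
check_servercrate_key() {
  listing=$(gpg --with-colons --fingerprint security@servercrate.net) || return 2
  if verify_fingerprint "$listing" "$SERVERCRATE_FPR"; then
    echo "fingerprint OK: $SERVERCRATE_FPR"
  else
    echo "FINGERPRINT MISMATCH OR AMBIGUOUS LISTING: do not trust this key" >&2
    return 1
  fi
}
```

A non-zero exit from `check_servercrate_key` is the "do not trust the key" case from step 3: fall back to a known-good channel rather than proceeding.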

What this key signs

  • Warrant canary: quarterly truth statements with a verifiable signature chain.
  • Security advisories: vulnerability disclosures, postmortems, breach notifications, and trust-impacting notices.
  • Release artifacts: restic-toolkit binaries, open-source tags, signed deployment manifests, and operational artifacts.
  • Email from security@: outbound replies from security@servercrate.net are signed by default.

Send us encrypted mail

For security disclosures, account-recovery edge cases, or anything you do not want to send in cleartext, encrypt the message to the team key.

# Encrypt a message inline
echo "Your message" | gpg --encrypt --armor \
  --recipient security@servercrate.net

# Encrypt a file
gpg --encrypt --armor --recipient security@servercrate.net report.pdf

# Then email the ciphertext or .asc/.gpg file to security@servercrate.net

If you have WKD set up, you can skip the manual download:

gpg --auto-key-locate clear,wkd --locate-keys security@servercrate.net

Responses are signed by the same key. Anything you send encrypted gets an encrypted reply, never a plaintext one.

Key rotation policy

The team key expires 2028-05-10. A new key is announced 30 days before rotation through:

  1. An advisory signed by the outgoing key naming the incoming key's fingerprint.
  2. A public post linked from the homepage.
  3. A rotation notice embedded in the next quarterly canary signing.

Rule: if the new fingerprint is not signed by the old key, do not trust the new key. Contact security@servercrate.net from a known-good channel.

Key structure

The team key uses a master-key / subkey pattern.

Master key (RSA 4096, sign + certify): signs the canary, releases, and advisories, and certifies subkey rotations. Stored offline after generation.

Encryption subkey (RSA 4096, encrypt only): receives incoming security mail; its private half is what decrypts it. It can be rotated without changing the master key fingerprint you already trusted.