GPG Keypairs
A GPG keypair stores an ASCII-armoured GPG public key and private key pair. Both halves are encrypted at rest and delivered to your containers as separate files.
When to use a GPG keypair
- Your application signs artifacts, packages, or commits with a GPG key
- You verify signatures produced by a third party and need the public key on disk
- A release pipeline signs container images or SBOMs before publishing
- You encrypt or decrypt data at the application layer using GPG
What Bahriya stores
When you upload a GPG keypair, Bahriya parses it and stores metadata alongside the encrypted material:
| Field | Description |
|---|---|
| Key ID | The short key ID extracted from the public key |
| Fingerprint | Full fingerprint for verification |
| Algorithm | Key algorithm (RSA, DSA, EdDSA, etc.) and key size |
| User ID | The UID embedded in the key (e.g. deploy@example.com) |
| Expires | Key expiry date, shown as a countdown badge in the console |
This metadata is visible in list views and detail pages so you can spot expiring keys at a glance.
Mounting in containers
When you attach a GPG keypair to a container, you choose a mount path. The key files appear as:
<mount-path>/public_key # The public key (ASCII-armoured)
<mount-path>/private_key # The private key (ASCII-armoured)
Your application reads them from these paths. For example, a signing service might reference /etc/gpg/public_key and /etc/gpg/private_key.
Rotation
Rotation creates a new version of the keypair. The previous version is retained for rollback. After rotation:
- File-mounted containers pick up the new keys automatically within about 60 seconds. No manual action needed.
- If you need to force a restart, use the Redeploy button on the Consumers panel.
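A long-running process that read the key files once at startup keeps using that copy in memory until it reads the files again. The following is an added example, not Bahriya's own code: a loader that re-reads the mounted pair when its content changes and keeps the last good pair if a file is unreadable or malformed. The names MountedKeypair, refresh and demo are hypothetical, and the sample key blocks are constructed placeholders; the page does not specify how the files are replaced on disk, so the loader compares content rather than timestamps.

```python
import hashlib
import tempfile
from pathlib import Path

PUB_HEADER = "-----BEGIN PGP PUBLIC KEY BLOCK-----"    # standard OpenPGP armour header
PRIV_HEADER = "-----BEGIN PGP PRIVATE KEY BLOCK-----"  # standard OpenPGP armour header

class MountedKeypair:
    """Re-reads <mount-path>/public_key and private_key when their content changes."""
    def __init__(self, mount_path):
        self.mount = Path(mount_path)
        self.public = self.private = self.digest = None

    def _read(self):
        pub = (self.mount / "public_key").read_text()
        priv = (self.mount / "private_key").read_text()
        for text, header in ((pub, PUB_HEADER), (priv, PRIV_HEADER)):
            if not text.lstrip().startswith(header):
                raise ValueError(f"missing {header}")  # swapped or truncated file
        digest = hashlib.sha256((pub + "\0" + priv).encode()).hexdigest()
        return pub, priv, digest

    def refresh(self):
        """Return True if a new version was loaded; keep the old pair on error."""
        try:
            pub, priv, digest = self._read()
        except (OSError, ValueError):
            if self.digest is None:
                raise  # nothing usable loaded yet: fail closed at startup
            return False  # bad or unreadable file: keep the last good pair
        if digest == self.digest:
            return False
        self.public, self.private, self.digest = pub, priv, digest
        return True

def demo():
    """Constructed sample: placeholder armoured blocks, not real keys."""
    with tempfile.TemporaryDirectory() as d:
        def write(tag):
            Path(d, "public_key").write_text(f"{PUB_HEADER}\n\n{tag}\n")
            Path(d, "private_key").write_text(f"{PRIV_HEADER}\n\n{tag}\n")
        write("v1")
        kp = MountedKeypair(d)
        seen = [kp.refresh(), kp.refresh()]  # initial load, then no change
        write("v2")
        seen.append(kp.refresh())            # rotated version picked up
        Path(d, "private_key").write_text("garbage")
        seen.append(kp.refresh())            # malformed file: v2 stays loaded
        return seen, "v2" in kp.private
```

Call refresh() on a timer or before each signing operation, and pass the loaded text to your GPG library only after it returns without raising.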
Pricing
GPG keypairs are billed at $0.02 per month while they exist, plus $0.02 per region per month when attached to a project.