Passphrases, keys and certificates
Everything in this series depends on secrets. Passphrases that unlock encrypted storage. SSH keys that authenticate you to remote servers. TLS certificates that establish trust between services. A Yubikey that acts as a hardware root of trust for all of the above. Before any of the interesting infrastructure gets built, it is worth understanding what these things are, how they relate to each other, and how to manage them without either losing them or exposing them.
This is the section most people are tempted to skim. That is a mistake. A weak passphrase on an SSH key undermines everything that key protects. A certificate stored carelessly is a certificate that can be stolen. The secrets layer is foundational, and foundational things deserve careful attention.
The three types of secret
These terms get used interchangeably in the wild, which causes confusion. They are not the same thing.
Passphrases are human-memorable secrets, the thing you type. They protect other secrets at rest. A passphrase encrypts a private key so that the key file on disk is useless without it. A strong passphrase is long, random, and stored in a password manager rather than your head.
Keys are cryptographic key pairs: a private key that stays on your machine and a public key that you can share freely. SSH keys authenticate you to servers. PGP keys sign and encrypt communications. The private half of a key pair is typically protected by a passphrase.
Certificates are public keys with a signature attached. The signature comes from a Certificate Authority (CA) and asserts that the public key belongs to a particular entity. Certificates are how services establish trust with each other. When your browser trusts an HTTPS connection, it is trusting the certificate chain back to a root CA it already knows about. In this network, that root CA is one you control.
Passphrases protect keys. Keys prove identity. Certificates establish trust. Each layer depends on the one below it.
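The three layers, as an added example that is not part of the original series: a passphrase-encrypted root CA key, a server key pair with a signing request, and a certificate that verifies against the CA you control but not against an unrelated one. It assumes the openssl CLI is installed; the CA names, hostname and passphrase are constructed.

```shell
#!/bin/sh
# Added example, not from the original page. Builds a throwaway root CA and one
# server certificate in a temp directory using the openssl CLI.
# Assumes openssl is on PATH; every name and passphrase here is constructed.
set -eu
WORK="$(mktemp -d)"
PASS="constructed-passphrase-keep-the-real-one-in-keepassxc"

# Layer 1, passphrase protects key: the CA private key is written encrypted,
# so root.key on disk is useless without $PASS.
make_root_ca() {   # $1 = common name, $2 = output basename
    openssl req -x509 -newkey rsa:2048 -passout "pass:$PASS" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.crt" \
        -subj "/CN=$1" -days 3650 >/dev/null 2>&1
}

# Layer 2, key proves identity: the service owns a key pair; its signing
# request carries only the public half, the private key never leaves the host.
make_server_csr() {   # $1 = hostname
    openssl genrsa -out "$WORK/server.key" 2048 >/dev/null 2>&1
    openssl req -new -key "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/CN=$1" >/dev/null 2>&1
}

# Layer 3, certificate establishes trust: the CA signs the request, which it
# can only do after the passphrase has unlocked its private key.
sign_csr() {   # $1 = CA basename
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/$1.crt" \
        -CAkey "$WORK/$1.key" -passin "pass:$PASS" -CAcreateserial \
        -days 365 -out "$WORK/server.crt" >/dev/null 2>&1
}

# Exit 0 when server.crt chains to the named root, non-zero otherwise; this is
# the check a client performs before trusting the service.
chain_verifies() {   # $1 = CA basename
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# Exit 0 when the passphrase decrypts the CA key, non-zero otherwise.
key_unlocks() {   # $1 = CA basename, $2 = passphrase to try
    openssl pkey -in "$WORK/$1.key" -passin "pass:$2" -noout >/dev/null 2>&1
}

make_root_ca "Home Lab Root CA" root        # the CA you control
make_root_ca "Unrelated Root CA" other      # a CA you do not trust, for contrast
make_server_csr nas.home.lab
sign_csr root
chain_verifies root  && echo "server.crt trusted via root.crt"
chain_verifies other || echo "server.crt rejected by other.crt"
key_unlocks root "wrong-passphrase" || echo "root.key unusable without its passphrase"
```

Running it prints the three lines in the order the `echo`s appear, because the chain verifies only against the CA that signed it and the encrypted key only opens with the right passphrase.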
What this section covers
- Passphrases — What makes a passphrase strong, and how to generate and store them properly
- Keys — SSH key pairs, PGP keys, and how to manage them on a Kubuntu desktop
- Certificates — How TLS certificates work and how they fit into the private CA built later in this series
- KWallet — The KDE Plasma secrets store, and how to configure it to work seamlessly with the rest of the desktop
- KeePassXC — A local, encrypted password database for passphrases and credentials that should never leave your machine
- OpenPGP — GnuPG configuration, key management, and integration with your mail client
- Yubikey — Hardware security key setup for SSH authentication, PGP, and two-factor authentication
A note on KWallet vs Gnome Keyring
The source material this series is based on references Gnome Keyring as the desktop secrets store. On Kubuntu, the equivalent is KWallet. The underlying function is identical: a system-level secrets store that applications can use to save and retrieve credentials without storing them in plaintext. The configuration is different, and the integration points with KDE applications are naturally tighter. This section covers KWallet rather than Gnome Keyring throughout.
KWallet is enabled by default on Kubuntu and will prompt you to set it up on first login. The default configuration is reasonable but worth reviewing, particularly around auto-unlock behaviour and which applications are granted access. That is all covered in the KWallet section.
Before you continue
Two things worth having in place before working through this section. First, decide on your password manager. KeePassXC is the recommendation here: open source, local-first, no sync service required, and well maintained. If you are already using something else and happy with it, that is fine, but the documentation in this section assumes KeePassXC.
Second, if you have a Yubikey, have it to hand. The Yubikey section is towards the end of this chapter, but it touches everything that comes before it. Knowing you have one, and roughly what you want to use it for, will inform some of the decisions made earlier.