Changing/Renewing GPG key procedure?

I know I'm a little late with this, but I want to renew my GPG key and change it from DSA to RSA. The length of my ElGamal key is 1024, which is not that good by today's standards. When searching on Planet Debian, I found a few HowTos, especially the one by Ana Guerrero.

Are there any other tips or caveats than those mentioned in her blog? Is an RSA key with a length of 4096 state of the art at the moment? Is it acceptable to send the new key, signed (and maybe encrypted), to all those who already signed my old key, to get the new key signed?

Comments are welcome, dear Lazy Web!


Comments

Debian keyring maintainers, also quoting Ana: http://keyring.debian.org/creating-key.html

dkg's helpful notes: http://www.debian-administration.org/users/dkg/weblog/48

(I migrated with the help of Ana's and dkg's howtos, plus the detail about caff that's linked somewhere)

bubulle documented his transition and pointed towards zack's version in his blog.
http://www.perrier.eu.org/weblog/2010/10/10#gpg-transition

There is also URL: http://keyring.debian.org/creating-key.html, though that also references Ana's blog as what they are based on.

"Best" key lengths are always highly discussed...
gpg (per default) does not support lengths > 4096...

There is IMHO no single good argument against using 4096 for the primary key (well, except if you want to use it on some gpg card or so)...

You can (and should) create signing keys which may be smaller (and therefore perhaps faster in use)... while the primary is only used for key signing.

<hat class="keyring-maint">
Ana's post is the reference we all use, and what we have incorporated in keyring-maint's pages. My hat off to her. Although I'm still speaking with my hat on.

As for getting people to sign your new key: I don't like this, but it is just my personal preference... Several people have prepared transition documents when changing their keys. Transition documents usually include:

  • Full fingerprint for your old and new keys
  • Reason for the key replacement
  • Are signed by both keys
  • Request signers of your old key to sign the new one

So, some people will reply to your request by signing the new key. Once again, I don't like it and would prefer all signatures to be exchanged in person — But OTOH, if your old key has not been in any way compromised, and if new signatures are sent directly to you (i.e. using caff), the risk of an attacker getting a signature this way is very low.

Your call.

</hat>
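The transition document described in the comment above, as an added example that is not from the original post or its commenters: a shell script that creates two throwaway keys standing in for the old and the new key, writes a statement carrying both fingerprints and the reason for the change, clearsigns it with both keys at once, and verifies that both signatures check out. The user IDs, the temporary GNUPGHOME and the reduced 2048-bit key size are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: a key-transition statement clearsigned with BOTH the old and
# the new key, then verified. Runs in a throwaway GNUPGHOME; the two keys and
# their user IDs are constructed for the demo.
set -eu
export LC_ALL=C   # keep gpg's messages in English so they can be grepped

# Primary fingerprint of the key matching a user ID, from machine-readable output.
fingerprint_of() {
  gpg --batch --with-colons --list-keys "$1" | awk -F: '/^fpr:/ { print $10; exit }'
}

# Creates an "old" and a "new" key, signs a transition statement with both, and
# prints the number of good signatures found when verifying it (expected: 2).
gpg_transition_demo() {
  GNUPGHOME=$(mktemp -d); export GNUPGHOME
  # Unprotected throwaway keys so no pinentry is needed. A real replacement key
  # would be rsa4096; 2048 bits keeps the demo fast.
  for uid in 'Old Key (demo) <old@example.invalid>' 'New Key (demo) <new@example.invalid>'; do
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$uid" rsa2048 sign never
  done
  old_fpr=$(fingerprint_of old@example.invalid)
  new_fpr=$(fingerprint_of new@example.invalid)

  # The statement itself: the items a signer of the old key needs to check.
  cat > "$GNUPGHOME/transition.txt" <<EOF
Key transition statement (demo)
Old key: $old_fpr
New key: $new_fpr
Reason: retiring a 1024-bit DSA/ElGamal key in favour of an RSA key.
If you signed the old key, please verify the new fingerprint and consider signing it.
EOF
  # Two -u options yield two signatures over the same text: proof of control of
  # the old key and of the new one.
  gpg --batch --quiet --clearsign -u "$old_fpr" -u "$new_fpr" \
      -o "$GNUPGHOME/transition.txt.asc" "$GNUPGHOME/transition.txt"
  # gpg reports verification results on stderr; count the "Good signature" lines.
  good=$(gpg --batch --verify "$GNUPGHOME/transition.txt.asc" 2>&1 \
         | grep -c 'Good signature' || true)
  gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$GNUPGHOME"
  echo "$good"
}

gpg_transition_demo
```

The signed statement would normally be published and mailed to the old key's signers; `gpg --verify` on their side shows the same two "Good signature" lines, one per key.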
