Changing/Renewing GPG key procedure?

I know I’m a little late with this, but I want to renew my GPG key and change it from DSA to RSA. The length of my ElGamal key is 1024, which is not that good by today’s standards. When searching on Planet Debian, I found a few HowTos, especially the one by Ana Guerrero.

Are there any other tips or caveats than those mentioned in her blog? Is an RSA key with a length of 4096 state of the art at the moment? Is it acceptable to send the new key signed (and maybe encrypted) to all those who already signed my old key, to get the new key signed?

Comments are welcome, dear Lazy Web!


5 thoughts on “Changing/Renewing GPG key procedure?”

  1. “Best” key lengths are always highly discussed…
    gpg (by default) does not support lengths > 4096…

    There is IMHO no single good argument against using 4096 for the primary key (well, except if you want to use it on some gpg card or so)…

    You can (and should) create signing keys which may be smaller (and therefore perhaps faster in use)… while the primary is only used for key signing.

  2. <hat class="keyring-maint">
    Ana’s post is the reference we all use, and what we have incorporated in keyring-maint’s pages. My hat off to her. Although I’m still speaking with my hat on.

    As for getting people to sign your new key: I don’t like this, but it is just my personal preference… Several people have prepared transition documents when changing their keys. Transition documents usually include:

    • Full fingerprint for your old and new keys
    • Reason for the key replacement
    • Are signed by both keys
    • Request signers of your old key to sign the new one

    So, some people will reply to your request by signing the new key. Once again, I don’t like it and would prefer all signatures to be exchanged in person — But OTOH, if your old key has not been in any way compromised, and if new signatures are sent directly to you (i.e. using caff), the risk of an attacker getting a signature this way is very low.

    Your call.
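The advice in the two comments above, carried through end to end as an added example (this is not code from the post, from Ana Guerrero's HowTo, or from keyring-maint): the replacement key is built as the first comment suggests (RSA 4096 certify-only primary, smaller RSA signing subkey), a transition statement carries the items the second comment lists (both fingerprints, the reason, the request to old signers), and it is clearsigned with both keys and verified. It assumes GnuPG 2.1 or later (`gpg`, `gpgconf`) on PATH. The "old" key is a constructed DSA stand-in generated in a throwaway keyring, and the user ids are constructed; nothing touches the real `~/.gnupg`.

```shell
#!/bin/sh
# Added example, not from the post or its comments. Assumes GnuPG 2.1+.
# Everything happens in a scratch GNUPGHOME that is removed on exit.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not found, nothing to demonstrate" >&2; exit 0; }

GNUPGHOME=$(mktemp -d)
export GNUPGHOME
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$GNUPGHOME"' EXIT

# Unattended gpg; the empty passphrase is for these demo keys only.
gpg_() { gpg --batch --quiet --no-tty --pinentry-mode loopback --passphrase '' "$@"; }

OLD_UID="old-key-demo@example.invalid"   # constructed
NEW_UID="new-key-demo@example.invalid"   # constructed

# Fingerprint of the primary key behind a user id (first "fpr" record).
fpr_of() {
  gpg_ --with-colons --list-keys "$1" | awk -F: '$1=="fpr"{print $10; exit}'
}

# Capabilities column of the primary key: lowercase letters are the primary's
# own ('c' certify, 's' sign, 'e' encrypt), uppercase what the whole key can do.
primary_caps() {
  gpg_ --with-colons --list-keys "$1" | awk -F: '$1=="pub"{print $12; exit}'
}

# The key being retired: a DSA stand-in (2048-bit so current gpg accepts it).
gen_old_key() {
  gpg_ --quick-generate-key "$OLD_UID" dsa2048 sign never
}

# The replacement: a certify-only RSA 4096 primary that only signs other keys,
# plus an RSA 2048 signing subkey for day-to-day use that expires and can be rotated.
gen_new_key() {
  gpg_ --quick-generate-key "$NEW_UID" rsa4096 cert never
  gpg_ --quick-add-key "$(fpr_of "$NEW_UID")" rsa2048 sign 2y
}

# Transition statement: both fingerprints, the reason, the request to old signers.
write_statement() {   # write_statement <old-fpr> <new-fpr> <outfile>
  cat >"$3" <<EOF
OpenPGP key transition statement

Old key fingerprint: $1
New key fingerprint: $2

Reason: the old key is DSA with a 1024-bit ElGamal subkey, too short by
today's standards. The old key has NOT been compromised.

If you signed the old key, please sign the new one and send the signature
to me (for example with caff) rather than uploading it to a keyserver.
EOF
}

# Clearsign with both keys in one pass; gpg picks the new key's signing subkey itself.
sign_with_both() {   # sign_with_both <old-fpr> <new-fpr> <textfile>
  gpg_ --yes -u "$1" -u "$2" --clearsign --output "$3.asc" "$3"
}

# Number of signatures that verified: one GOODSIG status line per signature.
count_good_sigs() {
  gpg_ --status-fd 1 --verify "$1" 2>/dev/null | grep -c '^\[GNUPG:\] GOODSIG' || true
}

gen_old_key
gen_new_key
OLD=$(fpr_of "$OLD_UID")
NEW=$(fpr_of "$NEW_UID")
STATEMENT="$GNUPGHOME/transition.txt"
write_statement "$OLD" "$NEW" "$STATEMENT"
sign_with_both "$OLD" "$NEW" "$STATEMENT"
# Public key to attach when mailing the statement to the old key's signers.
gpg_ --armor --export "$NEW" >"$GNUPGHOME/newkey.asc"

echo "new primary capabilities: $(primary_caps "$NEW")"              # 'c' present, no lowercase 's'
echo "good signatures on statement: $(count_good_sigs "$STATEMENT.asc")"   # 2
```

The check worth keeping from this run is the capabilities column: a primary that carries `c` but no lowercase `s` cannot sign mail or files at all, so a leaked laptop only exposes the subkey, which the primary can revoke and replace without anyone having to re-sign the key. The statement is signed by both keys for the same reason the comment gives: anyone who trusted the old key can verify that its holder vouches for the new one.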
