I know I’m a little late with this, but I want to renew my GPG key and change it from DSA to RSA. The length of my ElGamal key is 1024, which is not that good by today’s standards. When searching on Planet Debian, I found a few HowTos, especially the one by Ana Guerrero.
Are there any other tips or caveats than those mentioned in her blog? Is an RSA key with a length of 4096 state of the art at the moment? Is it acceptable to send the new key signed (and maybe encrypted) to all those who already signed my old key, to get the new key signed?
Comments are welcome, dear Lazy Web!
5 thoughts on “Changing/Renewing GPG key procedure?”
Debian keyring maintainers, also quoting Ana: http://keyring.debian.org/creating-key.html
dkg’s helpful notes: http://www.debian-administration.org/users/dkg/weblog/48
(I migrated with the help of Ana’s and dkg’s howtos, plus the detail about caff that’s linked somewhere)
bubulle documented his transition and pointed towards zack’s version in his blog.
There is also URL: http://keyring.debian.org/creating-key.html, though that also references Ana’s blog as what they are based on.
“Best” key lengths are always highly discussed…
gpg (per default) does not support lengths > 4096…
There is IMHO no single good argument against using 4096 for the primary key (well except you want to use it on some gpg card or so)…
You can (and should) create signing keys which may be smaller (and therefore perhaps faster in use)… while the primary is only used for key signing.
Ana’s post is the reference we all use, and what we have incorporated in keyring-maint’s pages. My hat off to her. Although I’m still speaking with my hat on.
As for getting people to sign your new key: I don’t like this, but it is just my personal preference… Several people have prepared transition documents when changing their keys. Transition documents usually include:
So, some people will reply to your request by signing the new key. Once again, I don’t like it and would prefer all signatures to be exchanged in person — But OTOH, if your old key has not been in any way compromised, and if new signatures are sent directly to you (i.e. using caff), the risk of an attacker getting a signature this way is very low.
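The procedure the comments sketch (a certify-only 4096-bit RSA primary with a smaller signing subkey, the new key certified by the old one, and a transition statement clear-signed by both keys) as an added shell example; it is not from the post or from any commenter. The user ids, the 2048-bit subkey size and the two-year subkey expiry are assumptions, and the "old" key is a constructed stand-in created in a throwaway GNUPGHOME, so nothing touches a real keyring.

```shell
#!/bin/sh
# Added example: GPG key transition in a scratch keyring (GnuPG 2.1+ needed).
set -eu
if ! command -v gpg >/dev/null 2>&1; then
    echo "gpg not found; nothing to do" >&2
    exit 0
fi
GNUPGHOME="$(mktemp -d)"; export GNUPGHOME
chmod 700 "$GNUPGHOME"

# gpg wrapper: non-interactive, empty passphrase (scratch keys only).
g() { gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }

# Print the primary-key fingerprint for a user id.
fpr_of() {
    g --with-colons --list-keys "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Step 0 (constructed): a stand-in for the existing key that is being replaced.
g --quick-generate-key "Old Key <old@example.invalid>" rsa2048 sign never
OLD="$(fpr_of old@example.invalid)"

# Step 1: new 4096-bit RSA primary that can only certify (sign keys/user ids),
#         as the comments recommend; it never signs mail or files itself.
g --quick-generate-key "New Key <new@example.invalid>" rsa4096 cert never
NEW="$(fpr_of new@example.invalid)"

# Step 2: smaller, faster RSA signing subkey for day-to-day use (assumed size
#         and expiry); it can be rotated without touching the primary.
g --quick-add-key "$NEW" rsa2048 sign 2y

# Step 3: certify the new key with the old key so existing trust carries over.
g -u "$OLD" --quick-sign-key "$NEW"

# Step 4: transition statement clear-signed by BOTH keys, so a recipient who
#         trusts either key can verify it.
printf 'I am transitioning from key %s to key %s.\n' "$OLD" "$NEW" > transition.txt
g -u "$OLD" -u "$NEW" --clearsign -o transition.asc transition.txt

# Succeeds only if the statement carries two valid signatures (old and new).
both_signatures_ok() {
    count="$(g --status-fd 1 --verify transition.asc 2>/dev/null \
             | grep -c '^\[GNUPG:\] VALIDSIG ')"
    [ "$count" -eq 2 ]
}
```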