GPG Key Update

From MyWiki

Jump to: navigation, search

Periodically updating cryptographic keys is a proactive security measure to limit exposure to compromise. This page documents a procedure for periodically generating new keys for GnuPG. See also the GPG-HowTo on the TAGPMA TWiki.

First, determine the ID of your current key pair: 

 $ gpg --list-secret-keys
 /Users/jbasney/.gnupg/secring.gpg
 ---------------------------------
 sec   1024D/C88399D9 2007-01-01 [expires: 2008-01-26]
 uid                  Jim Basney <jbasney@ncsa.uiuc.edu>
 ssb   2048g/4F09080A 2007-01-01
 
 $ export OLDKEY=C88399D9

Next, generate your new key pair: 

 $ gpg --gen-key
 Please select what kind of key you want:
    (1) DSA and Elgamal (default)
    (2) DSA (sign only)
    (5) RSA (sign only)
 Your selection? 
 DSA keypair will have 1024 bits.
 ELG-E keys may be between 1024 and 4096 bits long.
 What keysize do you want? (2048) 
 Requested keysize is 2048 bits
 Please specify how long the key should be valid.
          0 = key does not expire
       <n>  = key expires in n days
       <n>w = key expires in n weeks
       <n>m = key expires in n months
       <n>y = key expires in n years
 Key is valid for? (0) 13m
 Key expires at Mon Jan 26 11:28:48 2009 CST
 Is this correct? (y/N) y
 
 You need a user ID to identify your key; the software constructs the user ID
 from the Real Name, Comment and Email Address in this form:
     "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
 
 Real name: Jim Basney
 Email address: jbasney@ncsa.uiuc.edu
 Comment: 
 You selected this USER-ID:
     "Jim Basney <jbasney@ncsa.uiuc.edu>"
 
 Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
 You need a Passphrase to protect your secret key.
 
 We need to generate a lot of random bytes. It is a good idea to perform
 some other action (type on the keyboard, move the mouse, utilize the
 disks) during the prime generation; this gives the random number
 generator a better chance to gain enough entropy.
 gpg: key 19209234 marked as ultimately trusted
 public and secret key created and signed.
 
 pub   1024D/19209234 2008-01-02 [expires: 2009-01-26]
       Key fingerprint = 0610 7A41 F3C0 32AF 37F9  75A9 C0DC 317D 1920 9234
 uid                  Jim Basney <jbasney@ncsa.uiuc.edu>
 sub   2048g/F66483A5 2008-01-02 [expires: 2009-01-26]
 
 $ export NEWKEY=19209234

Next, use your old key to sign your new key: 

 $ gpg --default-key $OLDKEY --sign-key $NEWKEY
 
 pub  1024D/19209234  created: 2008-01-02  expires: 2009-01-26  usage: CS  
                      trust: ultimate      validity: ultimate
 sub  2048g/F66483A5  created: 2008-01-02  expires: 2009-01-26  usage: E   
 [ultimate] (1). Jim Basney <jbasney@ncsa.uiuc.edu>
 
 
 pub  1024D/19209234  created: 2008-01-02  expires: 2009-01-26  usage: CS  
                      trust: ultimate      validity: ultimate
  Primary key fingerprint: 0610 7A41 F3C0 32AF 37F9  75A9 C0DC 317D 1920 9234
 
      Jim Basney <jbasney@ncsa.uiuc.edu>
 
 This key is due to expire on 2009-01-26.
 Are you sure that you want to sign this key with your
 key "Jim Basney <jbasney@ncsa.uiuc.edu>" (C88399D9)
 
 Really sign? (y/N) y
 
 You need a passphrase to unlock the secret key for
 user: "Jim Basney <jbasney@ncsa.uiuc.edu>"
 1024-bit DSA key, ID C88399D9, created 2007-01-01
 
 $ gpg --list-sigs $NEWKEY
 pub   1024D/19209234 2008-01-02 [expires: 2009-01-26]
 uid                  Jim Basney <jbasney@ncsa.uiuc.edu>
 sig 3        19209234 2008-01-02  Jim Basney <jbasney@ncsa.uiuc.edu>
 sig          C88399D9 2008-01-02  Jim Basney <jbasney@ncsa.uiuc.edu>
 sub   2048g/F66483A5 2008-01-02 [expires: 2009-01-26]
 sig          19209234 2008-01-02  Jim Basney <jbasney@ncsa.uiuc.edu>

Export your new key and publish it on your home page: 

 $ gpg --export -a $NEWKEY > pgp.asc

Also publish your new key to https://keyserver.pgp.com/.

Now submit your new key to the key servers: 

 $ gpg --keyserver pgp.mit.edu --send-keys $NEWKEY
 gpg: sending key 19209234 to hkp server pgp.mit.edu

Generate a revocation certificate in case you lose your private key and need to revoke your key pair: 

 $ gpg --output ~/.gnupg/revoke-$NEWKEY.asc --gen-revoke $NEWKEY
 
 sec  1024D/19209234 2008-01-02 Jim Basney <jbasney@ncsa.uiuc.edu>
 
 Create a revocation certificate for this key? (y/N) y
 Please select the reason for the revocation:
   0 = No reason specified
   1 = Key has been compromised
   2 = Key is superseded
   3 = Key is no longer used
   Q = Cancel
 (Probably you want to select 1 here)
 Your decision? 0
 Enter an optional description; end it with an empty line:
 > 
 Reason for revocation: No reason specified
 (No description given)
 Is this okay? (y/N) y
 
 You need a passphrase to unlock the secret key for
 user: "Jim Basney <jbasney@ncsa.uiuc.edu>"
 1024-bit DSA key, ID 19209234, created 2008-01-02
 
 ASCII armored output forced.
 Revocation certificate created.
 
 Please move it to a medium which you can hide away; if Mallory gets
 access to this certificate he can use it to make your key unusable.
 It is smart to print this certificate and store it away, just in case
 your media become unreadable.  But have some caution:  The print system of
 your machine might store the data and make it available to others!

Finally, update your GnuPG applications to use your new key pair.

  • For the GnuPG command-line, set the default-key option in ~/.gnupg/gpg.conf: 
 default-key 19209234
  • For emacs mailcrypt, set the mc-gpg-user-id option in ~/.emacs: 
 (setq mc-gpg-user-id "19209234")
  • For Thunderbird Enigmail, set the Use specific OpenPGP key ID option via Tools -> Account Settings -> OpenPGP Security.
Retrieved from "http://mywiki.ncsa.uiuc.edu/wiki/GPG_Key_Update"
Personal tools