RSA keys for encryption and in general DSA/RSA/ElGamal-keypairs
atom at suspicious.org
Fri Jun 18 08:39:11 CEST 2004
-----BEGIN PGP SIGNED MESSAGE-----
On Fri, 18 Jun 2004, Ulrich Schneider wrote:
> Thanks, that was very helpful.
> Besides ... is there a doku how to replace the enc. key with another
> enc. key of higher key length when you want to have the same signature
you want to keep the (primary) signing key, and replace an encryption
subkey with something bigger?
you can create a new encryption (sub)key using "--edit-key", "addkey".
you have three options for what to do with the old key:
1) leave it. the default gpg behavior is to use the newest key it can
find. this means that your new key will be used when a gpg user encrypts a
message to you, and the old key will be ignored. i have no idea which
encryption subkey would be used by other pgp applications: if someone is
sending you an encrypted message, and they use MIT-PGP or PGPi, it ~might~
use the old encryption subkey... i don't know...
2) revoke it. in the edit-key menu, select the old key and "revkey".
that subkey still exists, and can be used to decrypt previously encrypted
messages, but anyone with a current copy of the key will not be able to
use that subkey for encryption.
3) delete it. in the edit-key menu, select the old key and "delkey".
that subkey no longer exists and can not be used to encrypt (or decrypt!!)
option #3 could be dangerous: you will not be able to read messages
encrypted with that subkey. if someone has on older copy of your key
(before you delete that subkey), they can encrypt a message to that subkey
and you will have no way to decrypt it. if your key has *NOT* been
circulated, then deleting the key might be a nice option; if/when you do
put your key into circulation, it won't have an unnecessary subkey in it.
i would recommended options #1 or #2 if your key is in circulation. anyone
could have an old copy of your key, and encrypt a message to a subkey that
is no longer current (but they might not know it). in either case, you
*will* be able to decrypt the message.
if you don't have any signatures on your key, and it's not widely used in
public, you might consider just creating a new key from scratch... make it
as big as you want.
PGP key - http://atom.smasher.org/pgp.txt
762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808
"Proprietary software seeks to maximize its value
solely in monetary terms by achieving a monopoly.
Open Source software maximizes its value by assuring
that a monopoly cannot be achieved."
-- Mark Webbink, Senior Vice President and
General Counsel of Red Hat
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.3.6 (FreeBSD)
Comment: What is this gibberish?
-----END PGP SIGNATURE-----
More information about the Gnupg-users