New user needs some help
suspekt at gmx.de
Thu Jun 5 11:44:49 CEST 2014
I just commented on things that I think you may change. I am no
GPG-Master though. Note that there are people on this list with far more
expertise than I have.
Am 05.06.2014 09:26, schrieb Cpp:
> - Create a 4096-bit RSA certification key with unlimited expiry
Set an expiration date. You can extend it any time, even after it has
expired. In a worst case situation (keys and backups are lost) the key
will not be valid for eternity.
> - Generate a revocation key, put it on the encrypted USB stick
Store the revocation certificate separately. Again, in a worst case (Key
lost, backup lost) you can still revoke using the certificate. Some
people print it out and store it at at their bank/safe place.
> And my gpg.conf (on the PC where the key is generated as well as on
> the laptop) looks like this:
> # Keyserver settings
> keyserver hkps://hkps.pool.sks-keyservers.net
Dont know which OS you are using but this won't work if you're using
Gpg4win on windows. It cant handle the hkps protocol.
> cert-digest-algo SHA512
This will you incompatibility with many (I think all) versions of PGP.
Maybe its not relevant to you if you mainly communicate with people
> A) Is my key generation procedure okay? Am I missing any critical
> steps? I mostly followed one of the articles I linked above. Are these
> keys (with additional signing subkey) compatible with other OpenPGP
> C) What is the purpose of this line "sig-notation
> issuer-fpr at notations.openpgp.fifthhorseman.net=%g" in the config file?
> I can't seem to understand it. Why was it proposed? Is it compatible?
I'm not sure about this option and I don't really know what it means.
Just leave it out.
> E) I noticed this: cert-digest-algo SHA512
> The GnuPG 2 manual (pg. 51) warns that if this is set to a value that
> other OpenPGP implementations don't support, some users will be unable
> to use my key signatures. Personally I don't mind using strong hashes,
> but is this going to be a problem? I have no idea what other OpenPGP
> implementations support. GnuPG is the only one I know about.
There are commercial implementations. The most known is probably PGP
(The Original Software created by Phil Zimerman). Check it at Wikipedia.
> F) I like twofish. Should I add it to the list of my personal preferences?
Why not? If your GPG version supports it. Check with "gpg --version"
> G) I have read some complaints from users about keys that use long
> signature hashes like sha512. In particular this makes emails
> difficult to read because some discussions can get crowded with long
> signatures, which is rather irritating to read and navigate. Is it
> possible to use sha256 for email signatures, and sha512 for everything
> else i.e. signing files. I use Thunderbird with Enigmail on Linux.
Don't know, just use PGP/MIME instead of PGP/Inline. This will keep the
hash separated from the text.
> H) Is it okay to generate PGP keys on a live linux CD? I mean is there
> sufficient entropy present? What can I do to introduce some more noise
> into the system? Some tutorials suggest moving the mouse, others tell
> me to use IO-heavy tasks i.e. the "find" command. Comments?
I would say it's best practice to use linux live cd and stay offline!
Move the mouse, open a texfile and beat your keyboard :) GPG will tell
you if there is not enough entropy.
More information about the Gnupg-users