Creating a new Identity

Damien Goutte-Gattat dgouttegattat at
Thu May 14 21:00:33 CEST 2015

On 05/14/2015 06:04 PM, Alfredo Palhares wrote:
> I've been doing some reading[1]

I would note that this document is obsolete on several points.

* First and foremost, it suggests using GnuPG 1.4. Even in 2013, there 
was already no reason to prefer that version over GnuPG 2.0; a fortiori 
there is no reason today to prefer it over GnuPG 2.1. Actually, 
“creating the perfect GPG keypair” is much easier with Modern GnuPG.

* I also disagree with the advice of always “using the highest possible 
values for key length”, although I reckon that this point is 
controversial [1]. I’d rather stick to 2048-bit for the subkeys (they 
can be changed at any time, if we were to learn that attacks on 2048-bit 
RSA become practical), even if I do recommend 4096-bit for the *master* 
key only.

* There is no more need to “strengthen hash preferences”.

* GnuPG 2.1 already creates a revocation certificate (stored in 
~/.gnupg/openpgp-revocs.d) when creating a new key pair.

* With GnuPG 2.1 removing the master private key from the keyring is now 
much easier, as you don’t need to go through the whole process of 
exporting the private subkeys, deleting all the private keys, then 
importing back the subkeys only.

Instead, get the “keygrip” of your master key:

    $ gpg2 --with-keygrip -K
    sec   rsa4096/CB2F38F25B491A54 2014-12-31 [SC] [expires: 2017-12-30]
          Keygrip = D4DF0C35D3E22FA6AC37DA2E54FB03F73616A3CB
    uid               [ultimate] Alice <alice at>

You will find the file containing the private key in 
~/.gnupg/private-keys-v1.d/KEYGRIP.key. Move this file to any secure 
place you want. When you will need your private master key, just put the 
file back in the private-keys-v1.d directory (do not change its name).

> - How do you store your master GPG key offline ?

I’ve split it in 2-of-3 shares using libgfshare [2]. One share is 
left on my computer, the other two are offline on two USB sticks.

> - Coming from another email and GPG what would be the best method to prove I am
>    the person that used masterkorp at email and X key id ?

You could either:

* sign your new keypair with your old key;

* write a transition statement and sign it with both your old and your 
new key.
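A small POSIX-shell helper for the keygrip procedure described above, added here as an example (not Damien's code and not part of GnuPG): it extracts the master key's keygrip for a given key ID from a `gpg2 --with-keygrip -K` listing, then moves the matching private-keys-v1.d file to offline storage without renaming it, so it can be put back later. The listing is a constructed sample in the format shown in the post; the directory paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: locate the master key's keygrip and move the key file
# ~/.gnupg/private-keys-v1.d/<KEYGRIP>.key out of the keyring directory.

# Constructed sample listing in the format of `gpg2 --with-keygrip -K`.
SAMPLE_LISTING='sec   rsa4096/CB2F38F25B491A54 2014-12-31 [SC] [expires: 2017-12-30]
      Keygrip = D4DF0C35D3E22FA6AC37DA2E54FB03F73616A3CB
uid               [ultimate] Alice <alice@example.org>
ssb   rsa2048/0123456789ABCDEF 2014-12-31 [E] [expires: 2017-12-30]
      Keygrip = 0000000000000000000000000000000000000001'

# master_keygrip LISTING KEYID
# Prints the Keygrip that follows the "sec" line carrying KEYID. Only the
# master key ("sec") qualifies; subkey ("ssb") lines are ignored. Returns 1
# when no matching master key is found.
master_keygrip() {
    printf '%s\n' "$1" | awk -v id="$2" '
        $1 == "sec" && index($2, "/" id) { want = 1; next }
        want && $1 == "Keygrip"          { print $3; found = 1; exit }
        $1 == "ssb" || $1 == "uid"       { want = 0 }
        END { exit found ? 0 : 1 }'
}

# stash_master_key GNUPGHOME KEYGRIP DEST_DIR
# Moves the master private key file into DEST_DIR (e.g. a mounted USB
# stick), keeping its file name, and confirms it is gone from the keyring.
stash_master_key() {
    src="$1/private-keys-v1.d/$2.key"
    [ -f "$src" ] || { echo "no such key file: $src" >&2; return 1; }
    mkdir -p "$3" && chmod 700 "$3" || return 1
    mv "$src" "$3/$2.key" || return 1
    [ ! -e "$src" ] && [ -f "$3/$2.key" ]
}

# restore_master_key GNUPGHOME KEYGRIP SRC_DIR
# The reverse operation, for when the master key is needed again.
restore_master_key() {
    mv "$3/$2.key" "$1/private-keys-v1.d/$2.key"
}

# Usage (assumed paths):
#   grip=$(master_keygrip "$(gpg2 --with-keygrip -K)" CB2F38F25B491A54) &&
#   stash_master_key "$HOME/.gnupg" "$grip" /media/usb/master-key
```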
