Creating a new Identity
dgouttegattat at incenp.org
Thu May 14 21:00:33 CEST 2015
On 05/14/2015 06:04 PM, Alfredo Palhares wrote:
> I've been doing some reading
I would note that this document is obsolete on several points.
* First and foremost, it suggests using GnuPG 1.4. Even in 2013, there
was already no reason to prefer that version over GnuPG 2.0; a fortiori
there is no reason today to prefer it over GnuPG 2.1. Actually,
“creating the perfect GPG keypair” is much easier with Modern GnuPG.
* I also disagree with the advice of always “using the highest possible
values for key length”, although I reckon that this point is
controversial. I’d rather stick to 2048-bit for the subkeys (they
can be changed at any time, if we were to learn that attacks on 2048-bit
RSA become practical), even if I do recommend 4096-bit for the *master*
* There is no more need to “strengthen hash preferences”.
* GnuPG 2.1 already creates a revocation certificate (stored in
~/.gnupg/openpgp-revocs.d) when creating a new key pair.
* With GnuPG 2.1 removing the master private key from the keyring is now
much easier, as you don’t need to go through the whole process of
exporting the private subkeys, deleting all the private keys, then
importing back the subkeys only.
Instead, get the “keygrip” of your master key:
$ gpg2 --with-keygrip -K
sec rsa4096/CB2F38F25B491A54 2014-12-31 [SC] [expires: 2017-12-30]
Keygrip = D4DF0C35D3E22FA6AC37DA2E54FB03F73616A3CB
uid [ultimate] Alice <alice at example.org>
You will find the file containing the private key in
~/.gnupg/private-keys-v1.d/KEYGRIP.key. Move this file to any secure
place you want. When you need your private master key, just put the
file back in the private-keys-v1.d directory (do not change its name).
> - How do you store your master GPG key offline ?
I’ve split it in 2-of-3 shares using libgfshare. One share is
left on my computer, the other two are offline on two USB sticks.
> - Coming from another email and GPG what would be the best method to prove I am
> the person that used masterkorp at masterkorp.net email and X key id ?
You could either:
* sign your new keypair with your old key;
* write a transition statement and sign it with both your old and your
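As an added example (not part of the original post): a small POSIX shell helper that automates the keygrip lookup and the file move described above. It assumes the GnuPG 2.1 layout (~/.gnupg/private-keys-v1.d/KEYGRIP.key), takes the GnuPG home directory as a parameter instead of hardcoding ~/.gnupg, and is exercised on a constructed listing modelled on the output shown in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the GnuPG 2.1 on-disk layout
# <homedir>/private-keys-v1.d/<KEYGRIP>.key and the human-readable output of
# `gpg2 --with-keygrip -K` (a "Keygrip = ..." line following each sec/ssb line).

# master_keygrip: read a key listing on stdin and print the keygrip that
# follows the first "sec" line (the master key). Subkeys (ssb) are skipped
# because we stop at the first match after "sec".
master_keygrip() {
    awk '
        /^sec/                       { in_sec = 1; next }
        in_sec && /^[ \t]*Keygrip = / { print $3; exit }
    '
}

# key_file HOMEDIR KEYGRIP: path of the private key file for that keygrip.
key_file() {
    printf '%s/private-keys-v1.d/%s.key\n' "$1" "$2"
}

# stash_master HOMEDIR DESTDIR: move the master private key file out of the
# keyring into DESTDIR (e.g. a mounted USB stick), keeping its file name.
stash_master() {
    grip=$(gpg2 --homedir "$1" --with-keygrip -K | master_keygrip) || return 1
    [ -n "$grip" ] || { echo "no master keygrip found" >&2; return 1; }
    mv -i "$(key_file "$1" "$grip")" "$2/$grip.key"
}

# restore_master SRCDIR KEYGRIP HOMEDIR: put the file back under its original
# name so GnuPG picks the master key up again (the name must not change).
restore_master() {
    mv -i "$1/$2.key" "$(key_file "$3" "$2")"
}

# Constructed sample listing (the second keygrip is a made-up placeholder),
# used to check master_keygrip without touching a real keyring.
SAMPLE_LISTING=$(cat <<'EOF'
sec   rsa4096/CB2F38F25B491A54 2014-12-31 [SC] [expires: 2017-12-30]
      Keygrip = D4DF0C35D3E22FA6AC37DA2E54FB03F73616A3CB
uid           [ultimate] Alice <alice@example.org>
ssb   rsa2048/0000000000000000 2014-12-31 [E]
      Keygrip = 1111111111111111111111111111111111111111
EOF
)
```

Run `stash_master "$HOME/.gnupg" /media/usbstick` with the stick mounted; `gpg2 -K` afterwards shows the master key as `sec#`, i.e. present in the keyring but without its secret part.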