Dear GnuPG users, As part of the ResetTheNet campaign I decided to start using email encryption. I am a relatively new user of gpg, who is looking forward to using it for secure communication. Currently I am trying to generate a new PGP key by following some good/best practices. I have done some research into the matter, and I managed to gather some knowledge about the whole process. Still there are some details that I am unsure about. I've read the GnuPG manual, the man page, the handbook, and various other articles online. In particular these two were most interesting and helpful:
https://we.riseup.net/riseuplabs+paow/openpgp-best-practices https://alexcabal.com/creating-the-perfect-gpg-keypair Based on what I know so far I managed to come up with the following steps. - Boot a recent live linux CD on an unrelated computer - Create a 4096-bit RSA certification key with unlimited expiry - Add a 4096-bit RSA encryption subkey with 5 year expiry - Add a 4096-bit RSA signing subkey with 5 year expiry - Export the master keypair (pub + priv key) to an encrypted USB stick - Generate a revocation key, put it on the encrypted USB stick - Put the resulting USB stick somewhere safe, maybe back it up too - Remove the master private key from the keyring (not the private subkeys) - Export the public key, and the laptop private key to another USB stick - Power off the laptop to erase RAM - Import the laptop key into my laptop's GnuPG keyring for daily use - Upload the public key to a keyserver - Get some key signatures - Sign some other public keys (will need master key for this) And my gpg.conf (on the PC where the key is generated as well as on the laptop) looks like this: -------------------------------------------------- # Keyserver settings keyserver hkps://hkps.pool.sks-keyservers.net keyserver-options no-honor-keyserver-url ca-cert-file=/etc/ca-certificates/sks-keyservers.netCA.pem # Display options no-greeting no-emit-version fixed-list-mode keyid-format 0xlong with-fingerprint verify-options show-uid-validity list-options show-uid-validity sig-notation issuer-...@notations.openpgp.fifthhorseman.net=%g # Ciphers, hashes, stuff personal-digest-preferences SHA512 SHA384 SHA256 SHA224 default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed cert-digest-algo SHA512 # Misc use-agent -------------------------------------------------- Now I have a few questions about the above procedure. A) Is my key generation procedure okay? Am I missing any critical steps? I mostly followed one of the articles I linked above. Are these keys (with additional signing subkey) compatible with other OpenPGP software? B) Are my gpg.conf settings ok? Am I missing any important options? Would you add/remove any? Change any? C) What is the purpose of this line "sig-notation issuer-...@notations.openpgp.fifthhorseman.net=%g" in the config file? I can't seem to understand it. Why was it proposed? Is it compatible? D) While reading the GnuPG manual I came across some missing options that I *might* want to add. These were not proposed in the article. Should I add any of the following options to the config file, and what should I set them to? cert-notation personal-cipher-preferences s2k-cipher-algo s2k-digest-algo E) I noticed this: cert-digest-algo SHA512 The GnuPG 2 manual (pg. 51) warns that if this is set to a value that other OpenPGP implementations don't support, some users will be unable to use my key signatures. Personally I don't mind using strong hashes, but is this going to be a problem? I have no idea what other OpenPGP implementations support. GnuPG is the only one I know about. F) I like twofish. Should I add it to the list of my personal preferences? G) I have read some complaints from users about keys that use long signature hashes like sha512. In particular this makes emails difficult to read because some discussions can get crowded with long signatures, which is rather irritating to read and navigate. Is it possible to use sha256 for email signatures, and sha512 for everything else i.e. signing files. I use Thunderbird with Enigmail on Linux. H) Is it okay to generate PGP keys on a live linux CD? I mean is there sufficient entropy present? What can I do to introduce some more noise into the system? Some tutorials suggest moving the mouse, others tell me to use IO-heavy tasks i.e. the "find" command. Comments? There. That's about everything I came up with. Hopefully we can clear up the confusion, and I am looking forward to using GnuPG. I would like to thank you in advance for any answers, hints, comments, suggestions and advice. Best regards, Thomas _______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users