On 05/14/2015 06:04 PM, Alfredo Palhares wrote:
I've been doing some reading[1]
I would note that this document is obsolete on several points.

* First and foremost, it suggests using GnuPG 1.4. Even in 2013, there was already no reason to prefer that version over GnuPG 2.0; a fortiori there is no reason today to prefer it over GnuPG 2.1. Actually, “creating the perfect GPG keypair” is much easier with Modern GnuPG.

* I also disagree with the advice of always “using the highest possible values for key length”, although I reckon that this point is controversial [1]. I’d rather stick to 2048-bit for the subkeys (they can be changed at any time, if we were to learn that attacks on 2048-bit RSA become practical), even if I do recommend 4096-bit for the *master* key only.

* There is no more need to “strengthen hash preferences”.

* GnuPG 2.1 already creates a revocation certificate (stored in ~/.gnupg/openpgp-revocs.d) when creating a new key pair.

* With GnuPG 2.1, removing the master private key from the keyring is now much easier, as you don’t need to go through the whole process of exporting the private subkeys, deleting all the private keys, then importing back the subkeys only.

Instead, get the “keygrip” of your master key:

$ gpg2 --with-keygrip -K
/home/alice/.gnupg/pubring.kbx
------------------------------
sec   rsa4096/CB2F38F25B491A54 2014-12-31 [SC] [expires: 2017-12-30]
      Keygrip = D4DF0C35D3E22FA6AC37DA2E54FB03F73616A3CB
uid           [ultimate] Alice <al...@example.org>
[…]

You will find the file containing the private key in ~/.gnupg/private-keys-v1.d/KEYGRIP.key. Move this file to any secure place you want. When you need your private master key, just put the file back in the private-keys-v1.d directory (do not change its name).
- How do you store your master GPG key offline?

I’ve split it in 2-of-3 shares using libgfshare [2]. One share is left on my computer, the other two are offline on two USB sticks.
- Coming from another email and GPG, what would be the best method to prove I am the person that used the masterk...@masterkorp.net email and X key id?

You could either:

* sign your new keypair with your old key;
* write a transition statement and sign it with both your old and your new key.

[1] http://wiki.gnupg.org/LargeKeys
[2] http://www.digital-scurf.org/software/libgfshare
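The two procedures discussed in the reply above, the keygrip-based way of taking the master private key offline (with the `sec#` check and the libgfshare split) and the two ways of proving a key transition, as an added shell example that is not part of the thread. It assumes GnuPG 2.1 (`gpg2`), `gfsplit` from libgfshare and a POSIX shell; the key IDs are placeholders and the listing it parses is constructed after the one quoted in the reply.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
#   1. take the master private key offline by keygrip (GnuPG 2.1 layout),
#      check that gpg2 now lists it as "sec#", and split the offline copy
#      into 2-of-3 shares with libgfshare's gfsplit;
#   2. prove a key transition by certifying the new key with the old one,
#      or by clearsigning a transition statement with both keys.
# Assumptions: gpg2 (GnuPG >= 2.1), gfsplit from libgfshare, POSIX sh.
# OLD_KEY/NEW_KEY are placeholders; SAMPLE_LISTING is constructed.
set -eu

GNUPGHOME="${GNUPGHOME:-${HOME:-}/.gnupg}"
OLD_KEY="${OLD_KEY:-OLD_KEY_ID_PLACEHOLDER}"
NEW_KEY="${NEW_KEY:-NEW_KEY_ID_PLACEHOLDER}"

# --- 1. master key offline -----------------------------------------------

# Keygrip printed under the first "sec" line of `gpg2 --with-keygrip -K`
# (the first "sec" entry is the master key; "ssb" lines are subkeys).
master_keygrip() {
    printf '%s\n' "$1" | awk '
        /^sec/ { in_master = 1; next }
        in_master && /Keygrip = / { print $3; exit }'
}

# GnuPG 2.1 stores each private key as private-keys-v1.d/<KEYGRIP>.key.
keyfile_path() {
    printf '%s/private-keys-v1.d/%s.key\n' "$GNUPGHOME" "$1"
}

# Move the file to an offline directory, keeping its name so it can be
# put back later without renaming.
move_master_offline() {
    src=$(keyfile_path "$1"); dst="$2/$1.key"
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
    [ ! -e "$dst" ] || { echo "refusing to overwrite $dst" >&2; return 1; }
    mv "$src" "$dst"
}

# Check: gpg2 -K marks the master key "sec#" when its secret part is
# absent, while the subkeys ("ssb") remain usable for signing/decryption.
master_is_offline() {
    gpg2 -K 2>/dev/null | grep -q '^sec#'
}

# Split the offline copy into 3 shares of which any 2 rebuild the file
# (gfsplit -n threshold -m share count); gfcombine reverses this.
split_into_shares() {
    gfsplit -n 2 -m 3 "$1"
}

# --- 2. key transition ----------------------------------------------------

# Option 1: certify the new key with the old one.
sign_new_key_with_old() {
    gpg2 --default-key "$OLD_KEY" --sign-key "$NEW_KEY"
}

# Option 2: a transition statement naming both keys ...
transition_statement() {
    printf 'I am transitioning my OpenPGP key from %s to %s.\n' "$OLD_KEY" "$NEW_KEY"
    printf 'Please verify this statement with both keys.\n'
}

# ... clearsigned with both keys (two -u options give two signatures in
# one file); anyone can check it with: gpg2 --verify "$1.asc"
sign_transition_statement() {
    transition_statement > "$1"
    gpg2 --clearsign -u "$OLD_KEY" -u "$NEW_KEY" "$1"   # writes "$1.asc"
}

# Constructed listing in the format gpg2 --with-keygrip -K prints:
SAMPLE_LISTING='/home/alice/.gnupg/pubring.kbx
------------------------------
sec   rsa4096/CB2F38F25B491A54 2014-12-31 [SC] [expires: 2017-12-30]
      Keygrip = D4DF0C35D3E22FA6AC37DA2E54FB03F73616A3CB
uid           [ultimate] Alice <alice@example.org>
ssb   rsa2048/0123456789ABCDEF 2014-12-31 [E]
      Keygrip = 0000000000000000000000000000000000000000'

# Without arguments: dry run on the constructed listing (no gpg2 needed).
# With "apply OFFLINE_DIR": run the real procedure against your keyring.
if [ "${1:-}" = "apply" ]; then
    dest="${2:?offline directory required}"
    grip=$(master_keygrip "$(gpg2 --with-keygrip -K)")
    move_master_offline "$grip" "$dest"
    master_is_offline && echo "master key is offline (sec#)"
    split_into_shares "$dest/$grip.key"
else
    grip=$(master_keygrip "$SAMPLE_LISTING")
    echo "master keygrip: $grip"
    echo "key file:       $(keyfile_path "$grip")"
fi
```

The dry run only exercises the parsing; `apply` moves the real file, so run it on a machine where the key file is backed up first, and keep the shares on separate media as the reply describes. After the move, `gpg2 -K` should show `sec#` for the master key and plain `ssb` for the subkeys, which is the quick check that day-to-day operations still work without the master key present.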
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users