I have wanted to renew my GPG key for some time, and after reading the latest news I finally generated a new key today.

pub   4096R/6AA15948 2009-05-10
      Key fingerprint = 7A33 ECAA 188B 96F2 7C91  7288 B346 4F89 6AA1 5948
uid                  Ana Beatriz Guerrero López <ana@ekaia.org>
uid                  Ana Beatriz Guerrero López <ana@debian.org>
sub   4096R/2497B8B2 2009-05-10



Since I tend to forget this stuff, I am blogging all the steps I have followed.

Long and verbose post follows...



Update .gnupg/gpg.conf

Add at the end of the file:

personal-digest-preferences SHA256
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

The first line is the digest used for the signatures you make, the second is the digest used for key certifications (including the self-signatures on the new key), and the third is the preference list written into newly created keys. The point of all three is to stop relying on SHA1.

Create key

Update, September 2009: if you are using GnuPG 1.4.10 or higher, the options have changed. You can select option (1) RSA and RSA (default) directly; that creates the encryption subkey at the same time as the new key, so you can skip the "Add subkey for encryption" step below.

ana@pryan:~$ gpg --gen-key
...
Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection? 5
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
...
Real name: Ana Beatriz Guerrero López
Email address: ana@ekaia.org
Comment:
You are using the `utf-8' character set.
You selected this USER-ID:
    "Ana Beatriz Guerrero López <ana@ekaia.org>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
...
gpg: key 6AA15948 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
...
gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
gpg: depth: 0  valid:   3  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 3u
pub   4096R/6AA15948 2009-05-10
      Key fingerprint = 7A33 ECAA 188B 96F2 7C91  7288 B346 4F89 6AA1 5948
uid                  Ana Beatriz Guerrero López <ana@ekaia.org>

Note that this key cannot be used for encryption.  You may want to use
the command "--edit-key" to generate a subkey for this purpose.

Add other UID

ana@pryan:~$ gpg --edit-key 0x6AA15948
...
Command> adduid
Real name: Ana Beatriz Guerrero López
Email address: ana@debian.org
Comment:
You are using the `utf-8' character set.
You selected this USER-ID:
    "Ana Beatriz Guerrero López <ana@debian.org>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

You need a passphrase to unlock the secret key for
user: "Ana Beatriz Guerrero López <ana@ekaia.org>"
4096-bit RSA key, ID 6AA15948, created 2009-05-10

pub  4096R/6AA15948  created: 2009-05-10  expires: never       usage: SC
                     trust: ultimate      validity: ultimate
[ultimate] (1)  Ana Beatriz Guerrero López <ana@ekaia.org>
[ unknown] (2). Ana Beatriz Guerrero López <ana@debian.org>

Command> save

Change preferences

ana@pryan:~$ gpg --edit-key 0x6AA15948
...
Command> showpref
[ultimate] (1). Ana Beatriz Guerrero López <ana@debian.org>
     Cipher: AES256, AES192, AES, CAST5, 3DES
     Digest: SHA1, SHA256, RIPEMD160
     Compression: ZLIB, BZIP2, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify
[ultimate] (2)  Ana Beatriz Guerrero López <ana@ekaia.org>
     Cipher: AES256, AES192, AES, CAST5, 3DES
     Digest: SHA1, SHA256, RIPEMD160
     Compression: ZLIB, BZIP2, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify

Command> setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
Set preference list to:
     Cipher: AES256, AES192, AES, CAST5, 3DES
     Digest: SHA512, SHA384, SHA256, SHA224, SHA1
     Compression: ZLIB, BZIP2, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify
Really update the preferences? (y/N) y
gpg: WARNING: no user ID has been marked as primary.  This command may
              cause a different user ID to become the assumed primary.

You need a passphrase to unlock the secret key for
user: "Ana Beatriz Guerrero López <ana@debian.org>"
4096-bit RSA key, ID 6AA15948, created 2009-05-10

pub  4096R/6AA15948  created: 2009-05-10  expires: never       usage: SC
                     trust: ultimate      validity: ultimate
[ultimate] (1)  Ana Beatriz Guerrero López <ana@debian.org>
[ultimate] (2). Ana Beatriz Guerrero López <ana@ekaia.org>

Command> showpref
[ultimate] (1)  Ana Beatriz Guerrero López <ana@debian.org>
     Cipher: AES256, AES192, AES, CAST5, 3DES
     Digest: SHA512, SHA384, SHA256, SHA224, SHA1
     Compression: ZLIB, BZIP2, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify
[ultimate] (2). Ana Beatriz Guerrero López <ana@ekaia.org>
     Cipher: AES256, AES192, AES, CAST5, 3DES
     Digest: SHA512, SHA384, SHA256, SHA224, SHA1
     Compression: ZLIB, BZIP2, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify

Command> save

Set primary UID

ana@pryan:~$ gpg --edit-key 0x6AA15948
...
Command> uid 1

pub  4096R/6AA15948  created: 2009-05-10  expires: never       usage: SC
                     trust: ultimate      validity: ultimate
[ultimate] (1)* Ana Beatriz Guerrero López <ana@ekaia.org>
[ultimate] (2)  Ana Beatriz Guerrero López <ana@debian.org>

Command> primary

You need a passphrase to unlock the secret key for
user: "Ana Beatriz Guerrero López <ana@ekaia.org>"
4096-bit RSA key, ID 6AA15948, created 2009-05-10

pub  4096R/6AA15948  created: 2009-05-10  expires: never       usage: SC
                     trust: ultimate      validity: ultimate
[ultimate] (1)* Ana Beatriz Guerrero López <ana@ekaia.org>
[ultimate] (2)  Ana Beatriz Guerrero López <ana@debian.org>

Command> save

Add subkey for encryption

ana@pryan:~$ gpg --edit-key 0x6AA15948
...
Command> addkey
Key is protected.

You need a passphrase to unlock the secret key for
user: "Ana Beatriz Guerrero López <ana@ekaia.org>"
4096-bit RSA key, ID 6AA15948, created 2009-05-10

Please select what kind of key you want:
   (2) DSA (sign only)
   (4) Elgamal (encrypt only)
   (5) RSA (sign only)
   (6) RSA (encrypt only)
Your selection? 6
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
...
pub  4096R/6AA15948  created: 2009-05-10  expires: never       usage: SC
                     trust: ultimate      validity: ultimate
sub  4096R/2497B8B2  created: 2009-05-10  expires: never       usage: E
[ultimate] (1). Ana Beatriz Guerrero López <ana@ekaia.org>
[ultimate] (2)  Ana Beatriz Guerrero López <ana@debian.org>

Command> save

Sign my new key with my old key

ana@pryan:~$ gpg --default-key E8C43461 --sign-key 6AA15948

pub  4096R/6AA15948  created: 2009-05-10  expires: never       usage: SC
                     trust: ultimate      validity: ultimate
sub  4096R/2497B8B2  created: 2009-05-10  expires: never       usage: E
[ultimate] (1). Ana Beatriz Guerrero López <ana@ekaia.org>
[ultimate] (2)  Ana Beatriz Guerrero López <ana@debian.org>

Really sign all user IDs? (y/N) y

pub  4096R/6AA15948  created: 2009-05-10  expires: never       usage: SC
                     trust: ultimate      validity: ultimate
 Primary key fingerprint: 7A33 ECAA 188B 96F2 7C91  7288 B346 4F89 6AA1 5948

     Ana Beatriz Guerrero López <ana@ekaia.org>
     Ana Beatriz Guerrero López <ana@debian.org>

Are you sure that you want to sign this key with your
key "Ana Beatriz Guerrero López <ana@ekaia.org>" (E8C43461)

Really sign? (y/N) y

You need a passphrase to unlock the secret key for
user: "Ana Beatriz Guerrero López <ana@ekaia.org>"
1024-bit DSA key, ID E8C43461, created 2004-12-06
...
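The whole procedure above (key type, size, preference list, encryption subkey) can be driven from a parameter file instead of answering the --edit-key prompts one by one, and the result can be checked mechanically rather than by eyeballing showpref. The script below is an added example written for this post, not the author's own commands: gen_params emits the documented "unattended key generation" parameter file that `gpg --batch --gen-key` reads (Preferences: is the batch form of setpref), and audit_packets reads `gpg --list-packets` output and flags what the post is trying to get rid of: a non-RSA or undersized primary key, self-signatures hashed with SHA1 or MD5, a digest preference list that leads with SHA1, and a key with no expiry. The name and e-mail are placeholders, the two packet dumps are constructed samples in the format gpg prints (not real keys), and gpg on PATH is only needed for the --generate path. One deliberate difference from the post: the generated key gets a two-year expiry, which can be extended later with the expire command in --edit-key.

```shell
#!/bin/sh
# Added example, not from the original post. Placeholder identity; gpg only
# needed for `--generate`. Packet dumps below are constructed samples.

# Parameter file for `gpg --batch --gen-key` (unattended key generation format).
gen_params() {
    cat <<EOF
%echo generating RSA/RSA 4096-bit key for $2
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 4096
Subkey-Usage: encrypt
Name-Real: $1
Name-Email: $2
Expire-Date: ${3:-2y}
Preferences: SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
%commit
EOF
}

# Audit `gpg --list-packets` output on stdin: primary key RSA and >= 4096 bits,
# self-signatures (sigclass 0x10-0x13, 0x18) not MD5 (1) or SHA1 (2),
# pref-hash-algos leading with a SHA-2 id (8/9/10/11), expiry subpacket present.
# One line per check; exit status 1 if anything FAILed.
audit_packets() {
    awk '
    BEGIN { rc = 0 }
    function fail(m) { print "FAIL: " m; rc = 1 }
    function ok(m)   { print "ok:   " m }
    function field(line, key,   s) { s = line; sub("^.*" key " ", "", s); sub("[,) ].*$", "", s); return s }
    /^:public key packet:/ { pkt = "pub"; next }
    /^:signature packet:/  { pkt = "sig"; cls = ""; next }
    /^:/                   { pkt = ""; next }
    pkt == "pub" && /version 4, algo/ {
        a = field($0, "algo")
        if (a == 1) ok("primary key is RSA"); else fail("primary key algo " a " is not RSA (1)")
    }
    pkt == "pub" && /pkey\[0\]:/ {
        b = $0; sub(/^.*\[/, "", b); sub(/ bits.*$/, "", b)
        if (b + 0 >= 4096) ok("primary key is " b " bits"); else fail("primary key is only " b " bits")
    }
    pkt == "sig" && /sigclass 0x/ { cls = field($0, "sigclass") }
    pkt == "sig" && /digest algo/ && cls ~ /^0x1[0-3]$|^0x18$/ {
        d = field($0, "digest algo")
        if (d == 1 || d == 2) fail("self-signature " cls " hashed with " (d == 1 ? "MD5" : "SHA1"))
        else ok("self-signature " cls " uses digest algo " d)
    }
    pkt == "sig" && /pref-hash-algos:/ {
        p = $0; sub(/^.*pref-hash-algos: /, "", p); sub(/\).*$/, "", p); split(p, h, " ")
        if (h[1] == 8 || h[1] == 9 || h[1] == 10 || h[1] == 11) ok("digest preferences lead with SHA-2: " p)
        else fail("digest preferences lead with algo " h[1] ": " p)
    }
    pkt == "sig" && /key expires after/ { has_exp = 1 }
    END {
        if (has_exp) ok("key has an expiration date"); else fail("key never expires")
        exit rc
    }'
}

# Constructed sample in `gpg --list-packets` format: what a key made with the
# parameters above looks like.
SAMPLE_GOOD=':public key packet:
    version 4, algo 1, created 1241913600, expires 0
    pkey[0]: [4096 bits]
    keyid: 0123456789ABCDEF
:user ID packet: "Example User <user@example.org>"
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1241913600, md5len 0, sigclass 0x13
    digest algo 8, begin of digest 3a 7c
    hashed subpkt 9 len 4 (key expires after 2y0d0h0m)
    hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 3)
    hashed subpkt 21 len 4 (pref-hash-algos: 10 9 8 11)
    hashed subpkt 22 len 4 (pref-zip-algos: 2 3 1 0)'

# Constructed sample of a 2004-style key: 1024-bit DSA, SHA1 self-signature,
# SHA1 first in the digest preferences, no expiry.
SAMPLE_OLD=':public key packet:
    version 4, algo 17, created 1102291200, expires 0
    pkey[0]: [1024 bits]
    keyid: FEDCBA9876543210
:user ID packet: "Example User <user@example.org>"
:signature packet: algo 17, keyid FEDCBA9876543210
    version 4, created 1102291200, md5len 0, sigclass 0x13
    digest algo 2, begin of digest 5e 1d
    hashed subpkt 11 len 4 (pref-sym-algos: 9 8 7 3)
    hashed subpkt 21 len 3 (pref-hash-algos: 2 8 3)
    hashed subpkt 22 len 4 (pref-zip-algos: 2 3 1 0)'

main() {
    if [ "${1:-}" = "--generate" ]; then
        # Live path: throwaway keyring so ~/.gnupg is untouched; gpg 2.x asks for
        # the passphrase via pinentry because no Passphrase: line is given.
        GNUPGHOME=$(mktemp -d); export GNUPGHOME
        gen_params "$2" "$3" > "$GNUPGHOME/params"
        gpg --batch --gen-key "$GNUPGHOME/params" || exit 1
        gpg --export "$3" | gpg --list-packets | audit_packets
    else
        echo "== constructed sample: RSA 4096, SHA-2 self-signature, 2y expiry =="
        printf '%s\n' "$SAMPLE_GOOD" | audit_packets
        echo "== constructed sample: DSA 1024, SHA1 self-signature, no expiry =="
        printf '%s\n' "$SAMPLE_OLD" | audit_packets || echo "-> rejected, as intended"
    fi
}
main "$@"
```

Run it with no arguments to see the audit on the two samples, or as `sh newkey.sh --generate "Your Name" you@example.org` to create a key in a temporary GNUPGHOME and audit it. Preferences: only sets the list baked into the key's self-signatures; the digest the self-signatures themselves are hashed with is what cert-digest-algo in gpg.conf controls, so keep that line from the first step if your GnuPG still defaults to SHA1 there. To audit an existing key instead, pipe `gpg --export KEYID | gpg --list-packets` into audit_packets.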

Send new key to key server