Prompted by (a) a new computer, (b) my previous PGP keys being generated about 5 years and a couple of computers ago, (c) using the then-common 1024 bit DSA key size, with SHA-1 (which is now recommended against, especially after recent results) and (d) a keysigning at LCA2010, I've decided to generate new PGP keys with longer bit lengths. And to generate two keys, one for "work" and one for "non work".
My plan is to get these keys signed at one or more keysigning events and then start using them. I still have control over the old key, but in view of the age of the algorithms involved will avoid using it for new signatures other than those on the new keys.
These keys were generated based on instructions pointed at by the LCA2010 keysigning (see also Debian Administration article on generating stronger keys):
Edit ~/.gnupg/gpg.conf and add:
personal-digest-preferences SHA256 cert-digest-algo SHA256 default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192
gpg --gen-key
(1) "RSA and RSA (default)" (since I have GPG 1.4.10)
4096 bit key length (default is now 2048, but given how infrequently I use my keys and modern CPUs it seems worth just choosing the maximum figure)
Expires in 6 years time (based on past experience I expect the practical usefulness to be about 5 years, so I'm allowing an extra year to be safe; various abuses of old key/signatures suggest that never expiring keys are probably unwise and rotating keys periodically seems the best policy)
Enter details for user id based on appropriate email address
Enter passphrase (twice)
gpg --edit-key $KEYID
showpref
Verify preferences look something like:
Cipher: AES256, AES192, 3DES Digest: SHA512, SHA384, SHA256, SHA224, SHA1 Compression: ZIP, Uncompressed Features: MDC, Keyserver no-modify
I did this twice, once to generate a work key and once to generate a personal key.
Then I signed each key with the other one. For keys in the same secret keyring this means:
gpg --default-key $KEY_ID_TO_SIGN_WITH --edit-key $KEY_ID_TO_SIGN
I also signed each one with my old key (EC1B3839).
For completeness I also generated a revocation certificate for each one now:
gpg --default-key $KEY_ID -a --gen-revoke $KEY_ID
(primarily in case I lose the key material and/or forget the passphrase so I have some way of saying that they key won't be used by me any longer.)
I then wrote the keys and revocation certificates out to a CD for safe keeping.
New Keys
The new keys are:
Work
pub 4096R/586C921A 2010-01-15 [expires: 2016-01-14]
Key fingerprint = EA12 E8CC B219 4B69 27A1 477A FE48 7773 586C 921A
uid Ewen McNeill (Naos Ltd) <ewen@naos.co.nz>
sub 4096R/CE3B20EF 2010-01-15 [expires: 2016-01-14]
Home
pub 4096R/6D59C1C8 2010-01-15 [expires: 2016-01-14]
Key fingerprint = 87F2 0ECA AB94 2370 35E8 C65D 63F1 3810 6D59 C1C8
uid Ewen McNeill (Personal) <ewen@mcneill.gen.nz>
sub 4096R/BEB5BF6B 2010-01-15 [expires: 2016-01-14]