
Creating a new GPG key

I had wanted to renew my GPG key for some time, and after reading the latest news I finally generated a new key today.

pub   4096R/6AA15948 2009-05-10
      Key fingerprint = 7A33 ECAA 188B 96F2 7C91  7288 B346 4F89 6AA1 5948
uid                  Ana Beatriz Guerrero López <ana@ekaia.org>
uid                  Ana Beatriz Guerrero López <ana@debian.org>
sub   4096R/2497B8B2 2009-05-10


Since I tend to forget this stuff, I am blogging all the steps I have followed.
Long and verbose post follows...

Update .gnupg/gpg.conf

Add at the end of the file:

personal-digest-preferences SHA256
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

Create key

Update September 2009: If you are using gnupg 1.4.0 or higher, the options have changed. You can directly select option (1) RSA and RSA (default), which also creates a subkey for encryption at the same time as your new key, so you can skip the “Add subkey for encryption” step.

ana@pryan:~$ gpg --gen-key
 ...

Please select what kind of key you want:
   (1) DSA and Elgamal (default)        
   (2) DSA (sign only)                  
   (5) RSA (sign only)                  
Your selection? 5                       
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096           
Requested keysize is 4096 bits                  
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

 ...

Real name: Ana Beatriz Guerrero López
Email address: ana@ekaia.org
Comment:
You are using the `utf-8' character set.
You selected this USER-ID:
    "Ana Beatriz Guerrero López <ana@ekaia.org>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

 ...

gpg: key 6AA15948 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb

 ...

gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
gpg: depth: 0  valid:   3  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 3u
pub   4096R/6AA15948 2009-05-10
      Key fingerprint = 7A33 ECAA 188B 96F2 7C91  7288 B346 4F89 6AA1 5948
uid                  Ana Beatriz Guerrero López <ana@ekaia.org>

Note that this key cannot be used for encryption.  You may want to use
the command "--edit-key" to generate a subkey for this purpose.

Add other UID

ana@pryan:~$ gpg --edit-key 0x6AA15948            
 ...                             
Command> adduid
Real name: Ana Beatriz Guerrero López
Email address: ana@debian.org
Comment:
You are using the `utf-8' character set.
You selected this USER-ID:
    "Ana Beatriz Guerrero López <ana@debian.org>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

You need a passphrase to unlock the secret key for
user: "Ana Beatriz Guerrero López <ana@ekaia.org>"
4096-bit RSA key, ID 6AA15948, created 2009-05-10


pub  4096R/6AA15948  created: 2009-05-10  expires: never       usage: SC
                     trust: ultimate      validity: ultimate
[ultimate] (1)  Ana Beatriz Guerrero López <ana@ekaia.org>
[ unknown] (2). Ana Beatriz Guerrero López <ana@debian.org>

Command> save

Change preferences

ana@pryan:~$ gpg --edit-key 0x6AA15948
 ...
Command> showpref
[ultimate] (1). Ana Beatriz Guerrero López <ana@debian.org>
     Cipher: AES256, AES192, AES, CAST5, 3DES
     Digest: SHA1, SHA256, RIPEMD160
     Compression: ZLIB, BZIP2, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify
[ultimate] (2)  Ana Beatriz Guerrero López <ana@ekaia.org>
     Cipher: AES256, AES192, AES, CAST5, 3DES
     Digest: SHA1, SHA256, RIPEMD160
     Compression: ZLIB, BZIP2, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify

Command>  setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
Set preference list to:
     Cipher: AES256, AES192, AES, CAST5, 3DES
     Digest: SHA512, SHA384, SHA256, SHA224, SHA1
     Compression: ZLIB, BZIP2, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify
Really update the preferences? (y/N) y
gpg: WARNING: no user ID has been marked as primary.  This command may
              cause a different user ID to become the assumed primary.

You need a passphrase to unlock the secret key for
user: "Ana Beatriz Guerrero López <ana@debian.org>"
4096-bit RSA key, ID 6AA15948, created 2009-05-10


pub  4096R/6AA15948  created: 2009-05-10  expires: never       usage: SC
                     trust: ultimate      validity: ultimate
[ultimate] (1)  Ana Beatriz Guerrero López <ana@debian.org>
[ultimate] (2). Ana Beatriz Guerrero López <ana@ekaia.org>

Command> showpref
[ultimate] (1)  Ana Beatriz Guerrero López <ana@debian.org>
     Cipher: AES256, AES192, AES, CAST5, 3DES
     Digest: SHA512, SHA384, SHA256, SHA224, SHA1
     Compression: ZLIB, BZIP2, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify
[ultimate] (2). Ana Beatriz Guerrero López <ana@ekaia.org>
     Cipher: AES256, AES192, AES, CAST5, 3DES
     Digest: SHA512, SHA384, SHA256, SHA224, SHA1
     Compression: ZLIB, BZIP2, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify

Command> save

Set primary UID

ana@pryan:~$ gpg --edit-key 0x6AA15948
  ...
Command> uid 1

pub  4096R/6AA15948  created: 2009-05-10  expires: never       usage: SC
                     trust: ultimate      validity: ultimate
[ultimate] (1)* Ana Beatriz Guerrero López <ana@ekaia.org>
[ultimate] (2)  Ana Beatriz Guerrero López <ana@debian.org>

Command> primary

You need a passphrase to unlock the secret key for
user: "Ana Beatriz Guerrero López <ana@ekaia.org>"
4096-bit RSA key, ID 6AA15948, created 2009-05-10


pub  4096R/6AA15948  created: 2009-05-10  expires: never       usage: SC
                     trust: ultimate      validity: ultimate
[ultimate] (1)* Ana Beatriz Guerrero López <ana@ekaia.org>
[ultimate] (2)  Ana Beatriz Guerrero López <ana@debian.org>

Command> save

Add subkey for encryption

ana@pryan:~$ gpg --edit-key 0x6AA15948
  ...
Command> addkey
Key is protected.

You need a passphrase to unlock the secret key for
user: "Ana Beatriz Guerrero López <ana@ekaia.org>"
4096-bit RSA key, ID 6AA15948, created 2009-05-10

Please select what kind of key you want:
   (2) DSA (sign only)
   (4) Elgamal (encrypt only)
   (5) RSA (sign only)
   (6) RSA (encrypt only)
Your selection? 6
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y

 ...

pub  4096R/6AA15948  created: 2009-05-10  expires: never       usage: SC
                     trust: ultimate      validity: ultimate
sub  4096R/2497B8B2  created: 2009-05-10  expires: never       usage: E
[ultimate] (1). Ana Beatriz Guerrero López <ana@ekaia.org>
[ultimate] (2)  Ana Beatriz Guerrero López <ana@debian.org>

Command> save

Sign my new key with my old key

ana@pryan:~$ gpg --default-key E8C43461 --sign-key 6AA15948

pub  4096R/6AA15948  created: 2009-05-10  expires: never       usage: SC
                     trust: ultimate      validity: ultimate
sub  4096R/2497B8B2  created: 2009-05-10  expires: never       usage: E
[ultimate] (1). Ana Beatriz Guerrero López <ana@ekaia.org>
[ultimate] (2)  Ana Beatriz Guerrero López <ana@debian.org>

Really sign all user IDs? (y/N) y

pub  4096R/6AA15948  created: 2009-05-10  expires: never       usage: SC
                     trust: ultimate      validity: ultimate
 Primary key fingerprint: 7A33 ECAA 188B 96F2 7C91  7288 B346 4F89 6AA1 5948

     Ana Beatriz Guerrero López <ana@ekaia.org>
     Ana Beatriz Guerrero López <ana@debian.org>

Are you sure that you want to sign this key with your
key "Ana Beatriz Guerrero López <ana@ekaia.org>" (E8C43461)

Really sign? (y/N) y

You need a passphrase to unlock the secret key for
user: "Ana Beatriz Guerrero López <ana@ekaia.org>"
1024-bit DSA key, ID E8C43461, created 2004-12-06
 ...

Send new key to key server

gpg --keyserver pgp.mit.edu --send-key 6AA15948
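
As an added check (not part of the original post), these POSIX shell functions verify the outcome of the steps above: that gpg.conf carries the three digest directives with a SHA-2 digest first, and that a key listing shows an RSA primary of at least 2048 bits plus an encryption-capable key. The key IDs and timestamps in the sample listings are constructed, and the 2048-bit floor is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the original post; all sample data is constructed.

# check_gpg_conf FILE: succeed only if the three directives from the
# "Update .gnupg/gpg.conf" step are active and each names a SHA-2 digest first.
check_gpg_conf() {
    awk '
        function first_digest(   i, t) {
            for (i = 2; i <= NF; i++) {
                t = toupper($i)
                if (t ~ /^(MD5|SHA1|RIPEMD160|SHA224|SHA256|SHA384|SHA512)$/) return t
            }
            return ""
        }
        $1 == "personal-digest-preferences" || $1 == "cert-digest-algo" ||
        $1 == "default-preference-list" {
            seen[$1] = 1
            if (first_digest() !~ /^SHA(224|256|384|512)$/) bad = 1
        }
        END {
            ok = seen["personal-digest-preferences"] && seen["cert-digest-algo"] &&
                 seen["default-preference-list"] && !bad
            exit(ok ? 0 : 1)
        }' "$1"
}

# audit_key: read `gpg --with-colons --list-keys KEYID` output for ONE key on
# stdin and print a verdict. Field 3 = bits, field 4 = algorithm (1 RSA,
# 16 Elgamal, 17 DSA), field 2 = validity, field 12 = capabilities.
audit_key() {
    awk -F: '
        $1 == "pub" { bits = $3 + 0; algo = $4 + 0 }
        ($1 == "pub" || $1 == "sub") && $2 !~ /[rei]/ && $12 ~ /e/ { enc = 1 }
        END {
            if (algo != 1 || bits < 2048) print "WEAK primary: algo " algo ", " bits " bits"
            else if (!enc) print "NO usable encryption key"
            else print "OK: RSA " bits " primary, encryption key present"
        }'
}

# Constructed listings in colon format (placeholder key IDs).
sample_new_key() {    # finished key: 4096R primary (SC) + 4096R subkey (E)
    printf '%s\n' 'pub:u:4096:1:1111111111111111:1241913600:::u:::scESC:' \
                  'sub:u:4096:1:2222222222222222:1241913600::::::e:'
}
sample_sign_only() {  # right after "Create key" with option (5): no subkey yet
    printf '%s\n' 'pub:u:4096:1:1111111111111111:1241913600:::u:::scSC:'
}
sample_old_key() {    # 1024-bit DSA primary with an Elgamal subkey
    printf '%s\n' 'pub:u:1024:17:3333333333333333:1102291200:::u:::scESC:' \
                  'sub:u:1024:16:4444444444444444:1102291200::::::e:'
}

sample_new_key   | audit_key
sample_sign_only | audit_key
sample_old_key   | audit_key
```

Against a real keyring, run `check_gpg_conf ~/.gnupg/gpg.conf` and `gpg --with-colons --list-keys 0x6AA15948 | audit_key`.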

Comments

  • transacid said, on 2009-05-10 21:54:07+02:00:

    Hmm that may sound like a stupid question to you but why do you generate 2 keys, one for signing and one for encryption? Maybe I miss something there. Please enlighten me.

  • Jonathan Thomas said, on 2009-05-10 22:35:52+02:00:

    The RSA key can't do both, so two keys are required.

    Anyway, thanks for this guide! It's the best one I've found so far. :)

  • Gregory Colpart said, on 2009-05-11 00:18:42+02:00:

    It could be useful to add "Generate revocation certificate" section with 'gpg --gen-revoke', because it's important to generate a revocation certificate immediately after key creation. ;-)

  • Daniel Kahn Gillmor said, on 2009-05-11 03:00:02+02:00:

    Ana, thanks for documenting the steps you took, this is really great.

    For folks who might be following these steps, I just updated my weblog post about SHA-1 and OpenPGP (thanks to a suggestion from David Crick) to suggest adding a third line to ~/.gnupg/gpg.conf before key generation, which should make it so that the digest preferences are set up properly in the first place (this would make it so that you don't need to do the "Change Preferences" step).

    the additional line would be:

    default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

  • ana said, on 2009-05-11 15:54:37+02:00:

    @Daniel Kahn Gillmor:

    Thanks for the update!

    Also, there is a post on how to do it under KDE using kgpg at:

    http://der-dakon.net/blog/KDE/create-gpg-key-with-kde.html

  • A new GPG key | Delodder.be said, on 2009-05-13 13:50:05+02:00:

    [...] followed this excellent guide Leave a Reply Visited 1 times | Tags: gpg Apt-key gpg [...]

  • Jakob Petsovits said, on 2009-05-15 10:53:32+02:00:

    This and Dakon's KDE modification is a great resource. Maybe I'll try it out for myself sometime soon.

    Still, I think you people are all crazy. How is any non-technical person supposed to not only figure out how to do the stuff in here, but even figure out what needs to be done in the first place (= titles in your post) and why all of this needs to be done?

    It's pretty much impossible to understand all of this without having at least attended a university course in cryptography. Heck, I did attend one, and I still wouldn't figure out this thing by myself.

    Imho, GPG is a great thing in theory, but if there are no significant improvements in getting people to understand this thing, it'll always stay a niche technology. Which I think is really unfortunate, because secure communication should not require this level of expertise, not anywhere near it.

  • Mike Perdide » GPG : I can haz identity said, on 2009-05-20 14:49:07+02:00:

    [...] If you want to get started and create your own public/private key pair, I recommend this very quick little howto, which will also let you generate RSA keys, more secure than the DSA ones used by most people: howto GPG. [...]

  • Henrique said, on 2009-05-25 12:49:55+02:00:

    @Jakob Petsovits:

    Actually, no, we are not crazy. We just need gpg enough that we actually learn how it works and don't wait for upstream to change the defaults :-)

    A regular user without crypto experience can just use the gpg defaults, they are quite good enough and are not going to be the limiting factor for this user's security. His inexperience when dealing with information security, OTOH, likely will. And there is nothing software can do to fix THAT.

  • Stemp said, on 2009-05-29 20:54:16+02:00:

    I'm ashamed to say I forgot to tell you how much your post was helpful. Everybody was talking about new gpg keys but no one, except you, did a clear post about doing it for dumbs like me. Thanks a lot.

  • bjoernb said, on 2009-06-20 15:28:00+02:00:

    Hej Ana,

    just a short notice. You should link to your new key on your website. It still points to your old key.

    Best wishes, bjoernb.

  • Ben said, on 2009-06-27 05:35:18+02:00:

    I only needed part of what you have here but it was very useful. Thanks for posting in such a detailed manner.

  • bli said, on 2009-06-29 21:32:11+02:00:

    Thanks!

  • ghostbar » FYI: new gpg key 7C4DF50D said, on 2009-07-14 06:32:58+02:00:

    [...] I just followed this great post from Ana’s [...]

  • Michael Shuler said, on 2009-07-15 23:26:56+02:00:

    Thank you for this excellent detailed example, Ana.

  • Dario Minnucci said, on 2009-07-16 01:16:14+02:00:

    Hi Ana, Thanks for these guidelines. See you soon.

  • Christine Spang (spang) 's status on Friday, 17-Jul-09 10:18:15 UTC - Identi.ca said, on 2009-07-17 10:18:22+02:00:

    [...] http://ekaia.org/blog/2009/05/10/creating-new-gpgkey/ [...]

  • Bill Thompson said, on 2009-07-28 17:30:55+02:00:

    Why a 4096b key? I have had interoperability problems with keys that size in the past so usually do not use more than 2048b. Is there an RSA 2048b compromise you are aware of or are you just being thorough?

  • Francisco said, on 2009-07-29 17:16:13+02:00:

    hi Ana, very good explanation. I'll link it in my blog.

  • mirabilos said, on 2009-07-30 14:16:29+02:00:

    Of course, RSA can do both, but the FSF and GnuPG won’t let you. Use --expert too, choose 7, then select all four of S+C+E+A key purposes.

    In batch mode, you can generate even longer keys, like pgp-2.6.3ia could.

  • Kartar.Net » Creating a new GPG key and revoking the old one said, on 2009-08-21 01:50:21+02:00:

    [...] So this time when I needed my new key I thought I’d see if someone else had instructions.  And lo and behold Google found a really good HOWTO at Ana’s blog » Blog Archive » Creating a new GPG key. [...]

  • Charles Plessy said, on 2009-09-08 15:36:22+02:00:

    Hello Ana,

    there were changes in GPG… What do you recommend: RSA sign only, or the new RSA and RSA default?

    gpg (GnuPG) 1.4.10; Copyright (C) 2008 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law.

    Please select what kind of key you want:
       (1) RSA and RSA (default)
       (2) DSA and Elgamal
       (3) DSA (sign only)
       (4) RSA (sign only)

    Have a nice day !

  • ana said, on 2009-09-08 16:07:24+02:00:

    @Charles Plessy:

    This is the new default since GNUPG 1.4.0. If you choose (1) you also create a subkey for encryption at the same time you create your new key and then you can skip the "Add subkey for encryption" step of my HOWTO.

  • Robert Escriva » Blog Archive » Joining the GPG Web of Trust (WoT) said, on 2009-09-25 00:28:24+02:00:

    [...] When I went through this process in July to regenerate my key I followed the instructions from Ana’s Blog: Creating a a new GPG Key. I’ve adapted them here for users new to [...]

  • mirabilos said, on 2010-01-14 12:58:11+01:00:

    > The RSA key can’t do both, so two keys are required.

    This is actually wrong. GnuPG cripples RSA so that it cannot do both by default, so that people use DSA, for former political (patent in the USA) reasons.

    Use --expert to see this: (7) RSA (set your own capabilities)

    Then make sure all four of S, C, E and A are set.

  • Matthew said, on 2010-01-31 22:29:07+01:00:

    Just to say a short thanks for a very helpful howto on generating a GPG key using only RSA keys. Thanks very much.

  • My New GPG Key « Short-Circuit Synapse said, on 2010-02-02 15:01:30+01:00:

    [...] However, it is possible, it just requires a couple of extra steps, which I learnt from a handy post here. So thank you very much for your help [...]

  • David said, on 2010-02-22 08:08:40+01:00:

    Thank you for this article. I successfully generated my new keys.

  • T-Bone Steak said, on 2010-05-08 18:55:36+02:00:

    @Bill: A 2048b key should be the norm today, and the reason for creating a 4096b key is to have it stay a bit longer. Imho, 2048b may already be in reach of the spooks, and you don't want to run around getting your new key signed every few months, do you?

  • Changing/Renewing GPG key procedure? | blog.windfluechter.net said, on 2011-01-13 06:47:27+01:00:

    [...] Software I know I'm a little late with this, but I want to renew GPG key and change it from DSA to RSA. The length of my ElGamal key is 1024, which is not that good for todays standard. When searching on Planet Debian, I found some few HowTos, especially that by Ana Guerrero. [...]

  • Bankacilik said, on 2011-01-22 13:28:42+01:00:

    Thanks for posting in such a detailed manner.

  • Com usar una clau GPG per a SSH | Ivan. Loves. Gazpacho. said, on 2011-04-03 20:00:06+02:00:

    [...] of a pair of GPG keys. If that is not the case, this is the moment to generate them! I recommend following Ana's little manual, which also describes how to do it while avoiding the vulnerable algorithm [...]

  • Debconf11 – המשך הכנס « תוכנה חופשית בעברית said, on 2011-07-30 22:49:21+02:00:

    [...] a few years, I had to recall the details of creating a new key. The post on Ana's blog was especially useful (note that there is a paragraph there of [...]

  • tomasio said, on 2011-08-21 21:14:52+02:00:

    Great blog entry, but could you explain why I have to "Sign my new key with my old key"? I revoked my old key before creating a new one, so isn't it counterproductive to sign my new key with the old (revoked) key?

    Good day,

    tomasio

  • Privacy | Josh Lawrence said, on 2011-12-23 02:06:27+01:00:

    [...] How to create a strong key [...]

  • Compiling GnuPG 1.x on Linux for Windows – PCR's notepad said, on 2012-07-10 12:05:33+02:00:

    [...] the FBI took down the files when taking down MegaUpload. Update (2012-07-10): here’s a nice blog post that I just found with additional commands such as how to add an encryption [...]

  • Jonathan said, on 2013-05-21 08:50:55+02:00:

    First, thanks Ana for a great blog post which is still a useful reference 4 years later!

    To respond to a point mirabilos raised in an earlier comment: by default gpg won't let you create an RSA key for both signing and encrypting. You can override this using expert mode as pointed out. However, it appears there is a good reason for the restriction, at least in some locales. I attended a talk by Dr Matthew Sorell yesterday highlighting some interesting examples of PGP in legal cases. It turns out there is some UK legislation whereby folks are compelled to give a copy of private keys to the UK government if they are used for signatures. Apparently it was this legislation which encouraged Zimmermann to make PGP use separate signing and encryption keys originally. I'm afraid I don't (yet) have a reference to the precise legislation, but I thought this would be useful information here nonetheless. Thanks

© Ana Guerrero Lopez. Built using Pelican. Theme is subtle by Carey Metcalfe. Based on svbhack by Giulio Fidente.