{"id":1374,"date":"2023-11-12T16:04:12","date_gmt":"2023-11-12T22:04:12","guid":{"rendered":"https:\/\/www.nathanhunstad.com\/blog\/?p=1374"},"modified":"2023-11-12T16:04:13","modified_gmt":"2023-11-12T22:04:13","slug":"yet-another-new-gpg-key","status":"publish","type":"post","link":"https:\/\/www.nathanhunstad.com\/blog\/2023\/11\/yet-another-new-gpg-key\/","title":{"rendered":"Yet another new GPG key"},"content":{"rendered":"\n

While rummaging around the computer the other day, I realized that my GPG key had expired quite some time ago. I decided that even though I haven’t used it in years, it was time to create another keypair and publish it to the world. You can find it here<\/a>, and you can learn a bit more about how it works at the same link.<\/p>\n\n\n\n

Why bother to create another key if I almost never use it? Good question. I have used GPG for legitimate purposes several times, mainly for communicating with security researchers about vulnerability disclosures, and for that purpose it’s a very good option: it’s free, quick, and most security folks are knowledgeable enough about GPG that they aren’t intimidated by the steep learning curve.<\/p>\n\n\n\n

But even more than that, GPG and public-key cryptography are just cool<\/em>. In fact, cryptography is the main reason I’m in the security field. In college, I read all about cryptography, used PGP<\/a> when that was a thing, long before the existence of OpenPGP and alternatives like GnuPG. I read The Codebreakers<\/a> and Applied Cryptography<\/a>, and played around with cryptography before I realized that yes, you can actually build a career out of this. Eventually I did decide that beyond being cool, security would be a fun thing to do as a job, and here I am.<\/p>\n\n\n\n

There are also some technical reasons to create a new keypair. The last one I generated in 2011 used a 1024-bit DSA key. That’s widely considered to be too small to be secure these days: NIST disallowed 1024-bit keys after 2013 due to the increasing likelihood of the ability to compromise such a key, and removed DSA from the Digital Signature Standard<\/a> altogether this year. There’s no indication that 1024-bit DSA keys have been compromised in real life and DSA can still be used for verifying old stuff, but it shouldn’t be used going forward.<\/p>\n\n\n\n

Instead, the move is towards elliptic-curve cryptography<\/a>, as the key sizes can be much smaller than the equivalent DSA\/RSA keys for the same security. These have become fairly common in crypto libraries, and is generally recommended over things like RSA these days. Following the suggestions in this guide<\/a>, I chose to generate an Ed25519 key.<\/p>\n\n\n\n

I also followed some of the best practices here<\/a> and did the following:<\/p>\n\n\n\n

    \n
  1. I use the main key just for certification, with a 10-year expiration.<\/li>\n\n\n\n
  2. I generated two subkeys, one for signing and one for encryption, with 2-year expirations.<\/li>\n\n\n\n
  3. I created a revocation certificate just in case.<\/li>\n<\/ol>\n\n\n\n

    The expiration dates are probably a bit longer than suggested, but a 10 year primary key is probably good enough for my considering I may never use it, and unless there is a sudden, unexpected problem with Ed25519, it should be safe for that long, at which point I can reassess. Keeping my primary key entirely offline is something I probably won’t do: I’ve done offline roots for PKI before, but that was for something more important than my personal GPG key!<\/p>\n\n\n\n

    So if anybody ever needs to communicate with me in a secure way, you now have my updated key. Drop me a message if you feel like it!<\/p>\n","protected":false},"excerpt":{"rendered":"

    While rummaging around the computer the other day, I realized that my GPG key had expired quite some time ago. I decided that even though I haven’t used it in years, it was time to create another keypair and publish it to the world. You can find it here, and you can learn a bit… Continue reading Yet another new GPG key<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[127],"tags":[155,300],"class_list":["post-1374","post","type-post","status-publish","format-standard","hentry","category-security","tag-encryption","tag-gpg","entry"],"aioseo_notices":[],"aioseo_head":"\n\t\t\n\t\n\t\n\t\n\t\n\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t\n\t\t