Over the next few months I will be slowly transitioning to a new OpenPGP (GPG) key. The reasons for this are as follows:
- In light of the recent information regarding the NSA, GCHQ, ASIO and other spying on citizens of the world, I believe a larger key size will increase security against attacks (even if the increase is small).
- I read about a patch to GnuPG to allow creation of larger key sizes and wanted to try it out.
- I wanted to have a clean slate with completely separate subkeys and good key hygiene (with regard to how the private key and revocation certificates are stored).
I have created a new 8K-length certification master key (0xB341C361CE04C603) with the following subkeys:
- 4K Signing key (for signing documents and emails)
- 4K Encryption key (for encrypting files)
- 4K Authentication key (for logging in to systems, though in practice this isn’t really useful yet)
The reason for the 8K (for the uninitiated, this is a huge key that is overkill for current technology) separated certification key is so that I can keep that key safely on my home systems protected from the wild, whilst still being able to carry my signing, encrypting and authentication keys around on my laptop without too much trouble. Since the certification key is used for signing other keys and being signed by other keys (i.e., building the web of trust) it is a good thing if this key is both well protected and doesn’t change much.
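As an added illustration of the layout described above (this is example code, not the author's own procedure or keys): the script below builds a certification-only master key with separate signing, encryption and authentication subkeys in a throw-away keyring, exports the master secret for the offline machine and the subkey secrets for the laptop, deletes the master secret from the laptop keyring, and then checks that only a stub of the master remains while the subkeys still sign. It assumes GnuPG 2.1 or later (for the `--quick-*` commands and the stub marker `#` in `--with-colons` output), uses a constructed identity, and uses 2048-bit keys so it finishes quickly rather than the 8K/4K sizes the post uses.

```shell
#!/bin/sh
# Added example, not from the original post: offline certification master key
# plus portable sign/encrypt/auth subkeys. Needs GnuPG 2.1+.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; skipping demo" >&2; exit 0; }

# Throw-away GNUPGHOME so the demo never touches the real keyring.
WORK=$(mktemp -d)
export GNUPGHOME="$WORK/home"
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT

UID_STR="Demo Key <demo@example.invalid>"   # constructed identity, not a real person

# gpg with an empty passphrase supplied non-interactively (demo keys only).
g() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Step 1: certification-only master key; prints its fingerprint.
make_master() {
    g --quick-generate-key "$UID_STR" rsa2048 cert never
    gpg --with-colons --list-keys "$UID_STR" | awk -F: '$1=="fpr"{print $10; exit}'
}

# Step 2: one subkey per capability, mirroring the post's S/E/A split.
add_subkeys() {
    g --quick-add-key "$1" rsa2048 sign never
    g --quick-add-key "$1" rsa2048 encrypt never
    g --quick-add-key "$1" rsa2048 auth never
}

# Step 3: master secret goes to the offline machine, subkey secrets to the
# laptop; then the master secret is removed from this ("laptop") keyring.
split_secret() {
    g --export-secret-keys "$1"    > "$WORK/master-secret.gpg"   # store offline
    g --export-secret-subkeys "$1" > "$WORK/laptop-subkeys.gpg"  # carry around
    gpg --batch --yes --delete-secret-keys "$1"
    gpg --batch --quiet --import "$WORK/laptop-subkeys.gpg"
}

# Check: in --with-colons listings, field 15 of a sec/ssb record is '#' when
# only a stub of that secret key is present. Succeeds iff the master is a
# stub and all three subkeys are real.
master_is_offline() {
    gpg --with-colons --list-secret-keys "$1" | awk -F: '
        $1=="sec" { master_stub = ($15=="#") }
        $1=="ssb" { nsub++; if ($15=="#") nstub++ }
        END { exit !(master_stub && nsub==3 && nstub==0) }'
}

# The laptop keyring can still sign: gpg falls back to the signing subkey.
laptop_can_sign() {
    printf 'hello\n' > "$WORK/msg.txt"
    g --local-user "$1" --detach-sign --output "$WORK/msg.sig" "$WORK/msg.txt"
    gpg --batch --quiet --verify "$WORK/msg.sig" "$WORK/msg.txt" 2>/dev/null
}

FPR=$(make_master)
add_subkeys "$FPR"
split_secret "$FPR"
master_is_offline "$FPR" && echo "master key is an offline stub; 3 subkeys usable"
laptop_can_sign "$FPR" && echo "signature made with the signing subkey verifies"
```

After `split_secret`, `gpg -K` shows the primary as `sec#` and the three subkeys as `ssb`, which is the state the post wants on the laptop; the `master-secret.gpg` file (and the revocation certificate) is what stays on the home system.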
The authentication key is interesting – in theory the underlying key data is such that you can use it for SSH logins, but it is such a pain in the arse to get the key data out and into a format that the SSH client can use that nobody bothers.
My old key (0xF3EABD1AAC83D520) no longer has a valid encryption key and I will be revoking the master key within the next few weeks.
You may also be interested to read my OpenPGP policies.