Tuesday, 10 December 2013

PGP keys rotated

I just (belatedly) rotated my PGP keys. The old ID was 86FF9C48 and the new 6D920D30 with a fingerprint of 59C2 118E D206 D927 E667 EBE3 D3E5 F56B 6D92 0D30. The new key should be available from the keyserver network and is signed by my old key. As a very infrequent user of gnupg for anything but generating signatures, I found apache.org's key transition guidelines to be very useful in doing this.

One thing that I noticed along the way that doesn't seem to be in the documentation. Where gnupg asks you for an expiry duration, it will actually accept an exact timestamp too. So you can answer something like 20201231T235959 and it will do the right thing.

My whole key blob is now:


  1. Can you explain why a 3200 bit key? I've seen 1024, 2048, 3072, and 4096, but not 3200.

  2. AFAIK it's possible. I chose a 4096 bit key because I use it only infrequently and it had to last 10 years...

  3. I think he means

    pub 3200R/6D920D30 2013-12-10 [expires: 2021-01-01]
    uid Damien Miller
    sub 3200R/672A1105 2013-12-10 [expires: 2021-01-01]
    ^ why that 3200

    1. Probably because then "generic" attacks that target ALL 2048 or ALL 4096 keys won't work. For example a quantum computer built for 4096 bits won't work on 3200 bit keys (I think, not 100% sure there).

  4. Shouldn't this be updated?

  5. No, that's the old key and can still be used to validate the old releases. The release notes mention which key is used for the new ones.