Again some notes, mostly for myself… I wanted to replace both my 2048-bit GPG keys (private and office) with a single 4096-bit key. Here are some handy commands.
Start with generating a new key:
gpg --gen-key
Select an RSA/RSA 4096-bit key…
Edit your new key, add all mail addresses you need. Also set your preferred hash and crypto algorithms.
gpg --edit-key NEWKEYID
> adduid
> ...
> setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
> quit
Make a backup of your new key…
gpg --export --armor NEWKEYID > holger.gpg.public
gpg --export-secret-keys --armor NEWKEYID > holger.gpg.private
… and put the secret key in a secure location. If you want, create a revocation certificate as well and store it in the same location.
Now sign the new key with both of your old keys:
gpg -u OLDKEYID1 --sign-key NEWKEYID
gpg -u OLDKEYID2 --sign-key NEWKEYID
I decided to revoke both old keys:
gpg --edit-key OLDKEYID1
> revkey
> quit
gpg --edit-key OLDKEYID2
> revkey
> quit
Now push the changes to your PGP key server of choice.
gpg --send-keys NEWKEYID OLDKEYID1 OLDKEYID2
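As an added check (not part of the original notes), a small POSIX shell script that verifies the result of the steps above from gpg's machine-readable listing: the new key must carry certifications from both old keys, and both old keys must show as revoked. It assumes the listing comes from `gpg --with-colons --list-sigs NEWKEYID OLDKEYID1 OLDKEYID2`; the embedded listing and the key IDs in it are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: verify a key transition from
# the colon-delimited listing printed by
#   gpg --with-colons --list-sigs NEWKEYID OLDKEYID1 OLDKEYID2
# Field 1 is the record type, field 2 the validity (r = revoked), field 5
# the key ID (for sig records: the ID of the key that made the signature).

# Constructed sample listing; AAAA... is the new key, 1111.../2222... the old ones.
SAMPLE='pub:u:4096:1:AAAAAAAAAAAAAAAA:1300000000::u:::scESC:
uid:u::::1300000000::0123456789ABCDEF::Holger <holger@example.org>:
sig:::1:AAAAAAAAAAAAAAAA:1300000000::::Holger <holger@example.org>:13x:
sig:::1:1111111111111111:1300000000::::Holger <holger@example.org>:10x:
sig:::1:2222222222222222:1300000000::::Holger <holger@example.org>:10x:
pub:r:2048:1:1111111111111111:1200000000::u:::scESC:
rev:::1:1111111111111111:1300000000::::Holger <holger@example.org>:20x:
pub:r:2048:1:2222222222222222:1200000000::u:::scESC:
rev:::1:2222222222222222:1300000000::::Holger <holger@example.org>:20x:'

# Key IDs of every third-party certification on key $1 (listing on stdin).
signers_of() {
  awk -F: -v key="$1" '
    $1 == "pub" { cur = $5 }
    $1 == "sig" && cur == key && $5 != key { print $5 }' | sort -u
}

# Succeeds only if key $1 is listed with validity "r" (revoked).
is_revoked() {
  awk -F: -v key="$1" \
    '$1 == "pub" && $5 == key && $2 == "r" { found = 1 } END { exit !found }'
}

# check_transition LISTING NEWKEYID OLDKEYID...  -> 0 if every old key has
# certified the new key and is itself revoked, 1 otherwise.
check_transition() {
  listing=$1 new=$2; shift 2
  rc=0
  signers=$(printf '%s\n' "$listing" | signers_of "$new")
  for old in "$@"; do
    printf '%s\n' "$signers" | grep -qx "$old" \
      || { echo "no certification from $old on $new"; rc=1; }
    printf '%s\n' "$listing" | is_revoked "$old" \
      || { echo "$old is not revoked"; rc=1; }
  done
  return $rc
}

# Stand-alone run against the constructed sample; for real use pass
# "$(gpg --with-colons --list-sigs NEWKEYID OLDKEYID1 OLDKEYID2)" instead.
check_transition "$SAMPLE" AAAAAAAAAAAAAAAA 1111111111111111 2222222222222222 \
  && echo "transition looks complete"
```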