February 15, 2015

Update PGP Key

Again some notes, mostly for myself… I wanted to update my both (private/office) 2048-bit GPG keys to a (single) 4096-bit key. Here are some handy commands.

Start with generating a new key:

gpg --gen-key

Select a RSA/RSA 4096 bit key…

Edit your new key, add all mail addresses you need. Also set your preferred hash and crypto algorithms.

gpg --edit-key NEWKEYID
> adduid
> ...
> setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
> quit

Make a backup of your new key…

gpg --export --armor NEWKEYID > holger.gpg.public
gpg --export-secret-keys --armor NEWKEYID > holger.gpg.private

… and put the secret key to a secure location. If you want, create a revocation certificate as well and store this at the same location.

Now sign the new key with your (both) old keys:

gpg -u OLDKEYID1 --sign-key NEWKEYID
gpg -u OLDKEYID2 --sign-key NEWKEYID

I decided to revoke both old keys:

gpg --edit-key OLDKEYID1

gpg --edit-key OLDKEYID2

Now push the changes to your PGP key server of choice.


© ho1ger 2015 - 2022