Creating a new GPG key

At the time of writing, GnuPG unfortunately defaults to a 1024-bit DSA primary key with SHA1 as the preferred hash. Because of weaknesses found in the SHA1 hashing algorithm, Debian prefers keys that are at least 2048 bits long and prefers SHA2. The following instructions describe how to generate such a key; they are based, with permission, on a post to Ana's blog.

pub   4096R/6AA15948 2009-05-10
      Key fingerprint = 7A33 ECAA 188B 96F2 7C91  7288 B346 4F89 6AA1 5948
uid                  Ana Beatriz Guerrero López <ana@ekaia.org>
uid                  Ana Beatriz Guerrero López <ana@debian.org>
sub   4096R/2497B8B2 2009-05-10

As a side note, we are often asked why we mention 2048 bits. We do prefer 4096-bit keys, and if you don't have a reason to require a 2048-bit key, we'd be much happier with the 4096-bit ones. We know of many smartcards that can hold only 2048-bit keys, however, and their use is accepted.

Please note that the requirement to migrate from 1024D to 4096R is not only because of the key length, but also because of the stronger algorithm.
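
Since the migration requirement covers both key length and algorithm, it helps to be able to check an existing keyring against it mechanically. The following is an added example, not part of this page or of GnuPG itself: a POSIX shell function that reads the machine-readable output of "gpg --list-keys --with-colons" and flags every primary key or subkey that is DSA or shorter than 2048 bits. The sample colon-format records are constructed for the example; the 4096R key id is the one shown on this page, the 1024-bit DSA/Elgamal pair uses placeholder key ids.

```shell
#!/bin/sh
# Added example (not from the Debian wiki page): flag keys that fall short of
# the page's requirement (RSA, at least 2048 bits, 4096 preferred) from the
# output of "gpg --list-keys --with-colons".
# Colon-format fields used (1-based): 1 record type, 3 key length in bits,
# 4 public-key algorithm (OpenPGP ids: 1 = RSA, 16 = Elgamal, 17 = DSA),
# 5 long key id.

MIN_BITS=2048

# audit_keys < colon-output
# Prints one line per "pub" or "sub" record that is a DSA key or is shorter
# than MIN_BITS; prints nothing when every key passes.
# Exit status 1 if at least one weak key was found, 0 otherwise.
audit_keys() {
    awk -F: -v min="$MIN_BITS" '
        $1 == "pub" || $1 == "sub" {
            bits = $3 + 0; algo = $4 + 0; keyid = $5
            reason = ""
            if (algo == 17)      reason = "DSA key; migrate to RSA"
            else if (bits < min) reason = bits " bits < " min
            if (reason != "") { found = 1; print $1, keyid, reason }
        }
        END { exit found ? 1 : 0 }
    '
}

# weak_key_count < colon-output  ->  number of flagged keys
weak_key_count() {
    audit_keys | wc -l | tr -d ' '
}

# Constructed sample in GnuPG 1.4 colon format (not real keyring output).
# The first key is the 4096R key from the page; the second is a hypothetical
# old 1024D key with a 1024-bit Elgamal subkey, using placeholder key ids.
SAMPLE_KEYS='tru::1:1241920000:0:3:1:5
pub:u:4096:1:B3464F896AA15948:2009-05-10:::u:::scESC:
uid:u::::::::Ana Beatriz Guerrero López <ana@ekaia.org>:
sub:u:4096:1:PLACEHOLDER2497B8B2:2009-05-10:::::e:
pub:u:1024:17:PLACEHOLDER0000DSA1:2005-01-01:::u:::scESC:
uid:u::::::::Placeholder User <user@example.com>:
sub:u:1024:16:PLACEHOLDER00ELG1:2005-01-01:::::e:'

# Usage against the sample (against a real keyring, replace the printf with
#   gpg --list-keys --with-colons | audit_keys ):
printf '%s\n' "$SAMPLE_KEYS" | audit_keys
```

On the sample this prints two lines, one for the 1024-bit DSA primary key and one for its 1024-bit subkey, and exits with status 1; the 4096R key and its subkey are not reported.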

Update ~/.gnupg/gpg.conf

We need to tell GnuPG to prefer SHA2 over SHA1. Add the following at the end of the file:

personal-digest-preferences SHA256
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

If you use caff for signing keys, you will also need to add these lines to ~/.caff/gnupghome/gpg.conf; otherwise your signatures will be made with SHA1.
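
Because the same three lines have to land in both gpg.conf files, and re-running a plain "cat >>" would duplicate them, here is an added example (not from this page or from GnuPG) of a POSIX shell function that appends each setting only if no active line for that option exists yet. The file paths in the usage lines are the ones named on this page; everything else is the example's own.

```shell
#!/bin/sh
# Added example (not from the Debian wiki page): append the digest preference
# lines to a gpg.conf idempotently, so running it twice never duplicates them.

# The three settings the page asks for, one "option value" per line.
GPG_PREF_LINES='personal-digest-preferences SHA256
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed'

# ensure_digest_prefs FILE
# Creates FILE (and its directory) if needed and appends each missing setting.
# A setting counts as present when an uncommented line starts with the option
# name, so an existing line with a different value is reported rather than
# silently shadowed by a second copy. Prints what it added or skipped.
ensure_digest_prefs() {
    conf=$1
    [ -f "$conf" ] || { mkdir -p "$(dirname "$conf")" && : > "$conf"; } || return 1
    printf '%s\n' "$GPG_PREF_LINES" | while IFS= read -r line; do
        opt=${line%% *}
        if grep -Eq "^[[:space:]]*$opt([[:space:]]|\$)" "$conf"; then
            echo "skipped (already set): $opt"
        else
            printf '%s\n' "$line" >> "$conf"
            echo "added: $opt"
        fi
    done
}

# count_option FILE OPTION  ->  number of active lines that set OPTION
count_option() {
    grep -Ec "^[[:space:]]*$2([[:space:]]|\$)" "$1" || true
}

# Usage: update the real gpg.conf and, only if caff is set up, its copy.
# ensure_digest_prefs "$HOME/.gnupg/gpg.conf"
# [ -d "$HOME/.caff/gnupghome" ] && ensure_digest_prefs "$HOME/.caff/gnupghome/gpg.conf"
```

A commented-out line such as "# cert-digest-algo SHA1" does not count as present, because the match requires the option name at the start of an active line.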

Create key

[update]: If you are using GnuPG 1.4.0 or higher, the options have changed. You can (and probably should) select the option "(1) RSA and RSA (default)" directly. This also creates an encryption subkey at the same time as your new key. If you do this, you can skip the "Add subkey for encryption" step. Thanks to Bernhard Reiter for pointing this out!

ana@pryan:~$ gpg --gen-key
 
 …

Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection? 5
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

 …

Real name: Ana Beatriz Guerrero López
Email address: ana@ekaia.org
Comment:
You are using the `utf-8' character set.
You selected this USER-ID:
    "Ana Beatriz Guerrero López <ana@ekaia.org>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

 … 

gpg: key 6AA15948 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb

 …

gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
gpg: depth: 0  valid:   3  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 3u
pub   4096R/6AA15948 2009-05-10
      Key fingerprint = 7A33 ECAA 188B 96F2 7C91  7288 B346 4F89 6AA1 5948
uid                  Ana Beatriz Guerrero López <ana@ekaia.org>

Note that this key cannot be used for encryption.  You may want to use
the command "--edit-key" to generate a subkey for this purpose.

Add other UID

If you need to add more than one email address to your key:

ana@pryan:~$ gpg --edit-key 0x6AA15948
 …
command> adduid
Real name: Ana Beatriz Guerrero López
Email address: ana@debian.org
Comment:
You are using the `utf-8' character set.
You selected this USER-ID:
    "Ana Beatriz Guerrero López <ana@debian.org>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

You need a passphrase to unlock the secret key for
user: "Ana Beatriz Guerrero López <ana@ekaia.org>"
4096-bit RSA key, ID 6AA15948, created 2009-05-10

pub  4096R/6AA15948  created: 2009-05-10  expires: never       usage: SC
                     trust: ultimate      validity: ultimate
[ultimate] (1)  Ana Beatriz Guerrero López <ana@ekaia.org>
[ unknown] (2). Ana Beatriz Guerrero López <ana@debian.org>

Command> save

Set primary UID

(Only needed if you've added more than one UID as above)

ana@pryan:~$ gpg --edit-key 0x6AA15948
 …
Command> uid 1

pub  4096R/6AA15948  created: 2009-05-10  expires: never       usage: SC
                     trust: ultimate      validity: ultimate
[ultimate] (1)* Ana Beatriz Guerrero López <ana@ekaia.org>
[ultimate] (2)  Ana Beatriz Guerrero López <ana@debian.org>

Command> primary

You need a passphrase to unlock the secret key for
user: "Ana Beatriz Guerrero López <ana@ekaia.org>"
4096-bit RSA key, ID 6AA15948, created 2009-05-10

pub  4096R/6AA15948  created: 2009-05-10  expires: never       usage: SC
                     trust: ultimate      validity: ultimate
[ultimate] (1)* Ana Beatriz Guerrero López <ana@ekaia.org>
[ultimate] (2)  Ana Beatriz Guerrero López <ana@debian.org>

Command> save

Add subkey for encryption

ana@pryan:~$ gpg --edit-key 0x6AA15948
  ...
Command> addkey
Key is protected.

You need a passphrase to unlock the secret key for
user: "Ana Beatriz Guerrero López <ana@ekaia.org>"
4096-bit RSA key, ID 6AA15948, created 2009-05-10

Please select what kind of key you want:
   (2) DSA (sign only)
   (4) Elgamal (encrypt only)
   (5) RSA (sign only)
   (6) RSA (encrypt only)
Your selection? 6
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y

 …

pub  4096R/6AA15948  created: 2009-05-10  expires: never       usage: SC
                     trust: ultimate      validity: ultimate
sub  4096R/2497B8B2  created: 2009-05-10  expires: never       usage: E
[ultimate] (1). Ana Beatriz Guerrero López <ana@ekaia.org>
[ultimate] (2)  Ana Beatriz Guerrero López <ana@debian.org>

Command> save
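
The interactive sessions above (create key, add subkey for encryption) can be reproduced in one step with GnuPG's unattended key generation, which reads the same answers from a parameter file passed to "gpg --batch --gen-key". The following is an added example, not part of this page: a shell function that writes a parameter file describing the key shape shown above (a 4096-bit RSA primary key for signing and certification, a 4096-bit RSA subkey for encryption, no expiry, the SHA2-first preference list from the gpg.conf section) and a second function that runs the generation in a given GnuPG home directory. The parameter names are GnuPG's documented batch parameters; the name, email and directory values are the example's own.

```shell
#!/bin/sh
# Added example (not from the Debian wiki page): unattended generation of the
# same key layout the interactive session produces (RSA 4096 sign/cert primary
# plus RSA 4096 encrypt subkey, no expiry), via gpg --batch --gen-key.

# write_keygen_params NAME EMAIL OUTFILE
# Writes the batch parameter file. "Key-Usage: sign" limits the primary key
# to signing and certification (usage "SC" in the listings above); without it
# an RSA primary would also get the encrypt flag. Expire-Date 0 = never.
write_keygen_params() {
    cat > "$3" <<EOF
%echo Generating 4096-bit RSA key with 4096-bit RSA encryption subkey
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 4096
Subkey-Usage: encrypt
Name-Real: $1
Name-Email: $2
Expire-Date: 0
Preferences: SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
%commit
%echo done
EOF
}

# param_value FILE NAME  ->  value of parameter NAME in FILE (empty if absent)
param_value() {
    sed -n "s/^$2: //p" "$1"
}

# generate_key PARAMFILE HOMEDIR
# Runs the generation in HOMEDIR (created with owner-only permissions so it
# can be inspected separately from ~/.gnupg). GnuPG 2.1 and later asks for
# the passphrase through pinentry; GnuPG 1.4 creates an unprotected key when
# no Passphrase parameter is given, so set one with --edit-key afterwards.
generate_key() {
    mkdir -p "$2" && chmod 700 "$2" || return 1
    gpg --homedir "$2" --batch --gen-key "$1"
}

# Usage (hypothetical values):
#   write_keygen_params "Jane Example" "jane@example.com" /tmp/keygen.params
#   generate_key /tmp/keygen.params "$HOME/gnupg-new"
#   gpg --homedir "$HOME/gnupg-new" --list-keys
```

After generation, "gpg --list-keys" in the chosen home directory should show a "pub 4096R" line with usage SC and a "sub 4096R" line with usage E, matching the listing after the "addkey" step above.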

Send new key to key server

gpg --keyserver subkeys.pgp.net --send-key 6AA15948