Creating a new GPG key

GnuPG in Debian unfortunately defaults to a 2048-bit RSA primary key with SHA1 as the preferred hash. Because of weaknesses found in the SHA1 hashing algorithm, Debian prefers keys that prefer SHA2. The following instructions explain how to generate such a key and are based, with permission, on a post to Ana's blog.

pub   4096R/6AA15948 2009-05-10
      Key fingerprint = 7A33 ECAA 188B 96F2 7C91  7288 B346 4F89 6AA1 5948
uid                  Ana Beatriz Guerrero López <ana@ekaia.org>
uid                  Ana Beatriz Guerrero López <ana@debian.org>
sub   4096R/2497B8B2 2009-05-10

As a side note, we have often been asked why we mention 2048 bits. We prefer 4096-bit keys, and unless you have a reason to require a 2048-bit key, we would be much happier with a 4096-bit one. We know of many smartcards that can hold only 2048-bit keys, however, and their use is accepted.

Please note that the requirement to migrate away from DSA keys to RSA keys is not only because of the key length, but also because of the stronger algorithm. (There are classes of failure in traditional DSA that are not present in RSA.)
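To see whether keys already in a keyring meet the guidance above, the check below classifies each primary key from GnuPG's colon-format listing. It is an added example, not part of the original page; the function names, the verdict wording and the sample records are constructed, and treating RSA below 2048 bits as needing review is an assumption drawn from the 2048-bit figure above.

```shell
#!/bin/sh
# Added example: apply the page's key-type guidance to a colon-format listing.

# Read `gpg --with-colons --list-keys` output on stdin and print one verdict
# per primary key ("pub" record). Fields used: 3 = key length in bits,
# 4 = public-key algorithm (1 = RSA, 17 = DSA), 5 = long key ID.
check_key_policy() {
    awk -F: '
        $1 != "pub" { next }
        {
            bits = $3 + 0
            if ($4 == 17)          verdict = "MIGRATE DSA primary key, move to RSA"
            else if ($4 != 1)      verdict = "REVIEW algorithm " $4 " is not discussed on this page"
            else if (bits >= 4096) verdict = "OK RSA " bits " (preferred)"
            else if (bits >= 2048) verdict = "ACCEPTED RSA " bits " (4096 preferred)"
            else                   verdict = "REVIEW RSA " bits " is below 2048 bits"
            print $5 ": " verdict
        }'
}

# Constructed sample: the first record mirrors the Test User key generated
# further down this page (subkey ID is a placeholder); the second is an
# invented 1024-bit DSA key with a placeholder key ID.
sample_listing() {
    cat <<'EOF'
pub:u:4096:1:F9E235C323955501:2016-05-12:2021-05-11::u:::scESC:
sub:u:4096:1:0000000000000000:2016-05-12:2021-05-11:::::e:
pub:-:1024:17:0123456789ABCDEF:2004-01-01:::-:::scSC:
EOF
}

sample_listing | check_key_policy
```

On a real keyring, pipe `gpg --with-colons --list-keys` into `check_key_policy` instead of the sample.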

Update ~/.gnupg/gpg.conf

We need to configure GnuPG to use SHA2 in preference to SHA1, so add the following at the end of the file:

personal-digest-preferences SHA256
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

If you use caff for signing keys, you will also need to add these lines to ~/.caff/gnupghome/gpg.conf; otherwise your signatures will be SHA1.
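Because a missing line in either file silently falls back to SHA1, it is worth auditing both. The script below is an added example, not part of the original page: it reports which of the three settings a gpg.conf lacks or sets to a non-SHA2 first choice. The function names are hypothetical, and it assumes that a repeated option is judged by its last occurrence.

```shell
#!/bin/sh
# Added example: audit a gpg.conf for the three SHA2 settings listed above.

# Print the upper-cased value of option $2 in file $1, ignoring comments.
# Assumption: if an option is repeated, the last occurrence is the one checked.
conf_value() {
    awk -v opt="$2" '
        { sub(/#.*/, "") }
        $1 == opt { $1 = ""; sub(/^ +/, ""); val = toupper($0) }
        END { print val }
    ' "$1"
}

# Succeed when the first algorithm named in "$1" is a SHA2 hash.
# Only algorithm names are recognised, not numeric forms.
first_is_sha2() {
    case "${1%% *}" in
        SHA224|SHA256|SHA384|SHA512) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one line per problem found in file $1; succeed only if there are none.
check_gpg_conf() {
    file=$1
    problems=""
    [ -r "$file" ] || { echo "$file: missing or unreadable"; return 1; }
    for opt in personal-digest-preferences cert-digest-algo default-preference-list; do
        val=$(conf_value "$file" "$opt")
        if [ -z "$val" ]; then
            problems="${problems}${file}: ${opt} not set
"
        elif ! first_is_sha2 "$val"; then
            problems="${problems}${file}: ${opt} does not start with a SHA2 hash
"
        fi
    done
    printf '%s' "$problems"
    [ -z "$problems" ]
}

# Audit both files the page names, skipping any that do not exist.
for f in "$HOME/.gnupg/gpg.conf" "$HOME/.caff/gnupghome/gpg.conf"; do
    if [ -e "$f" ]; then check_gpg_conf "$f" || true; fi
done
```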

Create key

0 user@jessie:~$ mkdir -p ~/.gnupg/
0 user@jessie:~$ cat >> ~/.gnupg/gpg.conf <<EOF
> personal-digest-preferences SHA256
> cert-digest-algo SHA256
> default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
> EOF
0 user@jessie:~$ gpg --gen-key
gpg (GnuPG) 1.4.18; Copyright (C) 2014 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: keyring `/home/user/.gnupg/secring.gpg' created
gpg: keyring `/home/user/.gnupg/pubring.gpg' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 3y
Key expires at Tue 11 May 2019 12:53:08 AM EDT
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Test User
Email address: test@example.org
Comment: 
You selected this USER-ID:
    "Test User <test@example.org>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

passphrase not correctly repeated; try again.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
..........+++++
.................................+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
........+++++
.......+++++
gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
gpg: key 23955501 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2021-05-11
pub   4096R/23955501 2016-05-12 [expires: 2021-05-11]
      Key fingerprint = 519D 4592 3D31 56E6 B7A8  269E F9E2 35C3 2395 5501
uid                  Test User <test@example.org>
sub   4096R/653CA81D 2016-05-12 [expires: 2021-05-11]

0 user@jessie:~$ 

Add other UID

If you need to add more than one email address to your key:

0 user@jessie:~$ gpg --edit-key '519D 4592 3D31 56E6 B7A8  269E F9E2 35C3 2395 5501'
gpg (GnuPG) 1.4.18; Copyright (C) 2014 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  4096R/23955501  created: 2016-05-12  expires: 2021-05-11  usage: SC  
                     trust: ultimate      validity: ultimate
sub  4096R/653CA81D  created: 2016-05-12  expires: 2021-05-11  usage: E   
[ultimate] (1). Test User <test@example.org>

gpg> adduid
Real name: Test User
Email address: test@business.example
Comment: 
You selected this USER-ID:
    "Test User <test@business.example>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

You need a passphrase to unlock the secret key for
user: "Test User <test@example.org>"
4096-bit RSA key, ID 23955501, created 2016-05-12

                  
pub  4096R/23955501  created: 2016-05-12  expires: 2021-05-11  usage: SC  
                     trust: ultimate      validity: ultimate
sub  4096R/653CA81D  created: 2016-05-12  expires: 2021-05-11  usage: E   
[ultimate] (1)  Test User <test@example.org>
[ unknown] (2). Test User <test@business.example>

gpg> save
0 user@jessie:~$ 

Set primary UID

(Only needed if you've added more than one UID as above)

0 user@jessie:~$ gpg --edit-key '519D 4592 3D31 56E6 B7A8  269E F9E2 35C3 2395 5501'
gpg (GnuPG) 1.4.18; Copyright (C) 2014 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2021-05-11
pub  4096R/23955501  created: 2016-05-12  expires: 2021-05-11  usage: SC  
                     trust: ultimate      validity: ultimate
sub  4096R/653CA81D  created: 2016-05-12  expires: 2021-05-11  usage: E   
[ultimate] (1). Test User <test@business.example>
[ultimate] (2)  Test User <test@example.org>

gpg> uid 2

pub  4096R/23955501  created: 2016-05-12  expires: 2021-05-11  usage: SC  
                     trust: ultimate      validity: ultimate
sub  4096R/653CA81D  created: 2016-05-12  expires: 2021-05-11  usage: E   
[ultimate] (1). Test User <test@business.example>
[ultimate] (2)* Test User <test@example.org>

gpg> primary

You need a passphrase to unlock the secret key for
user: "Test User <test@business.example>"
4096-bit RSA key, ID 23955501, created 2016-05-12

                  
pub  4096R/23955501  created: 2016-05-12  expires: 2021-05-11  usage: SC  
                     trust: ultimate      validity: ultimate
sub  4096R/653CA81D  created: 2016-05-12  expires: 2021-05-11  usage: E   
[ultimate] (1)  Test User <test@business.example>
[ultimate] (2)* Test User <test@example.org>

gpg> save
0 user@jessie:~$ 

Send new key to key server

gpg --keyserver pool.sks-keyservers.net --send-key '519D 4592 3D31 56E6 B7A8  269E F9E2 35C3 2395 5501'