Transitioning to a new GPG key

I’ve been meaning to review my encryption settings and keys for some time. I really should have done this a long time ago, but it’s better to do it now (and late) rather than never. I created my master key in 1999, and in computing terms that’s forever ago. I also know that I’ll need to do this again several years from now, and since I’m sure I’ll forget what I did, I’m documenting the process here as I usually do.

The process below largely follows the corresponding post in Ana’s blog (which is now more than 5 years old), the Debian Administration weblog entry, and the current OpenPGP best practices. I’m using GnuPG v1.4.16 on an Ubuntu 14.04 LTS system – that’s the one that comes with the packages from the standard repositories.

  1. First step is to update the GnuPG settings by adding the following lines at the end of .gnupg/gpg.conf:
    # set defaults to avoid weak digests
    personal-digest-preferences SHA256
    cert-digest-algo SHA256
    default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
  2. Next, create a new master key:
    gpg --gen-key

    On recent GnuPG systems, just choose option 1 to create an RSA master key for signing and an RSA subkey for encryption. I went with a 4096-bit length, and set it to expire in 2 years. While I don’t intend to create new keys so often, this is a good fail-safe in case I ever lose my private key. In normal circumstances, I’ll just push the expiry date by another two years, every two years. Note: GPG will ask separately for your real name, email, and a comment; these are used to construct your user ID as “Real Name (Comment) <email>”. When this is done, GPG should list the newly created keys: the first is the master key for signing, and the second is the subkey for encryption. The key ID is the 8-hex-digit sequence (same as the tail of the key fingerprint). You’ll need this to identify your new key.

  3. Add more user IDs as necessary:
    gpg --edit-key XXXXXXXX

    where XXXXXXXX should be replaced by the key ID for your newly generated key. This command will select the new master key and put you in GPG command mode; this is where you issue the command to add a new user ID:

    gpg> adduid

    and follow the prompts to enter the real name, email, and comment for the new ID. When you’re done, set your preferred user ID as your primary one:

    gpg> uid X

    where X should be replaced by the index of your preferred ID. Finally, save and exit the GPG command prompt:

    gpg> save
  4. Sign the new key with the old one:
    gpg --default-key OOOOOOOO --sign-key NNNNNNNN

    where OOOOOOOO is the key ID of your old key, and NNNNNNNN is the key ID of the new key. This allow people to validate your transition.

  5. Publish the new key to a key server:
    gpg --send-key XXXXXXXX

    where XXXXXXXX is the new key ID. This sends the public key to the default keyserver from your gpg.conf configuration (mine defaulted to

  6. Generate a revocation certificate for the new key and keep it in a safe place:
    gpg --output revoke-XXXXXXXX.asc --gen-revoke XXXXXXXX

    where XXXXXXXX is the new key ID. You can use this to revoke your new key in case you ever lose access to it.

  7. Make sure your old key will expire in some reasonable time frame (say, 30 days). Alternatively, remind yourself to revoke it in 30 days’ time.
  8. Let people know, ideally by writing a key transition statement, signed with both your new and old keys. Mine will follow as a separate blog post.

Leave a Comment

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s