While rummaging around the computer the other day, I realized that my GPG key had expired quite some time ago. I decided that even though I haven’t used it in years, it was time to create another keypair and publish it to the world. You can find it here, and you can learn a bit more about how it works at the same link.
Why bother to create another key if I almost never use it? Good question. I have used GPG for legitimate purposes several times, mainly for communicating with security researchers about vulnerability disclosures, and for that purpose it’s a very good option: it’s free, quick, and most security folks are knowledgeable enough about GPG that they aren’t intimidated by the steep learning curve.
But even more than that, GPG and public-key cryptography are just cool. In fact, cryptography is the main reason I’m in the security field. In college, I read all about cryptography, used PGP when that was a thing, long before the existence of OpenPGP and alternatives like GnuPG. I read The Codebreakers and Applied Cryptography, and played around with cryptography before I realized that yes, you can actually build a career out of this. Eventually I did decide that beyond being cool, security would be a fun thing to do as a job, and here I am.
There are also some technical reasons to create a new keypair. The last one I generated in 2011 used a 1024-bit DSA key. That’s widely considered to be too small to be secure these days: NIST disallowed 1024-bit keys after 2013 due to the increasing likelihood of the ability to compromise such a key, and removed DSA from the Digital Signature Standard altogether this year. There’s no indication that 1024-bit DSA keys have been compromised in real life and DSA can still be used for verifying old stuff, but it shouldn’t be used going forward.
Instead, the move is towards elliptic-curve cryptography, as the key sizes can be much smaller than the equivalent DSA/RSA keys for the same security. These have become fairly common in crypto libraries, and are generally recommended over things like RSA these days. Following the suggestions in this guide, I chose to generate an Ed25519 key.
I also followed some of the best practices here and did the following:
- I use the main key just for certification, with a 10-year expiration.
- I generated two subkeys, one for signing and one for encryption, with 2-year expirations.
- I created a revocation certificate just in case.
The expiration dates are probably a bit longer than suggested, but a 10-year primary key is probably good enough for me, considering I may never use it, and unless there is a sudden, unexpected problem with Ed25519, it should be safe for that long, at which point I can reassess. Keeping my primary key entirely offline is something I probably won’t do: I’ve done offline roots for PKI before, but that was for something more important than my personal GPG key!
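One way to produce the key layout listed above and then check a key listing against it, as an added example rather than the commands actually used for this key. It assumes GnuPG 2.1 or later and a Curve25519 encryption subkey; `make_key` and `check_layout` are hypothetical helper names, and the two sample listings are constructed.

```shell
#!/bin/sh
# Added example. Assumes GnuPG 2.1+; the user ID in $1 is the caller's own.

# Certify-only Ed25519 primary key (10y) plus signing and encryption
# subkeys (2y). gpg asks for the passphrase through pinentry.
make_key() {
    gpg --quick-generate-key "$1" ed25519 cert 10y || return 1
    fpr=$(gpg --with-colons --fingerprint "$1" |
          awk -F: '$1 == "fpr" { print $10; exit }')
    gpg --quick-add-key "$fpr" ed25519 sign 2y || return 1
    gpg --quick-add-key "$fpr" cv25519 encr 2y || return 1
    # GnuPG 2.1+ stores a revocation certificate for the new key here:
    echo "${GNUPGHOME:-$HOME/.gnupg}/openpgp-revocs.d/$fpr.rev"
}

# Read `gpg --with-colons --list-keys` output for one key on stdin, print one
# line per deviation from that layout, and return non-zero if there is any.
check_layout() {
    awk -F: '
        $1 != "pub" && $1 != "sub" { next }
        { own = $12; gsub(/[A-Z]/, "", own) }  # lowercase: usage of this key itself
        $4 == 17 { print $1 " " $5 ": DSA key (" $3 " bits)"; bad = 1 }
        $7 == "" { print $1 " " $5 ": no expiration date"; bad = 1 }
        $1 == "pub" && own != "c" {
            print "pub " $5 ": usage \"" own "\" is not certify-only"; bad = 1
        }
        $1 == "sub" && own ~ /s/ { sign = 1 }
        $1 == "sub" && own ~ /e/ { encr = 1 }
        END {
            if (!sign) { print "no signing subkey"; bad = 1 }
            if (!encr) { print "no encryption subkey"; bad = 1 }
            exit bad + 0
        }'
}

# Constructed listings (key IDs and timestamps are made up).
new_style() { cat <<'EOF'
pub:u:255:22:AAAAAAAAAAAAAAAA:1700000000:2015360000::u:::cESC:
sub:u:255:22:BBBBBBBBBBBBBBBB:1700000000:1763072000:::::s:
sub:u:255:18:CCCCCCCCCCCCCCCC:1700000000:1763072000:::::e:
EOF
}
old_style() { cat <<'EOF'
pub:e:1024:17:DDDDDDDDDDDDDDDD:1300000000:1400000000::-:::scESC:
sub:e:2048:16:EEEEEEEEEEEEEEEE:1300000000:1400000000:::::e:
EOF
}
```

After sourcing the file, `old_style | check_layout` reports the 1024-bit DSA primary key, its sign-and-certify usage, and the missing signing subkey, while `new_style | check_layout` prints nothing. For a real key, pipe `gpg --with-colons --list-keys` for that key into `check_layout`.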
So if anybody ever needs to communicate with me in a secure way, you now have my updated key. Drop me a message if you feel like it!