GPG Best Practice

19/03/2019 - Ted

GPG default settings need a bit of adjustment to use the recommended hashing and encryption algorithms.

Use RSA with 4096 bits or EC key. Transitioning from one key to another can be done with a transition statement signed by old and new keys (the new key might not really be needed in that signing? What benefit does it provide?)

Edit or create the gpg.conf file and add this towards the end:

# As per recommended on https://ekaia.org/blog/2009/05/10/creating-new-gpgkey/
personal-digest-preferences SHA512
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
 
# As per recommended on https://riseup.net/en/security/message-security/openpgp/best-practices
keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options ca-cert-file=/home/elc/.gnupg/sks-keyservers.netCA.pem
 
# When creating a key, individuals may designate a specific keyserver to use to pull their keys from. It is recommended that you use the following option to ~/.gnupg/gpg.conf, which will ignore such designations:
keyserver-options no-honor-keyserver-url

If you have an existing key, it can be edited to change the preferences on it. See here that these options may be better than others. They are including CAMELLIA algos in the 2nd one. Is that better?

$ gpg --edit-key 'fingerprint'
gpg> showpref
...
gpg> setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
gpg> setpref AES256 CAMELLIA256 AES192 CAMELLIA192 AES CAMELLIA128 TWOFISH CAST5 3DES SHA512 SHA384 SHA256 SHA224 SHA1 RIPEMD160 ZLIB BZIP2 ZIP Uncompressed
gpg> save

Your key should be valid for no more than 2 years. That is, every year, increase the expiry time by up to two years. I have been doing so with 395 days; 1 year and 1 month.

$ gpg --edit-key 'fingerprint'
gpg> expire
gpg> 395
gpg> key 1
gpg> expire
gpg> 395
gpg> save

@todo - Debian maintainers keep a separate sub-key(s) pair which are used instead of the master key pair. Is this an ideal situation? The master key is kept offline for majority of the time, with a different password to protect it.

Reference:
https://wiki.debian.org/Subkeys
https://wiki.debian.org/Keysigning
https://riseup.net/en/security/message-security/openpgp/best-practices
https://ekaia.org/blog/2009/05/10/creating-new-gpgkey/
https://futureboy.us/pgp.html

Tags: