title: A new GPG key
author: John Lenz
tags: gpg
date: September 17, 2012
A2A6 3C06 35F7 0E95 3470 25F5 29C5 C3D9 18E3 6459
My original gpg key was generated in 2006 and is a 1024 bit DSA key. The main reason for updating is that my old key preferred SHA1 as the digest, and SHA1 is now broken enough to not be recommended anymore: see this NIST statement from 2004 plus Wikipedia for recent breakages. There is some debate over whether the recent progress towards achieving a collision is practical or not, and the breakage would not allow attackers to create arbitrary signatures. But with hash functions such as SHA256 standardized and sitting right there without these uncertainties, organizations like NIST and NSA recommend against SHA-1.
You can check the list of preferred hash functions using showprefs. The following is from my old key; you can see SHA1 as the preferred digest.
    # gpg --edit-key <keyid>
    gpg> showprefs
    ...
         Cipher: AES256, AES192, AES, CAST5, 3DES
         Digest: SHA1, SHA256, RIPEMD160
         Compression: ZLIB, BZIP2, ZIP, Uncompressed
         Features: MDC, Keyserver no-modify
    ...
So I decided it was time to generate a new GPG key using SHA256 as the preferred digest. While I was generating a new key, I increased the key length to 2048 bits and generated an RSA key instead. RSA is the default for gpg now; I am not sure why, but I decided to stick with the default.
If you upgrade your own key, make sure to put the following entries into ~/.gnupg/gpg.conf:
    personal-digest-preferences SHA256
    cert-digest-algo SHA256
    default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
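A quick way to check both things described above, the preferred digest in showprefs output and the three gpg.conf entries. This is an added example, not part of the original post; the function names are hypothetical, and it assumes algorithms are written by name (SHA256) rather than by numeric preference identifiers.

```shell
#!/bin/sh
# Added example, not from the original post. Sample data is constructed
# from the listings shown on this page.

# Print the most preferred digest from `showprefs` output read on stdin.
preferred_digest() {
    awk -F': *' '/^[ \t]*Digest:/ { split($2, d, /, */); print d[1]; exit }'
}

# First digest named in gpg.conf option $2 of file $1, upper-cased.
# Commented-out lines never match because $1 must equal the option name.
conf_digest() {
    awk -v opt="$2" '$1 == opt {
        for (i = 2; i <= NF; i++) {
            v = toupper($i)
            if (v ~ /^(SHA|RIPEMD|MD5)/) { print v; exit }
        }
    }' "$1"
}

# Check the three entries recommended in the post. Prints one line per
# problem and returns non-zero if an entry names no digest or names SHA1 first.
audit_gpg_conf() {
    rc=0
    for opt in personal-digest-preferences cert-digest-algo \
               default-preference-list; do
        d=$(conf_digest "$1" "$opt")
        if [ -z "$d" ]; then
            echo "$opt: no digest name found"; rc=1
        elif [ "$d" = "SHA1" ]; then
            echo "$opt: SHA1 is listed first"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the old key's showprefs excerpt from this page.
OLD_PREFS='     Cipher: AES256, AES192, AES, CAST5, 3DES
     Digest: SHA1, SHA256, RIPEMD160
     Compression: ZLIB, BZIP2, ZIP, Uncompressed'

echo "old key prefers: $(printf '%s\n' "$OLD_PREFS" | preferred_digest)"
```

Run `audit_gpg_conf ~/.gnupg/gpg.conf` against your own configuration, and pipe a key's saved showprefs output into `preferred_digest` to see which digest it lists first.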