Re: Updating GPG howto (http://keyring.debian.org/creating-key.html)



On Tue, Apr 05, 2011 at 05:15:15PM +0200, Vincent Caron wrote:
>   2/ It is suggested to update gnupg.conf with:
> 
>   personal-digest-preferences SHA256
>   cert-digest-algo SHA256
>   default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
> 
>   Is it still needed with GnuPG 1.4.11 ?

This isn't strictly needed with any version of GnuPG.  However, these
settings choose algorithms which are known to be stronger (avoiding MD5
and the mandatory but somewhat weakened SHA1).  Setting
default-preference-list specifies which algorithms you prefer in your
key's self-signature (which you can always change later).
Implementations are forbidden from using algorithms (other than the
default must-implement ones) that you do not specify in your
self-signature.  Using cert-digest-algo chooses the algorithm you will
use in signing keys.  And finally, personal-digest-preferences is the
algorithm you will use when signing data.

If you know what you're doing, you can choose the algorithms you prefer
here instead of these.  If you don't, these are fine choices.

>   3/ The -gen-key menu has changed from the tutorial, it is now:
> 
>   Please select what kind of key you want:
>      (1) RSA and RSA (default)
>      (2) DSA and Elgamal
>      (3) DSA (sign only)
>      (4) RSA (sign only)
> 
>   Again Ana's blog has been updated and it looks legal (and a good idea)
> to select the (1) option which also generates an encryption key in one
> go. Is that correct ?

Yes.  It creates an RSA main key (used for signing other keys and
possibly data) and an RSA encryption-only subkey.  Some people use a
subkey for signing as well, but that can be generated later.  I
recommend using the largest size possible, which IIRC is 4096 bits.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 832 623 2791 | http://www.crustytoothpaste.net/~bmc | My opinion only
OpenPGP: RSA v4 4096b: 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
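
Added example, not part of the original message: a small Python check that reads gpg.conf text and reports where the three options discussed above would still use or prefer MD5 or SHA1. The function names and both sample configs are constructed for illustration; the H-number aliases are the RFC 4880 hash algorithm IDs.

```python
# Added example: audit gpg.conf text for the three digest options discussed above.
# Function names and both sample configs are constructed for illustration.
H_IDS = {"H1": "MD5", "H2": "SHA1", "H3": "RIPEMD160", "H8": "SHA256",
         "H9": "SHA384", "H10": "SHA512", "H11": "SHA224"}  # RFC 4880 hash IDs
DIGESTS = set(H_IDS.values())
WEAK = {"MD5", "SHA1"}  # the digests the message recommends avoiding

def norm(token):
    """Upper-case an algorithm token and expand an 'H<n>' alias to its name."""
    token = token.upper()
    return H_IDS.get(token, token)

def parse_conf(text):
    """Return {option: [args]}; blank lines and '#' comment lines are skipped."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, *args = line.split()
            opts[name.lower()] = [norm(a) for a in args]
    return opts

def audit(text):
    """List findings where a weak digest would be used or preferred first."""
    opts, findings = parse_conf(text), []
    cert = opts.get("cert-digest-algo")  # digest used when signing keys
    if not cert:
        findings.append("cert-digest-algo: not set, GnuPG's default applies")
    elif cert[0] in WEAK:
        findings.append(f"cert-digest-algo: weak digest {cert[0]}")
    # In both preference lists the order matters: first digest is most preferred.
    for name in ("personal-digest-preferences", "default-preference-list"):
        digests = [a for a in opts.get(name, []) if a in DIGESTS]
        if not digests:
            findings.append(f"{name}: no digest listed")
        elif digests[0] in WEAK:
            findings.append(f"{name}: {digests[0]} is preferred first")
    return findings

RECOMMENDED = """\
personal-digest-preferences SHA256
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
"""
WEAK_CONF = """\
# constructed sample
cert-digest-algo SHA1
personal-digest-preferences H2 SHA256
"""

if __name__ == "__main__":
    for label, conf in (("recommended", RECOMMENDED), ("weak", WEAK_CONF)):
        print(label, audit(conf) or "no findings")
```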
