So it’s time to think of your GPG keys again.
Note: I’ve used the wayback machine for the links, because even in my own notes some of the sites I used have since gone offline.
General GPG Cheat Sheet (gock.net 2020)
First off, go ahead and generate a revocation for your current key that you keep in a password wallet. It’s like a burn-letter that if you ever did lose your secret-key or needed to burn your existing key, you can push it. But it requires the secret-key to generate it, so that users and keyservers trust it.
Then when you’re ready to generate a new key, do so, and explicitly “trust” the new from the old, and old from the new, and push that to the keyservers. This is part of the “web of trust” (that really no one pays attention too). Once you have that relationship. You can leave the old key to expire, but really you ought to push the revocation for it (because if someone got the secret-key, they could just bump the expiration date and go nuts with it). Then resume with this new key. If users actually challenged the fact that your key changed, you could point to the handoff.
Guide used:
generate a root key that you put on a physical hardware key like a yubikey, and then subkeys from it that you work from.
This is the approach I’m currently trying, and honestly it’s overkill and I’m ready to step it down a notch.
Guides used:
if you still have possession of the secret key, you can actually just set a new expiration date … 😁
Which GPG guide do you like?
email me (vbatts at hashbangbash.com)