Posts Tagged "gpg"

Yet again, it has come time to rotate my PGP/GnuPG private key. My old key (1ED5E5A301C3D109904022893C7775DD37811E62) actually expired a couple of weeks ago, and I've been procrastinating writing up this transition. The new key is 0xC6496DEB3DA8E9B5 (full fingerprint: 24F8AA354990F3F562EC014BC6496DEB3DA8E9B5) You can also find it at https://files.roguelazer.com/roguelazer.gpg. It has also been attached to my keybase.io account¹ and my Github profile. It is cross-signed by the old key.

My signed transition document is below, and can also be found at 2022-05-28-key-transition-statement.txt.asc if you prefer to download it directly.

My current PGP/GnuPG key is expiring, so I've rolled a new one. The ID of the new key is 0x3C7775DD37811E62 (full fingerprint: 1ED5 E5A3 01C3 D109 9040 2289 3C77 75DD 3781 1E62) and it should be in your favorite keyservers, cross-signed by my old key. You can also find it at https://files.roguelazer.com/roguelazer.gpg. It has also been attached to my keybase.io account and my Github profile. My previous key (0xAEE8F2454A41B87D) has not been revoked and has not been compromised, but you should still stop using it if possible. The new key is a 4096-bit RSA key with SHA-2 digest signatures — I'm not quite bold enough to switch to ECC for a long-lived key yet.

My signed transition document is below, and can also be found at 2019-04-27-key-transition-statement.txt.asc if you prefer to download it directly.

Additionally, I have generated a separately-signed key with ID 0x233E5EAF0EC3ABA9 (full fingerprint: 14E8 9660 188D BC9B 2C17 67AA 233E 5EAF 0EC3 ABA9). This key should not be used for communication, but will only be used to sign VCS commits/tags/&c (in Git and perhaps in Pijul¹). It's going to be on my [managed] work computer², so treat it with a grain of salt.

In light of all of the hullabaloo about PRISM and other spying technology, I thought it'd be good to remind all of your dear readers that we've had the technology to ensure private communications on the Internet for 22 years in the form of Pretty Good Privacy (and the much-more-commonly-used implementation, GnuPG). Ars Technica had an okay article about e-mail encryption with PGP which I recommend reading, although you should keep in mind that most security professionals would consider infrastructural PKI like SSL and S/MIME to be compromised by nation-state-level adversaries (and all associated MIC contractors).

Anyhow, my GPG …

As you may have seen around the Internet, there was a fairly significant break in the SHA-1 hash function, which is used by default in GnuPG. This is worrisome, since GPG/PGP signatures are one of the only things I'd actually trust to verify somebody's identity online. So I've generated a new key with a 2048-bit RSA primary (for SHA256 and SHA512 support) and a 4096-bit ElGamal encrypting key (which took about 15 minutes to generate, so better be worth it). The key ID is CB8AA0FF, and the fingerprint is 5C35 D713 3E10 9A19 FFFC F58A 68E8 3B57 CB8A A0FF …