Gdestuynder (talk | contribs) (Filled Gnupg) |
| Line 140: | Line 140: | ||
== PGP/GnuPG == | == PGP/GnuPG == | ||
<source code="bash"> | |||
$ gpg --gen-key | |||
(1) RSA and RSA (default) | |||
[...] | |||
Your selection? 1 | |||
[...] | |||
What keysize do you want? (2048) | |||
[...] | |||
Key is valid for? (0) 2y | |||
[...] | |||
</source> | |||
== Choice of algorithm === | |||
* Do not use DSA keys. These use a deprecated 160 bits SHA1 hash (see http://csrc.nist.gov/groups/ST/hash/statement.html, http://lwn.net/Articles/337745/, http://lists.gnupg.org/pipermail/gnupg-users/2009-May/036415.html). | |||
* DSA2 keys are only supported by specific PGP implementations. | |||
* ECDSA keys are more and more common, albeit will not work on older systems/software. | |||
* RSA keys work everywhere. | |||
=== GnuPG settings === | |||
By default, GnuPG may use deprecated hashing algorithms such as SHA1 when used for signing. These settings ensure a more modern selection of hashing algorithms. | |||
File: ~/.gnupg/gpg.conf | |||
<source> | |||
personal-digest-preferences SHA256 | |||
cert-digest-algo SHA256 | |||
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed | |||
</source> | |||
= Definitions = | = Definitions = | ||
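Review bot: The added heading `== Choice of algorithm ===` has unbalanced markers (two `=` to open, three to close); it should be `=== Choice of algorithm ===` so it sits under `== PGP/GnuPG ==` at the same level as `=== GnuPG settings ===`. The first block opens with `<source code="bash">`, but the syntax-highlighting attribute is `lang`, and the gpg.conf block has no language set at all. In the `gpg --gen-key` transcript the selection and validity prompts show the typed answers (`1`, `2y`) while `What keysize do you want? (2048)` shows none, so a reader cannot tell whether the default is the intended key size; show the value explicitly. It would also help to explain in one sentence why `personal-digest-preferences` lists only SHA256 while `default-preference-list` ranks SHA512 first.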