
What key curation can be applied to a personal gpg keypair over a period of time (e.g. 10 years) if I also want to use the keypair for professional use? What are the measures that I need to take to protect my keys? What are the risks that I may have to mitigate?

schroeder
  • opinion 1: Use subkeys separated from the main key... keep the main key offline and undistributed... make a backup paperkey of the main key. And keep the paperkey in a safe somewhere. Risks: loss of passphrase, loss of key material, compromise of main key, sunset of main key algorithm... etc... – RubberStamp Dec 26 '18 at 15:12
  • I agree with you, but is there any difference in curation of keys if the key expiration date changes? For example, at first I will consider key expiration for 10 years, next it is 15 years, so the curation remains the same, doesn't it? – Thinker Dec 26 '18 at 15:17
  • I'm not sure I understand what you mean by "key curation"... please add more detail regarding your key management plan... – RubberStamp Dec 27 '18 at 14:46
  • How to safeguard a gpg private key for many years – Thinker Dec 27 '18 at 16:29
  • You've made a distinction between 10 or 15 years... so... no, there's no difference in methods of safeguarding cryptographic material for 15 years versus 10 years. I highly recommend paperkey for long term storage of key material. And, I would recommend the use of Curve25519 / ED25519 keys ... however, your question is quite broad and the answer truly depends on which attacks you expect to protect your keys from... There are many Q/As regarding the aging of key material... Here's a good one – RubberStamp Dec 27 '18 at 16:38
  • Please note that if you want to create a Curve25519 / ED25519 keypair with the latest versions of GPG as of this writing you'll need to use the --expert option ... like this: gpg --expert --full-gen-key – RubberStamp Dec 27 '18 at 16:40
  • That is new information for me, many thanks. Also, is there any difference between using --full-gen-key and --gen-key? – Thinker Dec 28 '18 at 16:30
  • --gen-key uses the default parameters... --full-gen-key allows entry of options via menu prompts... --expert --full-gen-key gives neat options like creation of ECC/ECC keys and selecting NIST or 25519 or Brainpool curves. – RubberStamp Dec 28 '18 at 22:23
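The subkey layout RubberStamp describes (a certify-only ed25519 primary key kept offline, separate subkeys with their own expiry for daily use, and an export that leaves the primary secret behind) worked through as an added shell example; this is not code from the thread, and the gpg >= 2.1 requirement, the sample identity and the empty demo passphrase are my assumptions.

```shell
#!/bin/sh
# Builds a key hierarchy suited to long-term use: a certify-only ed25519
# primary key (to be kept offline, e.g. as a paperkey backup) plus separate
# sign/encrypt/auth subkeys with a shorter expiry. Everything happens in a
# throwaway homedir so the caller's real keyring is never touched.
# Assumes gpg >= 2.1 (for the --quick-* commands).
set -eu

# Unattended gpg with an empty passphrase: demo only, a real key gets a strong one.
gpg_batch() { gpg --batch --pinentry-mode loopback --passphrase '' "$@"; }
DEMO_UID='Example User <user@example.invalid>'   # constructed sample identity

# build_keyring HOMEDIR: create primary + subkeys; prints the primary fingerprint.
build_keyring() {
    homedir=$1
    mkdir -p "$homedir" && chmod 700 "$homedir"
    # Primary key: certify capability only, 10-year expiry (as in the question).
    gpg_batch --homedir "$homedir" --quick-gen-key "$DEMO_UID" ed25519 cert 10y
    fpr=$(gpg_batch --homedir "$homedir" --with-colons --list-keys "$DEMO_UID" \
          | awk -F: '$1=="fpr"{print $10; exit}')
    # Subkeys expire yearly; they are renewed or replaced with the primary
    # brought online only for that step, never for day-to-day signing.
    for usage in sign encr auth; do
        algo=ed25519; [ "$usage" = encr ] && algo=cv25519
        gpg_batch --homedir "$homedir" --quick-add-key "$fpr" "$algo" "$usage" 1y
    done
    echo "$fpr"
}

# key_usages HOMEDIR FPR: one capability line per secret key (primary first),
# lowercase flags only: c=certify, s=sign, e=encrypt, a=authenticate.
key_usages() {
    gpg_batch --homedir "$1" --with-colons --list-secret-keys "$2" \
      | awk -F: '$1=="sec"||$1=="ssb"{gsub(/[A-Z]/,"",$12); print $12}'
}

# export_subkeys_only HOMEDIR FPR: armored secret export that contains the
# subkeys and only a stub for the primary; this is what a daily-use machine gets.
export_subkeys_only() {
    gpg_batch --homedir "$1" --armor --export-secret-subkeys "$2"
}

# Stand-alone demo in a temporary homedir (constructed; removed afterwards).
demo() {
    d=$(mktemp -d); fpr=$(build_keyring "$d")
    key_usages "$d" "$fpr"; export_subkeys_only "$d" "$fpr" | head -n 1
    rm -rf "$d"
}
case "${1:-}" in run) demo ;; esac
```

Run it as `sh script.sh run`; the usage listing should show `c` for the primary followed by `s`, `e` and `a` for the three subkeys.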
