Transitioning to a new more secure GnuPG key

I am transitioning GnuPG keys from an old 1024-bit key to a new 4096-bit key, because 1024-bit keys are uncomfortably close to what can be cracked. The old key will continue to be valid for some time, but I prefer all new correspondence to be encrypted to the new key, and will be making all signatures going forward with the new key.

If you have signed my old key, I would appreciate signatures on my new key as well, provided that your signing policy permits that without re-authenticating me.

The old key, which I am transitioning away from, is:

pub   1024D/0x5647280A274D4F97 2007-11-27 [expires: 2014-09-30]
    Key fingerprint = 14DE 735E 198A 7419 FE51  D833 5647 280A 274D 4F97

The new key, to which I am transitioning, is:

pub   4096R/0x74DCA8A36C52F833 2014-03-30
    Key fingerprint = 7251 9DA2 D8BD 6F38 D4A1  199E 74DC A8A3 6C52 F833

To fetch the full new key, download it here or fetch it from a public key server using GnuPG by running:

gpg --keyserver pool.sks-keyservers.net --recv-key 0x74DCA8A36C52F833

If you have already validated my old key, you can then validate that the new key is signed by my old key:

gpg --check-sigs 0x74DCA8A36C52F833

This transition document is signed with both keys to validate the transition. If you want to verify the authenticity of the transition document yourself, run the following command on the file:

gpg --verify transition-2014-03.txt

If you then want to sign my new key, a simple and safe way to do that is by using caff (shipped in Debian as part of the “signing-party” package) as follows:

caff 0x74DCA8A36C52F833
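The check-sigs and verify steps above are easy to eyeball once, but a script that reads gpg's machine-readable output makes the two conditions explicit: the new key carries a certification from the old key, and the transition document is validly signed by both fingerprints. The following is an added example, not part of the original post; the sample output it parses is constructed (with a placeholder user id) to stand in for the output of `gpg --with-colons --list-sigs` and `gpg --status-fd 1 --verify`.

```python
# Added example (not from the original post): confirm a key transition from
# gpg's machine-readable output. Sample output below is constructed, with a
# placeholder user id; real input comes from
#   gpg --with-colons --list-sigs 0x74DCA8A36C52F833
#   gpg --status-fd 1 --verify transition-2014-03.txt
OLD_FPR = "14DE735E198A7419FE51D8335647280A274D4F97"
NEW_FPR = "72519DA2D8BD6F38D4A1199E74DCA8A36C52F833"

SAMPLE_LISTSIGS = "\n".join([  # constructed --with-colons --list-sigs output
    "pub:u:4096:1:74DCA8A36C52F833:1396137600:::u:::scESC::::::23::0:",
    "fpr:::::::::" + NEW_FPR + ":",
    "uid:u::::1396137600::HASH::Key Owner <owner@example.org>::::::::::0:",
    "sig:::1:74DCA8A36C52F833:1396137600::::Key Owner <owner@example.org>:13x:::::2:",
    "sig:::17:5647280A274D4F97:1396137600::::Key Owner <owner@example.org>:10x:::::2:",
])
SAMPLE_STATUS = "\n".join([  # constructed --status-fd lines for the document
    "[GNUPG:] GOODSIG 74DCA8A36C52F833 Key Owner <owner@example.org>",
    "[GNUPG:] VALIDSIG " + NEW_FPR + " 2014-03-30 1396137600 0 4 0 1 8 00 " + NEW_FPR,
    "[GNUPG:] GOODSIG 5647280A274D4F97 Key Owner <owner@example.org>",
    "[GNUPG:] VALIDSIG " + OLD_FPR + " 2014-03-30 1396137600 0 4 0 17 2 00 " + OLD_FPR,
])

def keyid(fpr):
    """The long key id is the last 16 hex digits of the fingerprint."""
    return fpr[-16:]

def certifiers_of(colons_output, fpr):
    """Long key ids that certified a user id on the key with fingerprint fpr.
    In a sig record field 5 is the signer's key id and field 11 the class;
    only certification classes 0x10-0x13 count (no subkey/revocation sigs)."""
    signers, inside = set(), False
    for line in colons_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            inside = False                    # wait for this key's fpr record
        elif f[0] == "fpr":
            inside = (f[9] == fpr)
        elif f[0] == "sig" and inside and f[10][:2] in ("10", "11", "12", "13"):
            signers.add(f[4])
    return signers

def validsig_fingerprints(status_output):
    """Fingerprints from VALIDSIG status lines (one per good signature)."""
    return {l.split()[2] for l in status_output.splitlines()
            if l.startswith("[GNUPG:] VALIDSIG ")}

def transition_ok(colons_output, status_output):
    """True when the old key certified the new one and the transition
    document carries valid signatures from both keys."""
    cross_signed = keyid(OLD_FPR) in certifiers_of(colons_output, NEW_FPR)
    both_signed = {OLD_FPR, NEW_FPR} <= validsig_fingerprints(status_output)
    return cross_signed and both_signed

if __name__ == "__main__":
    print("transition verified" if transition_ok(SAMPLE_LISTSIGS, SAMPLE_STATUS)
          else "transition NOT verified")
```

Comparing against the full fingerprints rather than the short key ids printed in gpg's human-readable output is deliberate: short ids are cheap to collide, fingerprints are not.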

Please contact me via e-mail if you have any questions about this transition. If you want to transition to a new key as well, you might find this guide helpful.
