What key curation can be applied to a personal gpg keypair over a period of time (e.g. 10 years) if I also want to use the keypair for professional use? What are the measures that I need to take to protect my keys? What are the risks that I may have to mitigate?
- *opinion 1*: Use subkeys separated from the main key... keep the main key offline and undistributed... make a backup [paperkey](https://www.jabberwocky.com/software/paperkey/) of the main key. And keep the paperkey in a safe somewhere. *Risks*: loss of passphrase, loss of key material, compromise of main key, sunset of main key algorithm... etc... – RubberStamp Dec 26 '18 at 15:12
- I agree with you, but is there any difference in the curation of keys if the key expiration date changes? For example, at first I will consider a key expiration of 10 years, next 15 years; so the curation remains the same, doesn't it? – Thinker Dec 26 '18 at 15:17
- I'm not sure I understand what you mean by "key curation"... please add more detail regarding your key management plan... – RubberStamp Dec 27 '18 at 14:46
- How to safeguard a GPG private key for many years. – Thinker Dec 27 '18 at 16:29
- You've made a distinction between 10 or 15 years... so... no, there's no difference in methods of safeguarding cryptographic material for 15 years versus 10 years. I highly recommend paperkey for long term storage of key material. And, I would recommend the use of *Curve25519 / ED25519* keys... however, your question is quite broad and the answer truly depends on which attacks you expect to protect your keys from... There are many Q/As regarding the aging of key material... [Here's a good one](https://security.stackexchange.com/questions/90077/ssh-key-ed25519-vs-rsa) – RubberStamp Dec 27 '18 at 16:38
- Please note that if you want to create a Curve25519 / ED25519 keypair with the latest versions of GPG as of this writing you'll need to use the `--expert` option... like this: `gpg --expert --full-gen-key` – RubberStamp Dec 27 '18 at 16:40
- That is new information for me, many thanks. Also, is there any difference between using `--full-gen-key` and `--gen-key`? – Thinker Dec 28 '18 at 16:30
- `--gen-key` uses the default parameters... `--full-gen-key` allows entry of options via menu prompts... `--expert --full-gen-key` gives neat options like creation of ECC/ECC keys and selecting NIST or 25519 or Brainpool curves. – RubberStamp Dec 28 '18 at 22:23