Switching keys in GnuPG without losing encrypted files

1

I have a 10-year-old GnuPG key that's 1024-bit DSA. I don't use it much for signing emails, but I use it a lot for encrypting files.

I would like to (I assume) revoke this key and create a new 4096- or 8192-bit RSA key. However, I need to ensure that I do not lose any of the files that are currently encrypted with my old key. I presume this means that I will still have a copy of my old private key, somehow marked "revoked" so it won't be used for anything new, and a new private key with the same full name and email address which would be used by default for encrypting files in the future.

Is this a safe and standard and supported plan? Is there anything I need to know before boldly charging forward (other than "have a couple of good backups")?

hymie

Posted 2015-09-03T11:08:21.040

Reputation: 1 011

Answers

2

Revoking does not prevent you from using it for decryption, but will disable using it for signing unless you enforce its use anyway. The same applies to others that want to encrypt files for you. Revocation does not destroy the private key in any sense, but simply adds a revocation signature (a kind of annotation to the key) not to use it any more, including a reason if you add one (like key is superseded).

Before revoking your key, consider adding a signature for your newly created one, as a hint for others you switched keys.

Jens Erat

Posted 2015-09-03T11:08:21.040

Reputation: 14 141