_ _ _____ _ ___ _____ _ _ / / / / ____/ / / _/_ __/ / / / / /_/ / __/ / / / / / / / /_/ / / __ / /___/ /____/ / / / / __ / /_/ /_/_____/_____/___/ /_/ /_/ /_/ Helith - 0815 -------------------------------------------------------------------------------- Author : Rembrandt Date : 2009-01-02 Title : Creating more secure GnuPG keys Type : Information 1. Introduction GnuPG is used to encrypt or/and sign e-Mails. Nothing I descripe here is new and everything is documented. This is just a quick reference how to do serval things with GnuPG. And I wrote it down because it simply nerved to read the manpage serval times after some time passed because I forgot a option. 2. How to create a RSA/ElGamal-Key or an RSA/RSA-Key (aka 4096/4096) To make this HowTo short I won't spend much time explaining the basics of GnuPG which should be known. I simply got demotivated by reading the manpage just because I wanted to create other keypairs then those provided as defaults. If you create a normal keypair you will mostly get a DSA/ElGamal keypair if you do not choose a RSA one. A normal DSA/ElGamal keypair is 1024/4096 Bit strong. The ElGamal bitlenght is variable but DSA is limited to 1024 Bit by its specification. DSA (1024Bit FIPS-180-1) is used to sign your messages and ElGamal is used to encrypt the messages. The problem with DSA is the limitation to 1024Bit and propably also that it was invented by the NSA. Also FIPS-180-3 is not yet approved (even new GnuPG versions do support it) so I will not talk about DSA keys with 2048 or 3072 bit. I personaly recomment a RSA/ElGamal combination. The mathematical concepts underlaying Elgamal are different from those RSA base upon. If you choose a RSA/RSA combination all your trust belongs to the mathematical princip this algorithm belongs to. This means if the mathematical problem of RSA was solved some day your digital signatures can be faked or the message could get completly decrypted. So how do you create other Kay-Pairs then those provided by GnuPG defaults? Both Methods provide a 4096/4096 Bit Keypair (compared to 1024/4096 wich is the default). Because I like to keep this HowTo small just type the following commands at your shell. > is your UNIX shell (input) < is your UNIX shell (output) -> is GnuPGs own shell (interactive mode) > gpg --gen-key -> 5 -> $bitsize (4096Bit should be used) -> $further options (if you ever created a gpg key this should be no problem) After GnuPG finished the creation the ID of the key gets printed to the screen. < gpg: key 9D334724 marked as ultimately trusted < public and secret key created and signed. > gpg --edit-key &KEY-ID -> addkey -> 4 (ElGamal [4] or RSA [6]) -> $bitsize (4096Bit should be used) -> quit -> y To check the results use gpg --list-keys &KEYID ------------------------------- pub 4096R/0D09C0CC 2006-05-09 uid Rembrandt sub 4096g/4FE5EE5F 2006-05-09 ------------------------------- As you can see we generated a 4096/4096 Bit Keypair (I choosed RSA/ElGamal). I will extend this HowTo soon to add preferences for Hashalgorithms and other things I consider usefull. 3. Setting further options to enhance the security Well again get into the interactive mode of GnuPG > gpg --edit-key &KEY-ID -> showpref (this shows your current settings aka preferences) -> setpref S10 S9 S8 S7 S4 S2 H10 H9 H8 H2 H3 Z2 Z1 (take a look at the list below to get some clarity about what was entered) -> updpref -> save With the tables below you should be able to set your own preferences. Symetric algorithms: 0 clear text (none) 1 IDEA 128 bit 2 3DES 3 CAST5 128 bit 4 BLOWFISH 128 bit 5 reserved 6 reserved 7 AES 128 bit 8 AES 192 bit 9 AES 256 bit 10 TWOFISH 256 bit 100-110 reserved for experimental algorithms Hashing algorithms: 1 MD5 2 SHA1 3 RIPE-MD 160 bit 4 reserved 5 reserved 6 reserved 7 reserved 8 SHA 256 bit 9 SHA 384 bit 10 SHA 512 bit 100-110 reserved for experimental algorithms Compression algorithms: 0 uncompressed (none) 1 ZIP (RDC 1951) 2 ZLIB (RFC 1950) 3 BZIP2 (bz2) 100-110 reserved for experimental algorithms You can enforce your preferences or respect the preferences of others because not every OpenPGP-compatible product may supports all algorithms. Take a look at the manual and look for those values wich you can enter into your GnuPG configuration file. personal-cipher-preferences personal-digest-preferences personal-compress-preferences I will extend this HowTo some day to add things I consider usefull. Kind regards, Rembrandt