Created
November 29, 2022 01:37
-
-
Save kytta/781b7d0f9cf45d75c73f6b9746e86abb to your computer and use it in GitHub Desktop.
The 2022 OpenPGP key transition
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Title: The 2022 OpenPGP key transition | |
| Author: Nikita Karamov | |
| Date: 29 Nov 2022 | |
| What follows is a quite long explanation as to what happened to my OpenPGP keys. | |
| TL;DR: Do not use these RSA keys any more: | |
| - 0xF0A49E6D84E6EEBE | |
| - 0x3C8E688C96EEB9C9 | |
| - 0xB3F5AD70F57CA4F7 | |
| - 0x53F9AEE567559D7D | |
| Instead, use these Ed25519 keys: | |
| - 0xD397E9BE9E6898FA | |
| - 0x41D6F71EE78E77CD | |
| - 0x00786CB1291515C4 | |
| - 0x11A76086EB521F14 | |
| On 26 Nov 2022, I have decided to set up a new OpenPGP key. I wanted to stop | |
| using RSA keys in favour of the ECC (elliptic-curve cryptography) keys. As such, | |
| I have created a new certifying key and three subkeys. Then, I have signed this | |
| new key with my old one. Fingerprints of both keys are in the Appendix A. | |
| The next step would be to transfer my new keys onto my security token. This | |
| would overwrite my old subkeys. I was sure I've had a backup of the old subkeys, | |
| so I transferred the new keys onto the token. | |
| As it turns out, my backup was bad this whole time, as I apparently had done it | |
| after I'd moved the keys to the token. As a result, my backup contained just | |
| the key stubs. So, I don't have the old subkeys any more, only the master key. | |
| I have created two new subkeys for the time being. | |
| I have lost access to my old subkeys and thus to some files and many emails. | |
| While I try to recover some of the stuff, please, DO NOT USE MY OLD KEY for | |
| anything; it is not safe to use any more. It will continue to be valid until | |
| 01 Jan 2022; I have updated its expiry dates accordingly. | |
| To certify the transition, I have signed this using the new key and the new | |
| subkey of the old key. Verification instructions are in the Appendix B. | |
| Please let me know if you have any questions, or problems. I apologize for the | |
| inconvenience. | |
| Nikita Karamov <me@kytta.dev> | |
| APPENDIX A: Key fingerprints | |
| The old key: | |
| pub rsa4096/0xF0A49E6D84E6EEBE 2021-07-11 [C] [expires: 2023-01-01] | |
| Key fingerprint = D836 4910 9830 AF99 BD41 C9D2 F0A4 9E6D 84E6 EEBE | |
| uid [........] Nikita Karamov <me@kytta.dev> | |
| uid [........] Nikita Karamov <nick@karamoff.dev> | |
| uid [........] Nikita Karamov <n.karamov@tu-braunschweig.de> | |
| uid [........] Nikita Karamov <n.karamov@tu-bs.de> | |
| sub rsa4096/0x3C8E688C96EEB9C9 2022-01-07 [S] [expires: 2023-01-01] | |
| sub rsa4096/0xB3F5AD70F57CA4F7 2022-01-07 [E] [expires: 2023-01-01] | |
| sub rsa4096/0x53F9AEE567559D7D 2022-01-07 [A] [expires: 2023-01-01] | |
| sub rsa4096/0xB84D903FECA631F3 2022-11-26 [E] [expires: 2023-01-01] | |
| sub rsa4096/0x49F8D4AF3463093F 2022-11-28 [S] [expires: 2023-01-01] | |
| The new key: | |
| pub ed25519/0xD397E9BE9E6898FA 2022-11-26 [C] | |
| Key fingerprint = AF6C 280C 2A34 D3F3 9BED 9366 D397 E9BE 9E68 98FA | |
| uid [........] Nikita Karamov <me@kytta.dev> | |
| uid [........] Nikita Karamov <n.karamov@tu-braunschweig.de> | |
| uid [........] Nikita Karamov <n.karamov@tu-bs.de> | |
| uid [........] Nikita Karamov <nikita@secure.mailbox.org> | |
| sub ed25519/0x41D6F71EE78E77CD 2022-11-26 [S] [expires: 2023-11-26] | |
| sub cv25519/0x00786CB1291515C4 2022-11-26 [E] [expires: 2023-11-26] | |
| sub ed25519/0x11A76086EB521F14 2022-11-26 [A] [expires: 2023-11-26] | |
| APPENDIX B: How to verify the keys and this message | |
| To fetch my old and new OpenPGP keys, execute: | |
| gpg --keyserver keys.openpgp.org --recv-key 0xF0A49E6D84E6EEBE | |
| gpg --keyserver keys.openpgp.org --recv-key 0xD397E9BE9E6898FA | |
| Verify that the new key is signed by the old one: | |
| gpg --check-sigs 0xD397E9BE9E6898FA | |
| For extra security, you can compare the fingerprint of the new key with | |
| the one in the Appendix A: | |
| gpg --fingerprint 0xD397E9BE9E6898FA | |
| Verify that this message is signed using the valid keys: | |
| gpg --verify 2022-11-29-openpgp_key_transition.txt{.sig,} | |
| Delete my old key: | |
| gpg --delete-keys 0xF0A49E6D84E6EEBE |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -----BEGIN PGP SIGNATURE----- | |
| iHUEABYKAB0WIQSQVD0NZ+iFgsvWSvlB1vce5453zQUCY4VhpgAKCRBB1vce5453 | |
| zR78AQChRfqCSRMj+xOjfzwMtVW5S/drdxchMM9ikYvOifxMmwD/UOhb2pJFZz8/ | |
| PdLt4XkVf3rDcQ7D12VyasWMRVvCaAs= | |
| =vexI | |
| -----END PGP SIGNATURE----- | |
| -----BEGIN PGP SIGNATURE----- | |
| iQIzBAABAgAdFiEEgrFKIAnifDLFAbATSfjUrzRjCT8FAmOFYccACgkQSfjUrzRj | |
| CT910A//TW4Eptuc9uocipPmoc0VLZrKilCEoqTfTNKrXTBmCA1Vif+1TAaUY/yt | |
| /ol53oFtrPd7tZ/pPKrBVP1ftmwtGKKlOAs2ll0JJCnkrXVkXyMCBEPMf8jtRXjq | |
| ZQrssiG0Z9A++K6MzWs/vrR0xwW2/a2jsuTIfUjrioH8oIwo9MsduDignENo7w4r | |
| QfkYBSChI88jW+QvljiF2JDdXR+Ei11hQzQoemaNZin7phQQ/6l4Gbe2uRTJab20 | |
| X1aAI3dagUhy/rsK6YO58fIcS8sge/097odMixuPWvDrZ7LTqrtT7Hbt47Zhf6nf | |
| 3CgUH12kMNoOELGwU7yWXxrejpri+trh3/amVx75ASpvxhwjpLncYVBev4HARji8 | |
| 0jJHpBSRqNJRJqjVjk+YcSV3C7HakNqydRVBDPo2170hIuajXI0sE0Z/MeAnb3my | |
| sXv4awdaz8o/Zz8sZoWLbAyadndmRSvsn8z4LN2OCYHpjV7AXxwn80B7q52HxGEX | |
| FBxPfLnT9nDnZweSiI3i43Dl8FneKR7+3QC0D3kmdNoDpXcJh26rZfpUAUthd15T | |
| CVtJdZ3LHtLXP6T/w4yygXoYBL2XHklVDZ1uZMyFkmZZcycTNSf4svWxbvx0wjaZ | |
| KgnuEDAz4KoidzGU2o/V918oIjPSgp/cJ2hTctONxcR4lU8kGE0= | |
| =RsC0 | |
| -----END PGP SIGNATURE----- |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment