pgpfan:gpgburn
Differences
This shows you the differences between two versions of the page.
pgpfan:gpgburn [2021/12/06 02:14] – created b.walzer | pgpfan:gpgburn [2021/12/06 12:10] (current) – Typo. b.walzer | ||
---|---|---|---|
Line 31: | Line 31: | ||
</ | </ | ||
- | Then use the '' | + | Then use the '' |
<code text [highlight_lines_extra=" | <code text [highlight_lines_extra=" | ||
Line 147: | Line 147: | ||
Now export your updated public key (OpenPGP identity) and send it to your correspondents and any appropriate key servers (not shown). At this point you are in the preburning transition phase. You will still be able to decrypt your old messages and any messages from people that have not yet updated your public key in their keyring. You will also be able to decrypt any messages from people that have updated your public key to the new one. If you are not in any hurry there is no reason that this phase can't last months or even years. Messages generated in the transition phase will not be burnt. This would be a good time to look through your old messages for anything that you want to save before burning them. You can probably do this by remailing them to yourself. | Now export your updated public key (OpenPGP identity) and send it to your correspondents and any appropriate key servers (not shown). At this point you are in the preburning transition phase. You will still be able to decrypt your old messages and any messages from people that have not yet updated your public key in their keyring. You will also be able to decrypt any messages from people that have updated your public key to the new one. If you are not in any hurry there is no reason that this phase can't last months or even years. Messages generated in the transition phase will not be burnt. This would be a good time to look through your old messages for anything that you want to save before burning them. You can probably do this by remailing them to yourself. | ||
- | OK, sufficient time has passed, all your correspondents have your new key installed in their keyrings. Thus starts the actual burning. For the demonstration you are going to do a secure delete of the file containing your old encryption subkey. Find the file name using the gpg '' | + | OK, sufficient time has passed, all your correspondents have your new key installed in their keyrings. Thus starts the actual burning. For the demonstration you are going to do a secure delete of the file containing your old encryption subkey. Find the file name using the gpg '' |
<code text [highlight_lines_extra=" | <code text [highlight_lines_extra=" | ||
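Review bot: the secure-delete step in this hunk (Line 147) should carry the caveat that the page only states at Line 244, namely that deleting the private key file even with an overwrite might not be reliable. A reader following the procedure in order reaches "do a secure delete of the file containing your old encryption subkey" before seeing that warning; suggest a short forward reference to the Line 244 note at this point.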
Line 177: | Line 177: | ||
At this point the burn is complete. The old encryption subkey is now useless in practice as well as usage designation and can be removed. Again edit your key and find the old encryption subkey with the '' | At this point the burn is complete. The old encryption subkey is now useless in practice as well as usage designation and can be removed. Again edit your key and find the old encryption subkey with the '' | ||
- | <code text [highlight_lines_extra=" | + | <code text [highlight_lines_extra=" |
jnoakes:~$ gpg --edit-key jane | jnoakes:~$ gpg --edit-key jane | ||
gpg (GnuPG) 2.2.30; Copyright (C) 2021 Free Software Foundation, Inc. | gpg (GnuPG) 2.2.30; Copyright (C) 2021 Free Software Foundation, Inc. | ||
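Review bot: "useless in practice as well as usage designation" in the context at Line 177 is hard to parse. Suggest "useless both in practice and by usage designation", which also ties the sentence to the designation removal that the Line 244 paragraph later describes as insurance.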
Line 197: | Line 197: | ||
</ | </ | ||
- | Select it using the '' | + | Select it using the '' |
<code text [highlight_lines_extra=" | <code text [highlight_lines_extra=" | ||
Line 244: | Line 244: | ||
Removing the encryption designation from your old encryption subkey might not be strictly necessary. GnuPG will automatically select the newest encryption subkey. This behaviour is not part of any standard so the removal of the encryption designation is intended as a form of insurance to cover the case where other OpenPGP implementations have different behaviour. | Removing the encryption designation from your old encryption subkey might not be strictly necessary. GnuPG will automatically select the newest encryption subkey. This behaviour is not part of any standard so the removal of the encryption designation is intended as a form of insurance to cover the case where other OpenPGP implementations have different behaviour. | ||
- | There is no point in redistributing your new cleaned up key produced at the end of the demonstration. Importing that key will not result in a change to your current correspondents keyrings or your key already stored on a key server. That is because the OpenPGP practice is to merge subkeys on an import. That eliminates the complexity of a mechanism exclusively under the control of the key owner to delete subkeys. | + | There is no point in redistributing your new cleaned up key produced at the end of the demonstration. Importing that key will not result in a change to your current correspondents keyrings or your key already stored on a key server. Your old encryption key will remain. That is because the OpenPGP practice is to merge subkeys on an import. That eliminates the complexity of a mechanism exclusively under the control of the key owner to delete subkeys. |
Deleting the private key, even with an overwrite as shown here might not be reliable. See [[em: | Deleting the private key, even with an overwrite as shown here might not be reliable. See [[em: | ||
This process is very manual. There are no GnuPG '' | This process is very manual. There are no GnuPG '' | ||
+ | |||
+ | [[pgpfan: | ||
+ | |||
+ | [[em: | ||
+ | |||
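Review bot: the added sentence "Your old encryption key will remain." should say what remains and where: the public part of the old encryption subkey stays in correspondents' keyrings and on key servers, while its secret part was securely deleted in the Line 147 step, so it can no longer decrypt anything. "key" should also read "subkey" for consistency with the rest of the page. Separately, this paragraph sits uneasily with the one before it: the encryption-designation removal is described as insurance against other OpenPGP implementations choosing the old subkey, yet if the cleaned-up key is never redistributed, correspondents' copies keep the old designation and that insurance covers only the owner's own keyring. Suggest noting that the changed usage flags (a new self-signature, which does merge on import) reach correspondents only if the key is exported after the usage change and before the subkey is deleted.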
pgpfan/gpgburn.1638756867.txt.gz · Last modified: 2021/12/06 02:14 by b.walzer