After 8 years, I’ve decided to transition from my original GPG key and replace it with one that uses a stronger master key that meets NIST guidelines.
Over 8 years ago–probably while lounging in my tiny dorm room in engineering school–I decided that I wanted the ability to communicate with my friends & family privately. I decided that I wanted the ability to encrypt my emails. I decided to generate a gpg key.
In 2009–4 years before Edward Snowden unveiled that the US government was violating their own constitution by collecting & storing the internet activity of hundreds of millions of innocent US citizens–I generated & published my first gpg keypair. Since those teenage years, I graduated college with degrees in Computer Science and Secure Computing & Networking, worked for major tech firms, and began working for the best independent journalism outlet in the US–Democracy Now!
Though my colleagues, friends, & family infrequently used my gpg key in the past (don’t tell the NSA!), I finally work with a great team of people that take security seriously, and I’m using gpg to sign & encrypt my daily work emails.
Unfortunately, my original master key was generated using gpg’s defaults at the time–which used the Digital Signature Algorithm (DSA) with a 1024-bit key. This became “Disallowed” by NIST in November 2011.
So today I release my new RSA 4096-bit gpg key to the world & publish the following “GPG Key Transition Statement” — which is cryptographically signed with both my old key & my new key.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512,SHA1

Date: 2017-10-01

I have recently set up a new OpenPGP key & will be transitioning away from my old one.

The old key will continue to be valid for some time, but I prefer all future correspondence to come to the new one. I would also like this new key to be re-integrated into the web of trust. This message is signed by both keys to certify the transition.

The old key was:

    pub   dsa1024/0x1EF168D268C40535 2009-01-21 [SC] [expires: 2017-10-10]
          Key fingerprint = B162 9E1F 1737 EC4F 74C9 E923 1EF1 68D2 68C4 0535

And the new key is:

    pub   rsa4096/0xFE1B84494E640D41 2017-09-30 [SC] [expires: 2018-10-01]
          Key fingerprint = 0465 E42F 7120 6785 E972 644C FE1B 8449 4E64 0D41

To fetch the full key from a public key server, you can simply do:

    gpg --keyserver pool.sks-keyservers.net --recv-key '0465 E42F 7120 6785 E972 644C FE1B 8449 4E64 0D41'

If you already know my old key, you can now verify that the new key is signed by the old one:

    gpg --check-sigs '0465 E42F 7120 6785 E972 644C FE1B 8449 4E64 0D41'

If you don't already know my old key, or you just want to be double extra paranoid, you can check the fingerprint against the one above:

    gpg --fingerprint '0465 E42F 7120 6785 E972 644C FE1B 8449 4E64 0D41'

If you are satisfied that you've got the right key, and the UIDs match what you expect, I'd appreciate it if you would sign my key. You can do that by issuing the following command:

    gpg --sign-key '0465 E42F 7120 6785 E972 644C FE1B 8449 4E64 0D41'

Note: My key should have at least two UIDs:

[1] An ephemeral email address. This is where I actually send & receive mail, but it changes on occasion (ie: due to spam, service shutdown, distrust in provider, etc).

[2] My permanent email address is michael@michaelaltfield.net. Even if this account is ignored (ie: due to spam), this is the email address associated with my permanent UID tied to my gpg key. Therefore, if you only want to sign one UID, please sign this one.

I'd like to receive your signatures on my key. After signing my key, please send me an email with my public key attached. You can export my public key that was signed by you by issuing the following command:

    gpg -a --export '0465 E42F 7120 6785 E972 644C FE1B 8449 4E64 0D41' > pubkey.asc

Additionally, I highly recommend that you implement a mechanism to keep your key material up-to-date so that you obtain the latest revocations, and other updates in a timely manner.

I also highly recommend checking out:

 * https://riseup.net/openpgp/best-practices

Please let me know if you have any questions, or problems, and sorry for the inconvenience.

Cheers,

Michael Altfield
https://www.michaelaltfield.net
PGP Fingerprint: 0465 E42F 7120 6785 E972 644C FE1B 8449 4E64 0D41

Note: If you cannot reach me via email, please check to see if I have changed my email address by visiting my website at https://email.michaelaltfield.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

-----END PGP SIGNATURE-----
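The checks the statement asks correspondents to make (`--check-sigs` and `--fingerprint`) can be automated over gpg's machine-readable `--with-colons` output. The following is an added example, not part of the original post or the signed statement: the `SAMPLE` listing is constructed for illustration, and `check_transition` is a hypothetical helper name.

```python
# Parses captured `gpg --check-sigs --with-colons <fingerprint>` output.
# SAMPLE is a constructed listing (timestamps illustrative); the fingerprint
# and key IDs are the ones quoted in the transition statement.
NEW_FPR = "0465 E42F 7120 6785 E972 644C FE1B 8449 4E64 0D41"
OLD_KEYID = "1EF168D268C40535"
ALGOS = {"1": "RSA", "17": "DSA"}          # OpenPGP public-key algorithm IDs
CERT_CLASSES = {"10", "11", "12", "13"}    # UID certification signature classes
UID = "Michael Altfield <michael@michaelaltfield.net>"

SAMPLE = f"""\
pub:u:4096:1:FE1B84494E640D41:1506729600:1538352000::u:::scESC:
fpr:::::::::0465E42F71206785E972644CFE1B84494E640D41:
uid:u::::1506729600::::{UID}:
sig:!::1:FE1B84494E640D41:1506729600::::{UID}:13x:
sig:!::17:1EF168D268C40535:1506816000::::{UID}:13x:
"""


def check_transition(colons, new_fpr=NEW_FPR, old_keyid=OLD_KEYID):
    """Hypothetical helper: the checks to make before signing the new key."""
    want = new_fpr.replace(" ", "").upper()
    out = {"fingerprint_ok": False, "signed_by_old_key": False,
           "old_sig_status": None, "algo": None, "bits": None}
    prev = None
    for line in colons.splitlines():
        f = line.split(":") + [""] * 12         # pad so short lines index safely
        if f[0] == "pub":                       # primary key: field 3 bits, 4 algo
            out["bits"] = int(f[2])
            out["algo"] = ALGOS.get(f[3], f"algo-{f[3]}")
        elif f[0] == "fpr" and prev == "pub":   # fingerprint of the primary key
            out["fingerprint_ok"] = f[9].upper() == want
        elif (f[0] == "sig" and f[4].upper() == old_keyid.upper()
              and f[10][:2] in CERT_CLASSES):
            # Field 2: "!" verified, "-" bad, "?" signer's key not in keyring.
            out["old_sig_status"] = f[1]
            out["signed_by_old_key"] = out["signed_by_old_key"] or f[1] == "!"
        prev = f[0]
    return out


if __name__ == "__main__":
    print(check_transition(SAMPLE))
```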
My current PGP Public Key can be downloaded here:
It is also available from most keyservers:
Related Resources
- https://riseup.net/en/security/message-security/openpgp/key-transition
- https://riseup.net/en/gpg-best-practices
- http://ekaia.org/blog/2009/05/10/creating-new-gpgkey/