The quick and full generate options can also be used in a batch mode as documented in the man page. Let's describe the options on the full generate option:

$ gpg --full-generate-key

The first question is what kind of key algorithm you want. Unless you have a company policy that specifies otherwise, choose the default of RSA and RSA for your multi-use or email exchange key pair.

Next is the key length. Longer is not always better, but I would definitely go with 2048 or 4096. The Fedora and Red Hat security keys we imported in the last article are both 4096 bits in length.

The next prompt is "Please specify how long the key should be valid." Check company policies for how long the key should be valid, then consider your security habits as well. Notice the default is "does not expire." I usually go with years for an email key. For signing keys, I think about the expected lifetime of the objects I am signing. If you don't expire the key, it is never automatically revoked even if the private key is compromised. If you do expire the key, you need a plan to update and rotate keys before the expiration.
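As an added example (not from the original article), here is the batch-mode equivalent of the choices above: a parameter file for an RSA/RSA 4096 key with a two-year expiry, generated in a throwaway GNUPGHOME, plus a small audit that flags keys with no expiration date by reading the `pub` records of gpg's `--with-colons` output. The name, e-mail and expiry are constructed values; `%no-protection` is used only because the demo key is disposable.

```shell
#!/bin/sh
set -eu

# Write the parameter file consumed by `gpg --batch --generate-key`.
# Constructed example identity; a real key would set a passphrase instead
# of %no-protection (or omit it and be prompted).
write_batch_params() {
    cat > "$1" <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: Example Signer
Name-Email: signer@example.org
Expire-Date: 2y
%commit
EOF
}

# Classify one `pub` record from `gpg --list-keys --with-colons`.
# Field 4 is the algorithm (1 = RSA), field 6 the creation epoch and
# field 7 the expiry epoch; an empty field 7 means "does not expire".
expiry_status() {
    printf '%s\n' "$1" |
        awk -F: '$1 == "pub" { print ($7 == "" ? "never" : "expires") }'
}

# Print the key IDs of every public key in a keyring that never expires,
# i.e. the keys that need a manual revocation plan if compromised.
keys_without_expiry() {
    gpg --homedir "$1" --list-keys --with-colons 2>/dev/null |
        awk -F: '$1 == "pub" && $7 == "" { print $5 }'
}

# Full flow in a temporary home directory so the real keyring is untouched.
generate_example_key() {
    dir=$(mktemp -d)
    chmod 700 "$dir"
    write_batch_params "$dir/params"
    gpg --homedir "$dir" --batch --generate-key "$dir/params" 2>/dev/null
    echo "Keys without expiry (expected: none):"
    keys_without_expiry "$dir"
    gpg --homedir "$dir" --list-keys --with-colons |
        awk -F: '$1 == "pub" { print "key " $5 " expires at epoch " $7 }'
}

# Generation needs gpg and some entropy, so only run it when asked.
if [ "${1:-}" = "generate" ]; then generate_example_key; fi
```

Invoke the script with `generate` to create the demo key; the audit function can be pointed at any GNUPGHOME to list keys that will never expire on their own.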