cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
```
- Use a future-proof algorithm when generating the key pair:
  - RSA >= 4096 bit
  - ECC Curve25519
# Validating a key pair
- Use `sq-keyring-linter` from the `sequoia-keyring-linter` package to perform basic certificate checks, such as flagging certain uses of SHA-1:
```sh
sq-keyring-linter <(gpg --export "${FULL_PGP_FINGERPRINT}")
```
- Use `hokey lint` from the `hopenpgp-tools` package to pretty-print the whole key and check it against best practices. Look through the output for colored warnings or errors.
```sh
hkt export-pubkeys "${FULL_PGP_FINGERPRINT}" --keyring ~/.gnupg/pubring.gpg | hokey lint
```
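The two linters above need the tools installed; the algorithm and key-size rules from the key-generation list (RSA >= 4096 bit, or Curve25519) can also be checked offline from GnuPG's machine-readable output. The following is an added example, not code from the original page or from either linter project. It reads `gpg --with-colons --list-keys` records and applies those two rules; the field positions follow GnuPG's `doc/DETAILS` for `pub`/`sub` records, the function names and the key-id values in the sample records are this example's own, and the sample records are constructed, not exported from a real keyring.

```shell
#!/bin/sh
# Added example, not from the original page: an offline check of key algorithms
# and sizes against the rules above (RSA >= 4096 bit, or Curve25519), run over
# `gpg --with-colons --list-keys` output. Field positions follow GnuPG's
# doc/DETAILS for pub/sub records:
#   $1 record type, $3 key length in bits, $4 algorithm id
#   (1 = RSA, 17 = DSA, 18 = ECDH, 22 = EdDSA), $5 key id, $17 curve name.
# Function and sample names are this example's own.

# Reads colon records on stdin; prints one verdict per key and exits 1 if any
# primary key or subkey falls below the recommendations.
lint_key_algos() {
    awk -F: '
        $1 == "pub" || $1 == "sub" {
            kind = ($1 == "pub") ? "primary" : "subkey"
            if ($4 == 1) {                         # RSA: the modulus size matters
                if ($3 + 0 < 4096) {
                    printf "WEAK %s %s: RSA %d bit (< 4096)\n", kind, $5, $3
                    weak++
                } else {
                    printf "OK   %s %s: RSA %d bit\n", kind, $5, $3
                }
            } else if ($4 == 22 || $4 == 18) {     # EdDSA / ECDH: the curve matters
                if ($17 == "ed25519" || $17 == "cv25519") {
                    printf "OK   %s %s: %s\n", kind, $5, $17
                } else {
                    printf "WARN %s %s: curve %s is not Curve25519\n", kind, $5, $17
                    weak++
                }
            } else {                               # DSA, ElGamal, ECDSA, ...
                printf "WEAK %s %s: algorithm id %s not recommended\n", kind, $5, $4
                weak++
            }
        }
        END { if (weak > 0) exit 1; exit 0 }
    '
}

# Constructed sample records (not real keys); key ids are placeholders.
# Weak: 2048-bit RSA primary with an ed25519 signing subkey.
sample_weak() {
    printf '%s\n' \
        'pub:u:2048:1:0123456789ABCDEF:1500000000:::u:::scESC::::::23::0:' \
        'sub:u:255:22:FEDCBA9876543210:1500000000::::::s:::::ed25519:::0:'
}
# Good: 4096-bit RSA primary with a cv25519 encryption subkey.
sample_good() {
    printf '%s\n' \
        'pub:u:4096:1:1111222233334444:1500000000:::u:::scESC::::::23::0:' \
        'sub:u:255:18:5555666677778888:1500000000::::::e:::::cv25519:::0:'
}

# On a real keyring:
#   gpg --with-colons --list-keys "${FULL_PGP_FINGERPRINT}" | lint_key_algos
sample_weak | lint_key_algos || echo "-> weak sample rejected"
sample_good | lint_key_algos && echo "-> good sample accepted"
```

The check is deliberately narrow: it says nothing about SHA-1 in signatures or expiry, which is what `sq-keyring-linter` and `hokey lint` cover, so it complements rather than replaces them. A non-zero exit makes it easy to wire into a pre-publication script.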
# Revocation Certificate Holder
- Do not store the revocation certificate on a live system
- Back up the revocation certificate to at least one encrypted offline storage medium