... | ... | @@ -6,7 +6,14 @@ |
|
|
- Must be exclusive (not used for regular user data backups etc.)
|
|
|
|
|
|
# Generating a new key pair
|
|
|
- Use a live medium (e.g. the installation medium) on a machine that is not connected to the network
|
|
|
- Use a live medium (e.g. [the installation medium](https://gitlab.archlinux.org/archlinux/archiso)) on a machine that is not connected to the network
|
|
|
- When not using [archiso](https://gitlab.archlinux.org/archlinux/archiso), verify that the version of GnuPG available to you is recent enough by running `gpg --version`. It should be [at least version 2.1.0](https://gnupg.org/download/release_notes.html#sec-1-23) to avoid using the SHA-1 algorithm for signatures, which is no longer considered to be secure. If in doubt, add the following options to `.gnupg/gpg.conf` to force using SHA-512 for digests and avoid all uses of deprecated algorithms such as MD5 or SHA-1:
|
|
|
|
|
|
```
|
|
|
personal-digest-preferences SHA512
|
|
|
cert-digest-algo SHA512
|
|
|
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
|
|
|
```
|
|
|
- Use a future proof algorithm when generating the key pair
|
|
|
- RSA >= 4096 bit
|
|
|
- ECC Curve25519
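Review bot: the `default-preference-list` line in the new gpg.conf snippet still lists `CAST5`, which sits oddly under a paragraph that says the options are there to "avoid all uses of deprecated algorithms"; CAST5 is a legacy 64-bit-block cipher, so either drop it from the list (`default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed`) or say explicitly that the list only targets digest algorithms. Two smaller points in the same hunk: `.gnupg/gpg.conf` should be written as `~/.gnupg/gpg.conf` so readers do not create it relative to whatever directory they are in, and the fenced block would be clearer with a language hint (e.g. ```` ```text ````) since the page already uses fenced code elsewhere.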
|
... | ... | |