Generating a new GnuPG Key

I have recently started to become much more involved in the Debian project, maintaining my own package (ulogd2) and doing a couple of uploads to other packages. Debian uses GPG / OpenPGP keys widely for signing the archive, authenticating uploads by developers and so on, so I needed a secure GPG key that I could use for my interactions with Debian.

I have had a key for some time now which has been signed by a handful of people, and is thus reasonably well trusted, but I hadn’t taken the best care to keep it secure. I have no reason to believe the key has been compromised at all, but the fact is that I copied the key around to several of my machines so that I could use it on all of them, and instead of using sub-keys, as is common best practice, I just copied the whole key across. If someone had managed to take a copy of my key and crack its pass-phrase, I would have no choice but to revoke the entire key.
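As an added illustration (not part of the original post), the following POSIX shell script walks through the sub-key practice the paragraph contrasts with copying the whole key: the primary key is generated certify-only in an "offline" keyring, a signing sub-key is added, and only the secret sub-keys are exported into a second "laptop" keyring. In that second keyring GnuPG lists the primary as a stub (`sec#`), yet signing still works. The identity, passphrase (empty, for a non-interactive demo only) and directories are constructed; the script needs `gpg` 2.1 or later and `awk`.

```shell
#!/bin/sh
# Added example, not the post's own commands: keep the primary key offline and
# distribute only sub-keys. Everything runs in throwaway GNUPGHOME directories.
set -eu

UID_STR='Example Developer <dev@example.invalid>'   # constructed identity

# Build the "offline" keyring: a certify-only primary key plus a signing
# sub-key valid for one year. Prints the primary key's fingerprint.
make_offline_key() {
  home="$1"
  mkdir -p "$home" && chmod 700 "$home"
  GNUPGHOME="$home" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$UID_STR" rsa2048 cert never
  fpr=$(GNUPGHOME="$home" gpg --batch --with-colons --list-secret-keys \
        | awk -F: '$1 == "fpr" { print $10; exit }')
  GNUPGHOME="$home" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-add-key "$fpr" rsa2048 sign 1y
  printf '%s\n' "$fpr"
}

# Copy only the secret sub-keys into a second keyring (the "laptop").
# The primary secret key never leaves the offline keyring.
export_subkeys_to() {
  src="$1"; dst="$2"; fpr="$3"
  mkdir -p "$dst" && chmod 700 "$dst"
  GNUPGHOME="$src" gpg --batch --pinentry-mode loopback --passphrase '' \
      --export-secret-subkeys "$fpr" \
    | GNUPGHOME="$dst" gpg --batch --quiet --import 2>/dev/null
}

# In --with-colons output, field 15 of the 'sec' record is '#' when the
# primary secret key is only a stub, which 'gpg -K' renders as 'sec#'.
primary_stub_marker() {
  GNUPGHOME="$1" gpg --batch --with-colons --list-secret-keys \
    | awk -F: '$1 == "sec" { print $15; exit }'
}

# Show that the sub-key-only keyring can still produce and verify a signature.
sign_and_verify() {
  home="$1"; msg=$(mktemp); sig="$msg.sig"
  printf 'constructed upload manifest\n' > "$msg"
  GNUPGHOME="$home" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --detach-sign --output "$sig" "$msg"
  GNUPGHOME="$home" gpg --batch --quiet --verify "$sig" "$msg" 2>/dev/null
}

# Run the whole scenario; prints the stub marker found in the laptop keyring.
demo() {
  work=$(mktemp -d)
  fpr=$(make_offline_key "$work/offline")
  export_subkeys_to "$work/offline" "$work/laptop" "$fpr"
  marker=$(primary_stub_marker "$work/laptop")
  sign_and_verify "$work/laptop"
  gpgconf --homedir "$work/offline" --kill gpg-agent 2>/dev/null || true
  gpgconf --homedir "$work/laptop" --kill gpg-agent 2>/dev/null || true
  printf '%s\n' "$marker"
}
```

Calling `demo` prints `#`, the stub marker: the laptop keyring holds no primary secret key, so it cannot certify other people's keys or create new sub-keys, but it signs fine. If that laptop is lost, the sub-key alone is revoked from the offline keyring (`gpg --edit-key`, then `revkey`) and a fresh sub-key issued; the signatures other people placed on the primary key remain valid, which is exactly the outcome copying the whole key across forfeits.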