New PGP key

Photo of key chain with both physical keys, access card, yubikeys and smartcard

I have created a new encryption key, and will transition away from the old one.

The new setup means that I never have the secret keys on the computers I use day to day. The keys are stored on smartcards, and have only been handled on a computer with no internet connection.

I use both a Yubikey 4 and an actual smartcard myself.

I have made a cryptographically signed confirmation of the transition from the old to the new encryption keys. It can be seen below and downloaded here: /20180612-key-transition-byeskille7B44C24E6BD4E124-to-byeskilleBA3721AF33FB6D2A-signed.txt

My new key is:

4096R/0xBA3721AF33FB6D2A 2016-05-28
[valid to: 2020-06-11]
uid Øyvind Bye Skille <oyvind.bye.skille@nrk.no>
uid Øyvind Bye Skille <oyvind@byeskille.no>
uid Øyvind Bye Skille <oyvind@byeskille.net>

The key fingerprint is: D901 EA75 C112 A105 2AD9 90B3 BA37 21AF 33FB 6D2A

The key can be downloaded here, on Keybase or from a keyserver.

 

//

 

My new PGP setup involves not having the secret keys on my everyday computers. The keys are stored on smartcards, and have only been on offline computers.

I’m using the Yubikey 4 and an actual smartcard.

I have made a key transition statement to confirm the change of keys. It can be viewed below, or downloaded from here: /20180612-key-transition-byeskille7B44C24E6BD4E124-to-byeskilleBA3721AF33FB6D2A-signed.txt

My new key is:

4096R/0xBA3721AF33FB6D2A 2016-05-28
[valid to: 2020-06-11]
uid Øyvind Bye Skille <oyvind.bye.skille@nrk.no>
uid Øyvind Bye Skille <oyvind@byeskille.no>
uid Øyvind Bye Skille <oyvind@byeskille.net>

Fingerprint: D901 EA75 C112 A105 2AD9 90B3 BA37 21AF 33FB 6D2A

The new key can be downloaded here, from Keybase or from a keyserver.

 

Key transition statement:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Date: 2018-06-12

To increase the overall security of my setup, I have started using a new OpenPGP key regularly,
and will be transitioning away from my old one.

I'm transitioning from a more simple setup to a system with master key generated offline,
and where all regular usage is done with subkeys on smartcard.

The old key has not been compromised and will therefore not be revoked.
The old key will expire soon, and I prefer all
future correspondence to come to the new one.

This message is signed by both keys to certify the transition.
I will also introduce the new key to Keybase and other natural places.

The old key was:

pub   4096R0x7B44C24E6BD4E124 2011-06-27
      Key fingerprint = E12F B0A6 293C FEA9 DD83  4A48 7B44 C24E 6BD4 E124

And the new key is:

pub   4096R/0xBA3721AF33FB6D2A 2016-05-28
      Key fingerprint = D901 EA75 C112 A105 2AD9  90B3 BA37 21AF 33FB 6D2A

To fetch the full key from a public key server, you can simply do:

  gpg --keyserver keys.riseup.net --recv-key 'D901EA75C112A1052AD990B3BA3721AF33FB6D2A'

If you already know my old key, you can now verify that the new key is
signed by the old one:

  gpg --check-sigs 'D901EA75C112A1052AD990B3BA3721AF33FB6D2A'

If you don't already know my old key, or you just want to be double
extra paranoid, you can check the fingerprint against the one above:

  gpg --fingerprint 'D901EA75C112A1052AD990B3BA3721AF33FB6D2A'

To verify the integrity of this statement:

  wget -q -O- /20180612-key-transition-byeskille7B44C24E6BD4E124-to-byeskilleBA3721AF33FB6D2A-signed.txt | gpg --verify

Please let me know if you have any questions, or problems, and sorry
for the inconvenience.

Øyvind Bye Skille, Oslo 12th of June 2018
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
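
The two checks the statement asks readers to do by eye (compare the full fingerprint, confirm that the old key has signed the new one) can also be scripted against gpg's machine-readable listing. The following is an added example, not part of the original post; the function names, exit codes and the sample listing are constructed for illustration, and only the two fingerprints come from the statement.

```sh
#!/bin/sh
# Fingerprints copied from the transition statement, spaces removed.
NEW_FPR=D901EA75C112A1052AD990B3BA3721AF33FB6D2A
OLD_FPR=E12FB0A6293CFEA9DD834A487B44C24E6BD4E124

# check_transition NEW_FPR OLD_FPR   (reads a --with-colons --check-sigs listing on stdin)
# Exit 0: fingerprint matches and a certification by the old key verified.
# Exit 2: certification present but the old key is not in the keyring. Exit 1: anything else.
check_transition() {
  awk -F: -v new="$1" -v old="$2" '
    BEGIN { oldid = substr(old, length(old) - 15) }          # long key ID = last 16 hex digits
    $1 == "pub" { primary = 1; next }
    $1 == "fpr" && primary { fpr = $10; primary = 0; next }  # first fpr after pub = primary key
    $1 == "sig" && $5 == oldid && $11 ~ /^1[0-3]/ {          # certification classes 0x10-0x13
      if ($13 != "" && $13 != old) next   # issuer fingerprint (field 13), when gpg reports one
      if ($2 == "!") good = 1             # "!" = signature verified
      else if ($2 == "?") nokey = 1       # "?" = signing key not available
      else bad = 1                        # "-" bad, "%" error, or not checked
    }
    END {
      if (fpr != new) { print "FAIL: fingerprint differs from the statement"; exit 1 }
      if (bad)        { print "FAIL: certification by old key did not verify"; exit 1 }
      if (good)       { print "OK: new key is certified by the old key"; exit 0 }
      if (nokey)      { print "UNVERIFIED: old key missing from keyring"; exit 2 }
      print "FAIL: no certification by the old key"; exit 1
    }'
}

# Constructed sample listing (timestamps, uid text and subkey are made up).
sample_listing() {
  cat <<'EOF'
pub:u:4096:1:BA3721AF33FB6D2A:1464393600:1591833600::u:::scESC:
fpr:::::::::D901EA75C112A1052AD990B3BA3721AF33FB6D2A:
uid:u::::1464393600::::constructed uid::::::::::0:
sig:!::1:BA3721AF33FB6D2A:1464393600::::constructed uid:13x::D901EA75C112A1052AD990B3BA3721AF33FB6D2A:::10:
sig:!::1:7B44C24E6BD4E124:1528761600::::constructed uid:10x::E12FB0A6293CFEA9DD834A487B44C24E6BD4E124:::10:
sub:u:4096:1:0000000000000001:1464393600:1591833600:::::e:
fpr:::::::::0000000000000000000000000000000000000001:
EOF
}

# Real use: gpg --with-colons --check-sigs "$NEW_FPR" | check_transition "$NEW_FPR" "$OLD_FPR"
sample_listing | check_transition "$NEW_FPR" "$OLD_FPR"
```

A result of UNVERIFIED means gpg saw a signature carrying the old key's ID but could not check it, which is the case when the old key has not been imported.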