summaryrefslogtreecommitdiff
path: root/debian/Upgrading_From_PGP.txt
diff options
context:
space:
mode:
Diffstat (limited to 'debian/Upgrading_From_PGP.txt')
-rw-r--r--debian/Upgrading_From_PGP.txt76
1 files changed, 76 insertions, 0 deletions
diff --git a/debian/Upgrading_From_PGP.txt b/debian/Upgrading_From_PGP.txt
new file mode 100644
index 0000000..bce0559
--- /dev/null
+++ b/debian/Upgrading_From_PGP.txt
@@ -0,0 +1,76 @@
+For a long time I have wanted to switch from using PGP 2.x to using GPG
+(because it's Free). But I didn't want to give up my trusty PGP key,
+which has a long history and has gathered a lot of signatures that
+I would have trouble getting again.
+
+Now that the RSA patent has expired, GPG comes with RSA support
+by default. This means that it's actually possible to convert
+your PGP key to a GPG key, and use it normally with GPG. You
+will not need gpg-idea or any other non-free component.
+
+The steps are quite easy. I wrote them down here, because I expect
+that a number of Debian maintainers are in the same situation
+and can benefit from this advice.
+
+Note that the GPG FAQ contains a section about the same thing,
+but it's aimed at maintaining compatibility with PGP 2.x.
+The procedure I describe here is designed solely to switch
+to GPG without giving up your PGP key. It will not let you
+exchange encrypted mail with someone who still uses (only) PGP 2.x.
+But if you ever need to do that, you can pull out your old copy
+of PGP for that -- it's the same key!
+
+Here are the steps:
+
+ 0. Make sure your version of GPG supports RSA. You should be
+ okay if you have GPG 1.0.3 or newer. I used GPG 1.0.4 myself.
+
+ 1. Back up your .pgp directory, and your .gnupg directory (if any).
+ Note: I started with an empty .gnupg directory for this.
+ If you already have a GPG ring with a set of keys, you'll
+ end up having two keys with probably the same userids.
+ That won't break anything, but it can be confusing and it
+ is easy to accidentally use the wrong key.
+
+ 2. Remove the passphrase from your PGP secret key. This is necessary
+ because the secret key is protected using the IDEA algorithm, and
+ IDEA is still patented so GPG does not support it.
+ Command:
+ pgp -ke userid
+ where userid is what you use to access your key, usually your name
+ or email address. Just hit Enter when PGP asks for the new
+ passphrase.
+
+ 3. Import your secret and public keys into GPG.
+ Command:
+ gpg --import $HOME/.pgp/secring.pgp $HOME/.pgp/pubring.pgp
+ There doesn't seem to be a way to tell GPG to import only selected
+ keys from those files, so you may want to first use PGP to export
+ your keys to a small keyring. (Do not use ASCII armor for that.)
+ I simply imported all the keys, because I wanted to convert to using
+ GPG for everything.
+
+ 4. Re-protect your secret key with a passphrase.
+ You removed the passphrase in step 2, you can now put it back.
+ Command:
+ gpg --edit-key userid
+ GPG will tell you what key you accessed and prompt you to do
+ something with it. Tell it "passwd" to change the passphrase.
+
+ 5. Check if everything worked. Sign and encrypt a small file,
+ mail it to a friend, see if you can decrypt something mailed
+ to you, upload a Debian package, that sort of thing.
+
+ 6. Clean up the backups. Remember, you un-protected your PGP key.
+ It's still not protected, and it's the same key you are now using
+ with GPG. Make sure no one can get at it. You can restore
+ the backup, or run pgp -ke again, or -- if you don't plan to ever
+ use PGP again -- delete the key. There is a program in fileutils
+ called "shred" which may help with this.
+
+Well, I hope this helps someone. I wrote this down after exactly one
+experience with converting keys -- I'd love to have feedback from
+someone else who tried it.
+
+Richard Braakman
+with tips from Adam Rogoyski, Marco d'Itri, and Andrew Pimlott.