Test your PGP key for potential problems

As advances in cryptography and technology move forward, there is a chance that your once-secure system may suddenly be relying on outdated (and perhaps now broken) algorithms or implementations. Some good examples from recent memory are the breaking of the MD5 hash algorithm and the constant problems plaguing the RC4 encryption cipher.

When it comes to PGP, it is well known that short keys, keys generated without a good source of entropy, or keys using outdated implementations and algorithms can be far less secure than you would hope. How can you tell if your key is affected by one of these potential problems? Thankfully, someone has put together a neat tool that checks your key for you.

Start by installing it with

sudo apt-get install hopenpgp-tools

or download the source from here. Then simply run it against your key and have it highlight any concerns. For example, to run it against my current key I would issue the following command:

hkt export-pubkeys '0x8AA0A0CEFEEEFA8F' | hokey lint

For my key in particular it prints out the following results:

[screenshot of the hokey lint output]

All good… except for that darn Self-sig hash algorithm!

As you can see, my key is mostly perfect, although its self-signature uses only SHA-1 as its hash algorithm, which could be better. However, because this is not an immediate security threat, it is something I will correct when generating my next key, when this one expires in 2018. Hopefully your key is problem free!
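The two findings hokey reports most often, a weak self-signature hash like the SHA-1 one above and a short RSA key, can also be checked straight from GnuPG's packet dump. The script below is an added example, not part of the original post or of hopenpgp-tools; it assumes the layout GnuPG 2.x prints for `gpg --export KEYID | gpg --list-packets` and runs on a constructed sample with made-up key IDs.

```python
import re

# OpenPGP hash algorithm IDs to flag (RFC 4880 section 9.4): 1 = MD5, 2 = SHA-1.
WEAK_HASHES = {1: "MD5", 2: "SHA1"}
MIN_RSA_BITS = 2048

# Constructed sample in the layout GnuPG 2.x prints for `gpg --export KEYID | gpg --list-packets`,
# trimmed to the lines the linter reads. Key IDs and digest bytes are made up, not a real key.
SAMPLE_DUMP = """\
:public key packet:
\tversion 4, algo 1, created 1400000000, expires 0
\tpkey[0]: [2048 bits]
\tkeyid: 0123456789ABCDEF
:user ID packet: "Alice Example <alice@example.org>"
:signature packet: algo 1, keyid 0123456789ABCDEF
\tversion 4, created 1400000000, md5len 0, sigclass 0x13
\tdigest algo 2, begin of digest 1a 2b
:public sub key packet:
\tkeyid: FEDCBA9876543210
:signature packet: algo 1, keyid 0123456789ABCDEF
\tversion 4, created 1400000000, md5len 0, sigclass 0x18
\tdigest algo 8, begin of digest 3c 4d
"""

def lint_packets(dump):
    """Return warnings for weak self-signature hashes and short RSA primary keys."""
    warnings, primary_keyid, in_primary, rsa, sig_keyid, sig_class = [], None, False, False, None, None
    for line in (raw.strip() for raw in dump.splitlines()):
        if line.startswith(":public key packet:"):
            in_primary = True
        elif line.startswith(":"):  # any other packet header ends the primary key packet
            in_primary = False
            m = re.match(r":signature packet: algo \d+, keyid ([0-9A-F]+)", line)
            sig_keyid = m.group(1) if m else None  # issuer of the signature body that follows
        elif in_primary:
            if m := re.match(r"version \d+, algo (\d+),", line):
                rsa = int(m.group(1)) == 1  # public-key algorithm 1 is RSA
            elif (m := re.match(r"pkey\[0\]: \[(\d+) bits\]", line)) and rsa:
                if (bits := int(m.group(1))) < MIN_RSA_BITS:  # pkey[0] is the RSA modulus n
                    warnings.append(f"primary RSA key is only {bits} bits (want >= {MIN_RSA_BITS})")
            elif m := re.match(r"keyid: ([0-9A-F]+)", line):
                primary_keyid = m.group(1)
        elif sig_keyid and sig_keyid == primary_keyid:  # signed by the primary key: a self-signature
            if m := re.search(r"sigclass (0x[0-9a-f]+)", line):
                sig_class = m.group(1)
            elif m := re.match(r"digest algo (\d+),", line):
                if name := WEAK_HASHES.get(int(m.group(1))):
                    warnings.append(f"self-signature (sigclass {sig_class}) uses {name}; re-sign with SHA-256 or stronger")
    return warnings
```

On the sample this reports only the SHA-1 certification self-signature; the SHA-256 subkey binding signature passes, and third-party signatures are skipped because their issuer is not the primary key.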
