I just updated my GnuPG setup by generating a new key pair from scratch. Unlike last time, I took care to keep my main key private and to use subkeys explicitly for signing and decrypting. Even though this has become common practice, it is quite a challenge to understand the different options and the ways in which different configurations might be better or worse. I took advice from the GNU Privacy Handbook, a recent post by Stephen Josefsson, a Riseup article on best practices, a set of instructions on working strictly from a live OS, and an outdated manual for keysigning parties. Signing strictly offline feels like a hassle, but I’m sure I will get by.
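A quick way to confirm that a keyring actually matches the layout described above (primary key offline, separate subkeys for signing and for decryption) is to audit the machine-readable output of `gpg --list-secret-keys --with-colons`. The following is an added example, not code from the original post or from GnuPG; it assumes the colon-format field numbering documented in GnuPG's `doc/DETAILS` (field 12 for capabilities, field 15 for the `#` stub marker), and the two listings embedded in it are constructed with placeholder key IDs and fingerprints.

```python
"""Audit a GnuPG secret-key listing for an offline primary key and
single-purpose subkeys.

Added example (not from the original post or from GnuPG). Input is the
colon-separated format of `gpg --list-secret-keys --with-colons`. The two
listings at the bottom are constructed; key IDs/fingerprints are placeholders.
"""
import sys
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class SecretKey:
    keyid: str
    bits: int
    caps: str   # this key's own capabilities: c=certify, s=sign, e=encrypt, a=auth
    stub: bool  # True when gpg holds only a stub, i.e. the secret part is offline


@dataclass
class KeyBlock:
    primary: SecretKey
    subkeys: List[SecretKey] = field(default_factory=list)


def _parse_key_record(fields: List[str]) -> SecretKey:
    # Field numbers are 1-based in doc/DETAILS: 3 = key length, 5 = key ID,
    # 12 = capabilities (lowercase = this key's own, uppercase = usable via
    # some key in the block), 15 = token serial number, or '#' for a stub.
    caps = "".join(ch for ch in fields[11] if ch.islower())
    stub = len(fields) > 14 and fields[14] == "#"
    return SecretKey(keyid=fields[4], bits=int(fields[2]), caps=caps, stub=stub)


def parse_secret_listing(text: str) -> List[KeyBlock]:
    """Collect sec/ssb records into one KeyBlock per primary key."""
    blocks: List[KeyBlock] = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "sec":
            blocks.append(KeyBlock(primary=_parse_key_record(f)))
        elif f[0] == "ssb" and blocks:
            blocks[-1].subkeys.append(_parse_key_record(f))
        # fpr/uid/grp records carry nothing this audit needs
    return blocks


def audit(block: KeyBlock) -> List[str]:
    """Return findings; an empty list means the block matches the layout."""
    findings = []
    p = block.primary
    if not p.stub:
        findings.append(f"primary {p.keyid}: secret key is present on this machine "
                        "(expected an offline stub, shown as 'sec#')")
    if "c" not in p.caps:
        findings.append(f"primary {p.keyid}: lacks certify capability")
    daily = set(p.caps) & {"s", "e"}
    if daily:
        findings.append(f"primary {p.keyid}: carries {''.join(sorted(daily))} "
                        "capability; day-to-day use should go through subkeys")
    have = {c for sk in block.subkeys for c in sk.caps}
    for cap, name in (("s", "signing"), ("e", "encryption")):
        if cap not in have:
            findings.append(f"no subkey with {name} capability")
    for sk in block.subkeys:
        if {"s", "e"} <= set(sk.caps):
            findings.append(f"subkey {sk.keyid}: both signs and encrypts; "
                            "use one subkey per purpose")
    return findings


def audit_listing(text: str) -> Dict[str, List[str]]:
    return {b.primary.keyid: audit(b) for b in parse_secret_listing(text)}


# Constructed listing: offline primary (cert-only), one signing and one encryption subkey.
NEW_LISTING = """\
sec:u:4096:1:0000000000000001:1700000000:1800000000::u:::cESC:::#:::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:u::::1700000000::2222222222222222222222222222222222222222::Example User <user@example.invalid>::::::::::0:
ssb:u:4096:1:0000000000000002:1700000000:1800000000:::::s:::::::23:
fpr:::::::::0000000000000000000000000000000000000002:
ssb:u:4096:1:0000000000000003:1700000000:1800000000:::::e:::::::23:
fpr:::::::::0000000000000000000000000000000000000003:
"""

# Constructed listing of the older style: primary key on disk and used for signing.
OLD_LISTING = """\
sec:u:2048:1:0000000000000010:1600000000:::u:::scESC:::::::23::0:
fpr:::::::::0000000000000000000000000000000000000010:
uid:u::::1600000000::3333333333333333333333333333333333333333::Example User <user@example.invalid>::::::::::0:
ssb:u:2048:1:0000000000000011:1600000000::::::e:::::::23:
fpr:::::::::0000000000000000000000000000000000000011:
"""

if __name__ == "__main__":
    # Pass a file containing real `--with-colons` output, or run with no
    # arguments to audit the two constructed listings.
    if len(sys.argv) > 1:
        sources = [(sys.argv[1], open(sys.argv[1]).read())]
    else:
        sources = [("new", NEW_LISTING), ("old", OLD_LISTING)]
    for label, text in sources:
        for keyid, findings in audit_listing(text).items():
            print(f"[{label}] {keyid}: {'OK' if not findings else ''}")
            for item in findings:
                print("   -", item)
```

On a machine holding only the subkeys, `gpg --list-secret-keys` shows the primary as `sec#`, which is the same stub marker the parser reads from field 15; running the script against `gpg --list-secret-keys --with-colons > keys.txt` reports any drift from the intended layout.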

One of the intended improvements I wasn’t able to work out was using different passphrases for my subkeys. I found an email on the GnuPG user mailing list, but its instructions didn’t make it happen, so this remains to be worked out. Stephen Josefsson’s article also triggered some thoughts on more advanced configurations, such as adding a picture and refraining from 64-bit based key sizes. So there are still ways of improving the quality of the configuration, but at the very least this change was a step in the right direction.