How to renew an expired keypair with gpg

What is the best way to renew a gpg key pair when it got expired and what is the reason for the method?

The key pair is already signed by many users and available on public servers.

  • Should the new key be a subkey of the expired private key?

  • Should it be signed by the old (I could try to edit the key and change the date of expiration to tomorrow)?

  • Should the new key sign the old?

Asked By: Jonas Stein

||

Private keys never expire. Only public keys do. Otherwise, the world would never notice the expiration as (hopefully) the world never sees the private keys.

For the important part, there is only one way, so that saves a discussion about pros and cons.

You have to extend the validity of the main key:

gpg --edit-key 0x12345678
gpg> expire
...
gpg> save

You have to make a decision about extending validity of vs. replacing the subkey(s). Replacing them gives you limited forward security (limited to rather large time frames). If that is important to you then you should have (separate) subkeys for both encryption and signing (the default is one for encryption only).

gpg --edit-key 0x12345678
gpg> key 1
gpg> expire
...
gpg> key 1
gpg> key 2
gpg> expire
...
gpg> save

You need key 1 twice for selecting and deselecting because you can extend the validity of only one key at a time.

You could also decide to extend the validity unless you have some reason to assume the key has been compromised. Not throwing the whole certificate away in case of compromise makes sense only if you have an offline main key (which IMHO is the only reasonable way to use OpenPGP anyway).

The users of your certificate have to get its updated version anyway (either for the new key signatures or for the new key(s)). Replacing makes the key a bit bigger but that is not a problem.

If you use smartcards (or plan to do so) then having more (encryption) keys creates a certain inconvenience (a card with the new key cannot decrypt old data).

Answered By: Hauke Laging

It seems you mixed up two things: replacing the old keypair with a new one, and changing expiry date.

Basically, there should be no need to create a new keypair: if you still have the old one, you can “extend” its lifetime by changing expiry date and publishing updated key. This is completely normal and expected.

The deal with expiration date is to make sure that if you loose your key (e.g. forget the passphrase – I’m not talking about the key getting compromised, in that case you’d want to revoke it immediately) it won’t keep dangling in the open forever.

Answered By: Jan WarchoĊ‚

Adding to "Hauke Linging"s answer, there is an option available from gpg 2.1.22* onward where you can extend a primary key or its non-revoked, non-expired subkeys with a single non-interactive command.

It has 3 forms (the first parameter is always the key-fingerprint, and the second is always the expiry period, eg. 8w for 8 weeks):

  • 2 parameters: extend secret key by period
  • 3 parameters where the 3rd is an asterisk (*): expire all non-revoked, non-expired subkeys of the primary secret key
  • 3 or more parameters where the 3rd onward are specific subkey fingerprints: expire the specified subkeys of the primary secret key

Example for the *-form:

gpg --quick-set-expire <1> <2> <3>

meaning:

<1> fingerprint of your key (from gpg --list-secret-keys)
<2> how long you would like to extend the expiration period
<3> * is for every subkey e.g.:

gpg --quick-set-expire 7BCDED693SECRETKEY1552ACB71237 7w *

* --quick-set-expire is available for primary keys only from version 2.1.17.

Answered By: MacMartin
Categories: Answers Tags: ,
Answers are sorted by their score. The answer accepted by the question owner as the best is marked with
at the top-right corner.