Your GPG client notified you that your keypair will soon expire, or has already expired. Here is what to do.
Are you using Thunderbird?
If you're using the built-in GPG encryption in Thunderbird 78+, you can extend your key from the Thunderbird key manager.
Suggested way: Extend your key expiry
1. Find the ID of the expiring key, e.g. with
   gpg --list-secret-keys
   Note your key ID (after the slash).
2. Start editing the key with
   gpg --edit-key KEY_ID
3. View your selected key and subkeys with
   list
4. Select the primary key with
   key 0
5. Interactively select a new expiry with
   expire
   You'll probably have to unlock your key with its passphrase.
6. Select the primary subkey with
   key 1
   and repeat step 5.
7. Inspect the resulting expiries with
   list
8. Issue a
   save
   when you're done.
9. Publish your updated key (as described previously), e.g.
   gpg --keyserver keyserver.ubuntu.com --send-keys KEY_ID
10. Commit your key as fallback to keys.makandra.de (see here: GPG Public Keys veröffentlichen)
Note that the private key can never expire. In the GPG shell, you can type help for an overview of available commands.
Alternative (discouraged): Creating a new key
- Create a new key as described in this card and export it.
- Test your new key by sending an encrypted message to yourself.
- Replace your public key in our public GPG/PGP keys.
We recommend you extend your existing key instead.
Whether or not to delete your old key
In your own GPG setup you may choose to delete your expired key. You don't need to do this, and if you do, you won't be able to open old e-mail that was encrypted with your expired key.
If you want to get rid of your old key:
- Find your key ID with
  gpg --list-keys
  and then use
  gpg --delete-secret-and-public-keys KEY_ID
- Alternatively, in Thunderbird, go to menu "Enigmail" → "Key management", right-click the expired key and choose "Delete key".
Update the key on another machine
In case you use the same public key on multiple machines, you need to update these keys, too. We have a separate card on how to do this.
Check the expiry date of a GPG key without importing it
gpg your.name.asc
pub rsa2048 2015-04-13 [SC] [expires: 2022-03-25]
7D328E3BD331444A254828F82ADEW7A971B89A2B6
uid Your Name <your.name@makandra.de>
sub rsa2048 2015-04-13 [E] [expires: 2022-03-25]
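To see at a glance which primary keys and subkeys need the extension steps, the same expiry information can be read from gpg's machine-readable colon listing. This is an added example, not part of the original card: the function names, the sample listing and its key IDs are constructed, and it assumes the expiry field (field 7) holds epoch seconds as GnuPG 2.x prints them.

```shell
#!/bin/sh
# Added example: classify every primary key and subkey in a GnuPG colon
# listing as EXPIRED, expiring-soon, ok or no-expiry.
# Usage: expiry_report NOW_EPOCH WARN_DAYS < colon-listing
# Assumption: field 7 (expiry) is in epoch seconds, as GnuPG 2.x prints it.
expiry_report() {
    awk -F: -v now="$1" -v warn="$2" '
        $1 == "pub" || $1 == "sub" {
            if ($7 == "") {              # empty field: key never expires
                print $1, $5, "no-expiry", "-"
                next
            }
            left = $7 - now              # seconds until expiry
            if (left <= 0)                 status = "EXPIRED"
            else if (left <= warn * 86400) status = "expiring-soon"
            else                           status = "ok"
            # columns: record type, key ID, status, whole days left
            print $1, $5, status, int(left / 86400)
        }'
}

# Constructed sample listing (key IDs are placeholders, not real keys).
# 1428883200 = 2015-04-13 UTC, 1648166400 = 2022-03-25 UTC.
sample_listing() {
    cat <<'EOF'
pub:u:2048:1:1111111111111111:1428883200:1648166400::u:::scESC:
uid:u::::1428883200::0000000000000000000000000000000000000000::Your Name <your.name@example.com>:
sub:u:2048:1:2222222222222222:1428883200:1648166400:::::e:
sub:e:2048:1:3333333333333333:1428883200:1640000000:::::s:
sub:u:2048:1:4444444444444444:1428883200::::::a:
EOF
}

# Offline demo with a fixed clock (1646000000 is late February 2022).
sample_listing | expiry_report 1646000000 30

# Real use against your keyring:
#   gpg --list-keys --with-colons KEY_ID | expiry_report "$(date +%s)" 30
# For a key file that is not imported, recent GnuPG 2.2 versions accept:
#   gpg --show-keys --with-colons your.name.asc | expiry_report "$(date +%s)" 30
```

Any line reported as EXPIRED or expiring-soon names a key or subkey that still needs a new expiry set in the edit-key session.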
Send the key to ops
Please export and send your public key to ops@makandra.de so they can update keys.makandra.de. See this card for how to do it.