Posted over 8 years ago. Visible to the public.

What to do when your GPG/PGP key expires

Your GPG client notified you that your keypair will soon expire, or has already expired. Here is what to do.

Suggested way: Extend your key expiry

  1. Find the ID of the expiring key, e.g. with gpg --list-keys. Note your key ID (after the slash).
  2. Start editing the key with gpg --edit-key KEY_ID
  3. View your selected key and subkeys with list
  4. Select the primary key with key 0
  5. Interactively select a new expiry with expire. You'll probably have to unlock your key with its passphrase.
  6. Select the primary subkey with key 1 and repeat step 5.
  7. Inspect the resulting expiries with list.
  8. Issue a save when you're done.
  9. Publish your updated key (as described previously), e.g. gpg --keyserver keyserver.ubuntu.com --send-keys KEY_ID
  10. Commit your key as fallback to keys.makandra.de (see here)

Note that the private key can never expire. In the GPG shell, you can type help for an overview of available commands.

Alternative (discouraged): Creating a new key

  • Create a new key as described in this card and export it.
  • Test your new key by sending an encrypted message to yourself.
  • Replace your public key in our public GPG/PGP keys.

We recommend you extend your existing key instead.

Whether or not to delete your old key

In your own GPG setup you may choose to delete your expired key. You don't need to do this, and if you do, you will no longer be able to open old e-mail that was encrypted with your expired key.

If you want to get rid of your old key:

  • Find your key ID with gpg --list-keys and then use gpg --delete-secret-and-public-keys KEY_ID.
  • Alternatively, in Thunderbird, go to menu "Enigmail" → "Key management", right-click the expired key and choose "Delete key".

Update the key on another machine

In case you use the same public key on multiple machines, you need to update these keys, too. We have a separate card on how to do this.

Check the expiry date of a GPG key without importing it

gpg your.name.asc
pub   rsa2048 2015-04-13 [SC] [expires: 2022-03-25]
      7D328E3BD331444A254828F82ADEW7A971B89A2B6
uid           Your Name <your.name@makandra.de>
sub   rsa2048 2015-04-13 [E] [expires: 2022-03-25]

Owner of this card: Henning Koch
Last edit: 5 months ago by Dominik Schöler
Posted by Henning Koch to makandra orga