What to do when your GPG/PGP key expires

Updated . Posted . Visible to the public.

Your GPG client notified you that your keypair will soon expire, or has already expired. Here is what to do.

Are you using Thunderbird?

If you're using the built-in GPG encryption in Thunderbird 78+, you can extend your key from the Thunderbird key manager.

Suggested way: Extend your key expiry Show archive.org snapshot

  1. Find the ID of the expiring key, e.g. with gpg --list-secret-keys. Note your key ID (after the slash).
  2. Start editing the key with gpg --edit-key KEY_ID
  3. View your selected key and subkeys with list
  4. Select the primary key with key 0
  5. Interactively select a new expiry with expire. You'll probably have to unlock your key with its passphrase.
  6. Select the primary subkey with key 1 and repeat step 5.
  7. Inspect the resulting expiries with list.
  8. Issue a save when you're done.
  9. Publish your updated key (as described previously), e.g. gpg --keyserver keyserver.ubuntu.com --send-keys KEY_ID
  10. commit your key as fallback to keys.makandra.de (see here: GPG Public Keys veröffentlichen)

Note that the private key can never expire. In the GPG shell, you can type help for an overview of available commands.

Alternative (discouraged): Creating a new key

  • Create a new key as described in this card and export it.
  • Test your new key by sending an encrypted message to yourself.
  • Replace your public key in our public GPG/PGP keys.

We recommend you extend your existing key instead.

Whether or not to delete your old key

In your own GPG setup you may choose to delete your expired key. You don't need to do this, and you won't be able to open old e-mail that was encrypted with your expired key.

If you want to get rid of your old key:

  • Find your key ID with gpg --list-keys and then use gpg --delete-secret-and-public-keys KEY_ID.
  • Alternatively, in Thunderbird, go to menu "Enigmail" → "Key management", right-click the expired key and choose "Delete key".

Update the key on another machine

In case you use the same public key on multiple machines, you need to update these keys, too. We have a separate card on how to do this.

Check the expiry date of a GPG key without importing it

gpg your.name.asc

pub   rsa2048 2015-04-13 [SC] [expires: 2022-03-25]
      7D328E3BD331444A254828F82ADEW7A971B89A2B6
uid           Your Name <your.name@makandra.de>
sub   rsa2048 2015-04-13 [E] [expires: 2022-03-25]

Send the key to ops

Please export and send your public key to ops@makandra.de so they can update keys.makandra.de. See this card for how to do it

Henning Koch
Last edit
Rebecca
License
Source code in this card is licensed under the MIT License.
Posted by Henning Koch to makandra orga (2013-01-11 10:26)