Posted over 9 years ago. Visible to the public.

What to do when your GPG/PGP key expires

Your GPG client notified you that your keypair will soon expire, or has already expired. Here is what to do.

Are you using Thunderbird?

If you're using the built-in GPG encryption in Thunderbird 78+, you can extend your key from the Thunderbird key manager.

Suggested way: Extend your key expiry Archive

  1. Find the ID of the expiring key, e.g. with gpg --list-secret-keys. Note your key ID (after the slash).
  2. Start editing the key with gpg --edit-key KEY_ID
  3. View your selected key and subkeys with list
  4. Select the primary key with key 0
  5. Interactively select a new expiry with expire. You'll probably have to unlock your key with its passphrase.
  6. Select the primary subkey with key 1 and repeat step 5.
  7. Inspect the resulting expiries with list.
  8. Issue a save when you're done.
  9. Publish your updated key (as described previously), e.g. gpg --keyserver --send-keys KEY_ID
  10. commit your key as fallback to (see here)

Note that the private key can never expire. In the GPG shell, you can type help for an overview of available commands.

Alternative (discouraged): Creating a new key

  • Create a new key as described in this card and export it.
  • Test your new key by sending an encrypted message to yourself.
  • Replace your public key in our public GPG/PGP keys.

We recommend you extend your existing key instead.

Whether or not to delete your old key

In your own GPG setup you may choose to delete your expired key. You don't need to do this, and you won't be able to open old e-mail that was encrypted with your expired key.

If you want to get rid of your old key:

  • Find your key ID with gpg --list-keys and then use gpg --delete-secret-and-public-keys KEY_ID.
  • Alternatively, in Thunderbird, go to menu "Enigmail" → "Key management", right-click the expired key and choose "Delete key".

Update the key on another machine

In case you use the same public key on multiple machines, you need to update these keys, too. We have a separate card on how to do this.

Check the expiry date of a GPG key without importing it

gpg pub rsa2048 2015-04-13 [SC] [expires: 2022-03-25] 7D328E3BD331444A254828F82ADEW7A971B89A2B6 uid Your Name <> sub rsa2048 2015-04-13 [E] [expires: 2022-03-25]

Send the key to ops

Please export and send your public key to so they can update See this card for how to do it

Does your version of Ruby on Rails still receive security updates?
Rails LTS provides security patches for unsupported versions of Ruby on Rails (2.3, 3.2, 4.2 and 5.2).

Owner of this card:

Henning Koch
Last edit:
5 days ago
by Florian Heinle
About this deck:
We are makandra and do test-driven, agile Ruby on Rails software development.
License for source code
Posted by Henning Koch to makandra orga
This website uses short-lived cookies to improve usability.
Accept or learn more