What to do when your GPG/PGP key expires
Your GPG client notified you that your keypair will soon expire, or has already expired. Here is what to do.
If you're using the built-in GPG encryption in Thunderbird 78+, you can extend your key from the Thunderbird key manager.
- Find the ID of the expiring key, e.g. with
gpg --list-keys. Note your key ID (after the slash).
- Start editing the key with
gpg --edit-key KEY_ID
- View your selected key and subkeys with
- Select the primary key with
- Interactively select a new expiry with
expire. You'll probably have to unlock your key with its passphrase.
- Select the primary subkey with
key 1and repeat step 5.
- Inspect the resulting expiries with
- Issue a
savewhen you're done.
- Publish your updated key (as described previously), e.g.
gpg --keyserver keyserver.ubuntu.com --send-keys KEY_ID
- commit your key as fallback to keys.makandra.de (see here)
Note that the private key can never expire. In the GPG shell, you can type
help for an overview of available commands.
- Create a new key as described in this card and export it.
- Test your new key by sending an encrypted message to yourself.
- Replace your public key in our public GPG/PGP keys.
We recommend you extend your existing key instead.
In your own GPG setup you may choose to delete your expired key. You don't need to do this, and you won't be able to open old e-mail that was encrypted with your expired key.
If you want to get rid of your old key:
- Find your key ID with
gpg --list-keysand then use
gpg --delete-secret-and-public-keys KEY_ID.
- Alternatively, in Thunderbird, go to menu "Enigmail" → "Key management", right-click the expired key and choose "Delete key".
In case you use the same public key on multiple machines, you need to update these keys, too. We have a separate card on how to do this.
gpg your.name.asc pub rsa2048 2015-04-13 [SC] [expires: 2022-03-25] 7D328E3BD331444A254828F82ADEW7A971B89A2B6 uid Your Name <firstname.lastname@example.org> sub rsa2048 2015-04-13 [E] [expires: 2022-03-25]