
New GPG Key

I went to send an email the other day and I was halted when I discovered that my key had expired. I can’t believe that I’ve been using GPG for 6 months, but the time had come to generate a new keypair.

This post outlines the process to generate a new keypair once your old keypair has expired.

The following command lists your private/secret keys, including each key's expiration date.

$ gpg --list-secret-keys
sec   1024D/0884BC5C 2008-07-23 [expires: 2009-01-19]
uid                  Michael Altfield 
ssb   2048g/EC0F0721 2008-07-23

You can see from the above output that my key (with the ID of: 0884BC5C) expired on January 19th, 2009.

----
EDIT:

It was brought to my attention (thank you Victor Escudero) that, except in rare circumstances, you should not create a new key when your old key expires. Instead, you should simply extend the life of your current key. The expiration date is just a self-signature on the key, so it can be changed (even after the date has passed) as long as you still hold the secret key, and you keep your key ID, the signatures other people have made on it, and the web of trust built on them. Two things to watch: `expire` only changes the key currently selected, so in the session below only the primary key is extended while the encryption subkey (9040F433) keeps its 2009-07-20 date (select it with `key 1` and run `expire` again), and the new expiration is invisible to your correspondents until you redistribute the updated public key (re-send it or upload it to a keyserver). The session looks as follows:

$ gpg --edit-key 0884BC5C
gpg (GnuPG) 2.0.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  1024D/68C40535  created: 2009-01-21  expires: 2009-07-20  usage: SC  
                     trust: ultimate      validity: ultimate
sub  2048g/9040F433  created: 2009-01-21  expires: 2009-07-20  usage: E   
[ultimate] (1). Michael Altfield 

Command> expire
Changing expiration time for the primary key.
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Sun 20 Jun 2010 10:28:12 AM EDT
Is this correct? (y/N) y

You need a passphrase to unlock the secret key for
user: "Michael Altfield "
1024-bit DSA key, ID 68C40535, created 2009-01-21

can't connect to `/home/guttersnipe/.gnupg/S.gpg-agent': No such file or directory
gpg: Invalid passphrase; please try again ...

You need a passphrase to unlock the secret key for
user: "Michael Altfield "
1024-bit DSA key, ID 68C40535, created 2009-01-21


pub  1024D/68C40535  created: 2009-01-21  expires: 2010-06-20  usage: SC  
                     trust: ultimate      validity: ultimate
sub  2048g/9040F433  created: 2009-01-21  expires: 2009-07-20  usage: E   
[ultimate] (1). Michael Altfield 

Command> save
Save changes? (y/N) y
$
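The following script is an added example and is not part of the original post. It does the two things the interactive session above does by hand: it reads GnuPG's machine-readable (`--with-colons`) listing to report which keys and subkeys have expired, and it extends the expiry of a primary key together with all of its subkeys (the session above only extended the primary key; the encryption subkey kept its old date). It assumes GnuPG 2.1.22 or later, which added `--quick-set-expire`; the GnuPG 2.0.9 shown in the post needs the `--edit-key` route. The sample listing, key IDs, fingerprints and the address user@example.com are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. Report key/subkey expiry from a
# GnuPG --with-colons listing and extend a primary key AND all of its subkeys.
# Assumes GnuPG >= 2.1.22 (--quick-set-expire); the post's 2.0.9 cannot do this.
set -e

# Read --with-colons records on stdin and print "<type> <keyid> <expiry> <status>"
# for every pub/sec/sub/ssb record. Field 7 is the expiry in seconds since the
# epoch (empty = never); field 2 is GnuPG's own validity letter ('e' = expired),
# which is trusted first. Argument 1 overrides "now"; default is the current time.
key_expiry_report() {
    awk -F: -v now="${1:-$(date +%s)}" '
        $1 == "pub" || $1 == "sec" || $1 == "sub" || $1 == "ssb" {
            expiry = $7; status = "ok"
            if ($2 == "e")                { status = "expired" }
            else if (expiry == "")        { status = "never" }
            else if (expiry + 0 < now)    { status = "expired" }
            if (expiry == "") expiry = "never"
            print $1, $5, expiry, status
        }'
}

# Print the fingerprints belonging to KEYID: primary first, then each subkey.
# In a colon listing every key record is followed by an fpr record whose
# field 10 is the 40-hex-digit fingerprint.
key_fingerprints() {
    gpg --batch --with-colons --with-subkey-fingerprint --list-secret-keys "$1" \
        | awk -F: '$1 == "fpr" { print $10 }'
}

# Extend primary key KEYID and all of its subkeys by PERIOD (GnuPG syntax:
# 1y, 6m, 90d; 0 = never). --quick-set-expire takes the primary fingerprint,
# the period, and optionally the fingerprint of the subkey to change.
extend_expiry() {
    keyid=$1; period=$2
    set -- $(key_fingerprints "$keyid")
    primary=$1; shift
    gpg --batch --quick-set-expire "$primary" "$period"
    for sub in "$@"; do
        gpg --batch --quick-set-expire "$primary" "$period" "$sub"
    done
    # The new expiry is a fresh self-signature: nobody sees it until you
    # redistribute the public key (keyserver upload or re-send it).
    gpg --batch --armor --export "$primary"
}

# Constructed sample listing (not real GnuPG output): the first key mirrors the
# post's expired 2008 key, the second has no expiry. Key IDs, fingerprints and
# the e-mail address are made up; dates are 2008-07-23 / 2009-01-19 as epoch.
SAMPLE='sec:e:1024:17:1A2B3C4D0884BC5C:1216771200:1232323200::u:::scESC:::+:::23::0:
fpr:::::::::ABCDEF0123456789ABCDEF011A2B3C4D0884BC5C:
uid:e::::1216771200::0123456789ABCDEF0123456789ABCDEF01234567::Michael Altfield <user@example.com>::::::::::0:
ssb:e:2048:16:00112233EC0F0721:1216771200:1232323200:::::e:::+:::23:
fpr:::::::::ABCDEF0123456789ABCDEF0200112233EC0F0721:
sec:u:4096:1:4455667788990011:1232582400::::::scESC:::+:::23::0:
fpr:::::::::ABCDEF0123456789ABCDEF034455667788990011:
uid:u::::1232582400::89ABCDEF0123456789ABCDEF0123456789ABCDEF::Michael Altfield <user@example.com>::::::::::0:'

# Usage against a real keyring (needs gpg and the secret key):
#   gpg --batch --with-colons --list-secret-keys | key_expiry_report
#   extend_expiry 0884BC5C 1y
# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE" | key_expiry_report
```

`key_expiry_report` accepts an explicit "now" as its first argument so the check can be run against a fixed date; with the real keyring, the pipeline in the usage comment is enough to spot the subkey that the interactive `expire` left behind.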


----

If you do need a brand-new keypair (see the edit above for why extending is usually better), issue the following command. The 1024-bit DSA key it produced here was the default of GnuPG 2.0.9 in 2009; current GnuPG versions default to stronger algorithms and larger sizes, and 1024-bit DSA should not be used for new keys.

$ gpg --gen-key

When you finish, re-run `gpg --list-secret-keys` to see the change.

sec   1024D/0884BC5C 2008-07-23 [expires: 2009-01-19]
uid                  Michael Altfield 
ssb   2048g/EC0F0721 2008-07-23

sec   1024D/68C40535 2009-01-21 [expires: 2009-07-20]
uid                  Michael Altfield 
ssb   2048g/9040F433 2009-01-21

The new key appears. Note the new key’s ID (here it’s 68C40535).

Of course, every GPG user should store their keys and a revocation certificate in a safe place. The revocation certificate is what lets you declare the key dead if you ever lose the secret key or forget its passphrase; since anyone who holds it can revoke your key, guard it like the secret key itself. Run the following commands to generate these files.

Note: replace 68C40535 with your new key ID (as determined above).

gpg -a --output pubkey.asc --export 68C40535
gpg -a --output prikey.asc --export-secret-key 68C40535
gpg --output revoke.asc --gen-revoke 68C40535

Now, store these files on some cheap, portable media (CD/thumbdrive/SD card/etc), and hide it away somewhere safe. Once this has been done, be sure to shred (not just delete) your private key and revocation certificate; you don't want anyone to get their hands on these files. Be aware that shred only helps on filesystems that overwrite data in place: on journaling, copy-on-write (btrfs, ZFS) or SSD-backed storage the old blocks may survive, so it is safer to write the exports directly onto the removable media than to rely on shredding a copy on your working disk.

shred -u prikey.asc
shred -u revoke.asc
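As an added example (not the post's own commands), here is the generate-and-back-up procedure above done without the interactive prompts: a GnuPG batch parameter file drives `--gen-key`, and the public key, secret key and revocation certificate are exported straight onto the backup media so no plaintext copy needs to be shredded afterwards. It assumes GnuPG 2.1 or later, where batch generation lets the agent ask for the passphrase; the RSA-4096 choice, the address user@example.com and the mount point /media/keybackup are this example's assumptions, not values from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Unattended key generation from a
# GnuPG batch parameter file, plus export of the backup files to offline media.
# Assumes GnuPG >= 2.1. Algorithm/size are this example's choice, not the
# 1024-bit DSA default the post's GnuPG 2.0.9 produced.
set -e

# Emit a batch parameter file for "NAME <EMAIL>", valid for EXPIRE (e.g. 1y;
# 0 = never). Without %no-protection, GnuPG 2.1+ asks pinentry for a passphrase,
# so the secret key is never stored unprotected.
gen_params() {
    cat <<EOF
%echo Generating a signing primary key with an encryption subkey
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 4096
Subkey-Usage: encrypt
Name-Real: $1
Name-Email: $2
Expire-Date: $3
%commit
%echo done
EOF
}

# Generate the key, then print the fingerprint of the primary key just created
# (field 10 of the first fpr record in the colon listing for that e-mail).
generate_key() {
    gen_params "$1" "$2" "$3" | gpg --batch --gen-key
    gpg --batch --with-colons --list-secret-keys "$2" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Export public key, secret key and revocation certificate for FPR into DIR.
# DIR should be the mount point of the offline media, so the secret material
# never lands on the working disk (shred cannot reliably erase files on
# journaling, copy-on-write or SSD-backed filesystems). GnuPG >= 2.1 also
# writes a ready-made certificate to ~/.gnupg/openpgp-revocs.d/<FPR>.rev.
# --gen-revoke stays interactive: it asks for a reason and a confirmation.
backup_key() {
    fpr=$1; dir=$2
    gpg --batch --armor --output "$dir/pubkey.asc" --export "$fpr"
    gpg --armor --output "$dir/prikey.asc" --export-secret-keys "$fpr"
    gpg --armor --output "$dir/revoke.asc" --gen-revoke "$fpr"
    chmod 600 "$dir/prikey.asc" "$dir/revoke.asc"
    ls -l "$dir"
}

# Usage (needs gpg; address and mount point are placeholders):
#   FPR=$(generate_key 'Michael Altfield' 'user@example.com' 1y)
#   backup_key "$FPR" /media/keybackup
# Offline demonstration: show the parameter file that would be fed to gpg.
gen_params 'Michael Altfield' 'user@example.com' 1y
```

The parameter file is the part worth keeping in version control (minus any real passphrase): it documents exactly what was generated, and the `Key-Usage`/`Subkey-Usage` split keeps signing and encryption on separate keys so the encryption subkey can later be rotated or revoked without touching the primary.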

Now, send your new public key out to all your friends! My new public key is available to download from my webserver.
