I came back from my “cross-country bicycle trip”:http://1guy2biketrips.michaelaltfield.net to discover I could no longer send signed email because my key expired! I’ve also changed colleges from “SPSU”:http://www.spsu.edu/ to “UCF”:http://www.ucf.edu, and my old college is expiring my email address, so here’s what I need to do:
# Extend my key’s expiration another year
# Add new email address to subkey
# Save updates to key
# Export a new public key
Background Information
GPG
“GPG (GNU Privacy Guard)”:http://www.gnupg.org/ (used here) is a popular, cross-platform implementation of “OpenPGP (Pretty Good Privacy)”:http://en.wikipedia.org/wiki/Pretty_Good_Privacy defined in “RFC 4880”:http://tools.ietf.org/html/rfc4880. OpenPGP outlines a standard, open message format for maintaining the “confidentiality”:http://en.wikipedia.org/wiki/Information_security#Confidentiality and “integrity”:http://en.wikipedia.org/wiki/Information_security#Integrity of electronic messages.
Why Subkeys?
“Public Key Cryptography”:http://en.wikipedia.org/wiki/Public-key_cryptography is long, complicated, and well outside the scope of this post. However, one thing I never fully understood was the functional purpose of subkeys. Thankfully, “the GPG documentation”:http://www.gnupg.org/gph/en/manual.html is excellent.
So, there’s 2 major things I want to accomplish by using GPG with my email
# Confidentiality through encryption
# Integrity through signatures
The designers of PGP viewed the signature role as indefinitely important while the encryption role as dynamic overtime. Therefore, when we first generate a keypair, 2 keys are created: 1 primary key for signing data & 1 subkey for encrypting data. In general, the primary key should never change (many things are tied to it, such as the key’s “Authenticity”:http://en.wikipedia.org/wiki/Information_security#Authenticity and our friend’s keys Authenticity through signing each other’s public keys.) However, the encryption key could change over time, so it’s stored to a separate subkey, which is relatively easy to change & redistribute.
Each subkey has one or more UIDs–which is for each email address. In this example, I add a new UID for my new email address to my primary key’s subkey so it can be listed in my public key. My public key will be distributed on the internet and to my friends. With my new email address added to my public key, my friend’s email clients will be able to see my email address as a UID in my public key’s encryption subkey–allowing them to encrypt messages to my new email address using my new public key.
Process Explained
Extend GPG Key Expiration
First, we list all our keys, find our expired key, and determine its ID.
$ gpg --list-keys ... pub 1024D/68C40535 2009-01-21 [expires: 2010-08-29] uid Michael Altfield uid Michael Altfield sub 2048g/9040F433 2009-01-21 [expires: 2010-08-29] ...
At the time of writing (2010-09-25), both the primary key and the subkey are expired since 2010-08-29.
To edit a key, find the primary key’s ID (in this case, it’s 68C40535).
$ gpg --edit-key 68C40535
gpg (GnuPG) 2.0.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
pub 1024D/68C40535 created: 2009-01-21 expires: 2011-09-25 usage: SC
trust: ultimate validity: ultimate
sub 2048g/9040F433 created: 2009-01-21 expires: 2010-08-29 usage: E
[ultimate] (1). Michael Altfield
[ultimate] (2) Michael Altfield
Command>
Primary Key
To extend the primary key, type @expire@ from the GPG @Command>@ prompt when editing the key. It will ask how much time (from now) until we want the key to expire again. In this example, I entered @1y@ –which evaluates to 1 year.
...
Command> expire
Changing expiration time for the primary key.
Please specify how long the key should be valid.
0 = key does not expire
= key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0) 1y
Key expires at Sun 25 Sep 2011 01:22:49 PM EDT
Is this correct? (y/N) y
You need a passphrase to unlock the secret key for
user: "Michael Altfield "
1024-bit DSA key, ID 68C40535, created 2009-01-21
pub 1024D/68C40535 created: 2009-01-21 expires: 2011-09-25 usage: SC
trust: ultimate validity: ultimate
sub 2048g/9040F433 created: 2009-01-21 expires: 2010-08-29 usage: E
[ultimate] (1). Michael Altfield
[ultimate] (2) Michael Altfield
Command>
Sub Key
Now we have to extend the expiration of subkeys. I have 1 subkey. First, select the subkey using the @key@ command. In this example, I have only 1 subkey, so I typed @key 1@. If I wanted to select the second subkey (if I had one), I would type @key 2@.
...
Command> list
pub 1024D/68C40535 created: 2009-01-21 expires: 2011-09-25 usage: SC
trust: ultimate validity: ultimate
sub 2048g/9040F433 created: 2009-01-21 expires: 2010-08-29 usage: E
[ultimate] (1). Michael Altfield
[ultimate] (2) Michael Altfield
Command> key 1
pub 1024D/68C40535 created: 2009-01-21 expires: 2011-09-25 usage: SC
trust: ultimate validity: ultimate
sub* 2048g/9040F433 created: 2009-01-21 expires: 2010-08-29 usage: E
[ultimate] (1). Michael Altfield
[ultimate] (2) Michael Altfield
In the above command, I did:
# @list@ – the @list@ command is useful for printing current info about the key, which also shows which keys and/or subkeys are currently selected.
# @key 1@ – this selected the first subkey and then did a re- @list@ to show that I’ve selected subkey 1.
Note the asterisk (*) next to the first subkey that appeared after the @key 1@ command. This indicates that the subkey is currently selected.
Now that the subkey is selected, re-running @expire@ will change the expiration date of the *subkey* instead of the *primary* key.
...
Command> expire
Changing expiration time for a subkey.
Please specify how long the key should be valid.
0 = key does not expire
= key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0) 1y
Key expires at Sun 25 Sep 2011 01:39:36 PM EDT
Is this correct? (y/N) y
You need a passphrase to unlock the secret key for
user: "Michael Altfield "
1024-bit DSA key, ID 68C40535, created 2009-01-21
pub 1024D/68C40535 created: 2009-01-21 expires: 2011-09-25 usage: SC
trust: ultimate validity: ultimate
sub* 2048g/9040F433 created: 2009-01-21 expires: 2011-09-25 usage: E
[ultimate] (1). Michael Altfield
[ultimate] (2) Michael Altfield
Command>
Note: the date after @expires:@ in the printout above shows a year from today (2010-09-25): 2011-09-25.
Add Email to Subkey
I transferred out of my old university, and they’re deleting my old email account soon. Since I’m just going to use my new University’s email account instead of my old University’s email account, and since I’m going to use it for the same purposes, it makes sense to merely add my new email address to my existing key.
Note: I might not want to do this for an email address that serves a different purpose. For example, I wouldn’t want my work email to use the same key as my private email. In this case, I would want to create an entirely new key with @gpg –gen-key@.
...
Command> adduid
Real name: Michael Altfield
Email address: [personal_email]@knights.ucf.edu
Comment:
You selected this USER-ID:
"Michael Altfield "
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a passphrase to unlock the secret key for
user: "Michael Altfield "
1024-bit DSA key, ID 68C40535, created 2009-01-21
pub 1024D/68C40535 created: 2009-01-21 expires: 2011-09-25 usage: SC
trust: ultimate validity: ultimate
sub 2048g/9040F433 created: 2009-01-21 expires: 2011-09-25 usage: E
[ultimate] (1). Michael Altfield
[ultimate] (2) Michael Altfield
[unknown] (3) Michael Altfield
Command>
Note the new UID #3.
Save Key
Now that we’re done with our edits to our key, we save & quit with the @save@ command.
.... Command> save $
This saves the key, quits gpg, and returns us to the shell prompt.
Export Key
Now that we’re back to our shell prompt, we need to export an updated public key and redistribute it to all our friends.
$ gpg -a --output pubkey4.asc --export 68C40535 $ ls pubkey.asc
The resulting file pubkey.asc can be distributed to the internet & friends. My updated key is now here: “/pubkey.asc”:/pubkey.as
Related Posts
Hi, I’m Michael Altfield. I write articles about opsec, privacy, and devops ➡
Leave a Reply