I went to send an email the other day and I was halted when I discovered that my key had expired. I can’t believe that I’ve been using GPG for 6 months, but the time had come to generate a new keypair.
This post outlines the process to generate a new keypair once your old keypair has expired.
The following command will show you your private/secret keys.
$ gpg --list-secret-keys
sec   1024D/0884BC5C 2008-07-23 [expires: 2009-01-19]
uid                  Michael Altfield
ssb   2048g/EC0F0721 2008-07-23
You can see from the above output that my key (with the ID of: 0884BC5C) expired on January 19th, 2009.
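Rather than discovering an expired key the moment you try to send mail, you can check the whole secret keyring for keys that have expired or are about to. The script below is an added example, not part of the original post; it parses GnuPG's machine-readable `--with-colons` listing and runs against a constructed sample that reuses the key IDs from this post (the epoch values, `check_expiry` and the placeholder uid hash are made up for the example; the parser assumes the epoch-second expiry field that modern GnuPG prints).

```shell
#!/bin/sh
# Added example, not from the original post: warn before a GPG key expires.
# Parses the colon-separated listing from "gpg --list-secret-keys --with-colons"
# (format documented in GnuPG's doc/DETAILS): field 1 = record type,
# field 5 = key ID, field 7 = expiry as epoch seconds (empty = never expires).

# check_expiry NOW_EPOCH WARN_DAYS   (reads the colon listing on stdin)
# Prints "<keyid> <EXPIRED|EXPIRING|OK|NOEXPIRY> <days>" for each sec/ssb
# record and returns 1 if any key is expired or expires within WARN_DAYS.
check_expiry() {
    awk -F: -v now="$1" -v warn="$2" '
        $1 == "sec" || $1 == "ssb" {
            keyid = $5
            if ($7 == "") { print keyid, "NOEXPIRY", "-"; next }
            days = int(($7 - now) / 86400)
            if (days < 0)          { status = "EXPIRED";  bad = 1 }
            else if (days <= warn) { status = "EXPIRING"; bad = 1 }
            else                   { status = "OK" }
            print keyid, status, days
        }
        END { if (bad) exit 1; exit 0 }'
}

# Constructed sample listing using the key IDs from the post (real output shows
# 16-hex-digit long IDs). 1232323200 = 2009-01-19 UTC, 1248048000 = 2009-07-20 UTC.
SAMPLE='sec:u:1024:17:0884BC5C:1216771200:1232323200::u:::scESC:::::::
uid:u::::1216771200::UIDHASHPLACEHOLDER::Michael Altfield::::::::::
ssb:u:2048:16:EC0F0721:1216771200::::::e:::::::
sec:u:1024:17:68C40535:1232496000:1248048000::u:::scESC:::::::
ssb:u:2048:16:9040F433:1232496000::::::e:::::::'

# Stand-alone run against the sample, pretending today is 2009-01-26 (1233000000)
# with a 30-day warning window. Against a live keyring use:
#   gpg --list-secret-keys --with-colons | check_expiry "$(date +%s)" 30
printf '%s\n' "$SAMPLE" | check_expiry 1233000000 30 \
    || echo "action needed: extend the expiry or replace the key"
```

Run it from cron or a shell profile and you get the warning weeks before the key stops working instead of at the moment you need it.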
----
EDIT:
It was brought to my attention (thank you, Victor Escudero) that, except under rare circumstances, you should not create a new key when your old key expires. Instead, you should simply extend the life of your current key as follows:
$ gpg --edit-key 0884BC5C
gpg (GnuPG) 2.0.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  1024D/68C40535  created: 2009-01-21  expires: 2009-07-20  usage: SC
                     trust: ultimate      validity: ultimate
sub  2048g/9040F433  created: 2009-01-21  expires: 2009-07-20  usage: E
[ultimate] (1). Michael Altfield

Command> expire
Changing expiration time for the primary key.
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Sun 20 Jun 2010 10:28:12 AM EDT
Is this correct? (y/N) y

You need a passphrase to unlock the secret key for
user: "Michael Altfield "
1024-bit DSA key, ID 68C40535, created 2009-01-21

can't connect to `/home/guttersnipe/.gnupg/S.gpg-agent': No such file or directory
gpg: Invalid passphrase; please try again ...

You need a passphrase to unlock the secret key for
user: "Michael Altfield "
1024-bit DSA key, ID 68C40535, created 2009-01-21

pub  1024D/68C40535  created: 2009-01-21  expires: 2010-06-20  usage: SC
                     trust: ultimate      validity: ultimate
sub  2048g/9040F433  created: 2009-01-21  expires: 2009-07-20  usage: E
[ultimate] (1). Michael Altfield

Command> save
Save changes? (y/N) y
$
----
Issue the following command to generate a new keypair:
$ gpg --gen-key
When you finish, re-run the `gpg --list-secret-keys` command to see the change.
sec   1024D/0884BC5C 2008-07-23 [expires: 2009-01-19]
uid                  Michael Altfield
ssb   2048g/EC0F0721 2008-07-23

sec   1024D/68C40535 2009-01-21 [expires: 2009-07-20]
uid                  Michael Altfield
ssb   2048g/9040F433 2009-01-21
The new key appears. Note the new key’s ID (here it’s 68C40535).
Of course, every GPG user should store their public key, private key, and a revocation certificate in a safe place. Run the following commands to generate these files.
Note: replace 68C40535 with your new key ID (as determined above).
gpg -a --output pubkey.asc --export 68C40535
gpg -a --output prikey.asc --export-secret-key 68C40535
gpg --output revoke.asc --gen-revoke 68C40535
Now, store these files on some cheap, portable media (CD/thumbdrive/SD card/etc.), and hide it away somewhere safe. Once this has been done, be sure to shred (not just delete) your private key and revocation certificate; you don't want anyone to get their hands on these files.
shred -u prikey.asc
shred -u revoke.asc
Now, send your new public key out to all your friends! My new public key is available to download from my webserver.
Hi, I'm Michael Altfield. I write articles about opsec, privacy, and devops.