GPG
===

As many tutorials point out, it is better to keep the master key stored in an
offline computer and to export subkeys when needed.

In this tutorial we use

- ``a@b.com`` as the email that identifies the key
- ``0123ABCD`` as the fingerprint of the public signing subkey

Renew expiration date of private keys
-------------------------------------

.. seealso::

   - _`Extending expiration date - GnuPG - ArchWiki` [#f1]_
   - _`gnupg - Is it possible to export a GPG subkey's public component? - Information Security Stack Exchange` [#f2]_

Renew and export to file
````````````````````````

+--------------+--------------------+
| Run as user  | Instruction number |
+--------------+--------------------+
| ``myuser``   | \*                 |
+--------------+--------------------+

#. get the keys. You can use the email as the identifier (we are interested in
   the ``uid``, which in this case is ``a@b.com``)

   .. code-block:: shell-session

      gpg --list-keys

#. edit the keys. You can, for example, extend the master key for another
   2 years while the signing (``S``), certification (``C``) and encryption
   (``E``) subkeys can be extended by 1 year. You will get an interactive
   interface after running the first command

   .. code-block:: shell-session

      gpg --edit-key a@b.com
      key
      expire
      730
      key 1
      expire
      365
      key 1
      key 2
      expire
      365
      key 2
      key 3
      expire
      365
      key 3
      save
      exit

#. if you only use a _`subkey you can export it like this`.

   .. code-block:: shell-session

      gpg --export --armor --output 0123ABCD.subkey.txt 0123ABCD!

   .. important:: Preserve the ``!`` at the end of the command: it tells
      ``gpg`` to use exactly the subkey you named.

   A signing subkey is useful, for example, to sign Git commits.

.. note:: There is no need to update the backups or re-export the secret key.

Import
``````

+--------------+--------------------+
| Run as user  | Instruction number |
+--------------+--------------------+
| ``myuser``   | \*                 |
+--------------+--------------------+

#. on your other devices you can simply import the subkey like this

   .. code-block:: shell-session

      gpg --import 0123ABCD.subkey.txt

Add email
---------

+--------------+--------------------+
| Run as user  | Instruction number |
+--------------+--------------------+
| ``myuser``   | \*                 |
+--------------+--------------------+

#. edit the key: create a new email and set ultimate trust

   .. code-block:: shell-session

      gpg --edit-key a@b.com
      adduid
      # follow the instructions
      2         # the id of the new email (usually 2 if you had only one email before)
      primary   # set the new email as primary
      trust
      5         # set ultimate trust for the new email
      save
      exit

#. :ref:`re-export ` and share your public key(s)

.. note:: There is no need to update the backups or re-export the secret key.

Troubleshooting
---------------

Problem with the agent
``````````````````````

.. seealso::

   - _`18.04 - gpg: problem with the agent: Permission denied - Ask Ubuntu` [#f3]_

If you get ``gpg: problem with the agent: Permission denied`` while signing,
append ``pinentry-mode loopback`` to ``~/.gnupg/gpg.conf``.

.. rubric:: Footnotes

.. [#f1] https://wiki.archlinux.org/title/GnuPG#Extending_expiration_date GNU Free Documentation License 1.3 or later, Copyright (c) ArchWiki contributors
.. [#f2] https://security.stackexchange.com/a/226986 CC BY-SA 4.0, Copyright (c) 2020 qrtLs (at security.stackexchange.com)
.. [#f3] https://askubuntu.com/a/1158297 CC BY-SA 4.0, Copyright (c) 2021 Deathgrip (at askubuntu.com)
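
To know when the renewal procedure in "Renew expiration date of private keys" is due, the machine-readable listing from ``gpg --list-keys --with-colons`` can be checked for keys and subkeys that are close to expiry. The script below is an added example, not part of the original tutorial; the function names, the 30-day window and the sample listing (constructed, not real keys) are assumptions.

```shell
#!/bin/sh
# Added example: report keys/subkeys that expire within a warning window.
# Input: `gpg --list-keys --with-colons` output on stdin.
# Colon fields used: 1 = record type, 5 = key ID,
#                    7 = expiry (epoch seconds, empty = never), 12 = capabilities.

# expiring_keys NOW_EPOCH WINDOW_DAYS
# Prints "type keyid capabilities days_left" for every pub/sub record whose
# expiry is at most WINDOW_DAYS away (negative days_left = already expired).
expiring_keys() {
    awk -F: -v now="$1" -v window="$2" '
        ($1 == "pub" || $1 == "sub") && $7 != "" {
            days = int(($7 - now) / 86400)
            if (days <= window)
                printf "%s %s %s %d\n", $1, $5, $12, days
        }'
}

# Constructed sample listing: a primary key valid for 730 more days, a signing
# subkey with 20 days left, a subkey without expiry and an expired subkey.
sample_listing() {
    cat <<'EOF'
pub:u:4096:1:BBBBBBBBBBBBBBBB:1690000000:1763072000::u:::cSC:
fpr:::::::::0000000000000000000000000000000000000000:
uid:u::::1690000000::0000000000000000000000000000000000000000::Example <a@b.com>:
sub:u:4096:1:AAAAAAAA0123ABCD:1690000000:1701728000:::::s:
sub:u:4096:1:DDDDDDDDDDDDDDDD:1690000000::::::e:
sub:e:4096:1:CCCCCCCCCCCCCCCC:1690000000:1699568000:::::a:
EOF
}

# A fixed "now" keeps the sample run reproducible. On a real keyring use:
#   gpg --list-keys --with-colons a@b.com | expiring_keys "$(date +%s)" 30
sample_listing | expiring_keys 1700000000 30
```

Any line it prints names a key whose ``expire`` step should be repeated on the offline machine and whose public part should be exported again.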