GPG

As many tutorials point out it is better to keep the master key stored in an offline computer and to export subkeys when needed.

In this tutorial we use

• a@b.com as the email that identifies the key

• 0123ABCD as the fingerprint of the public signing subkey

Renew expiration date of private keys

Vedi anche

• Extending expiration date - GnuPG - ArchWiki 1

• gnupg - Is it possible to export a GPG subkey’s public component? - Information Security Stack Exchange 2

Renew and export to file

1. get the keys. You can use the email as identifier (we are interested in the uid which in this case is a@b.com)

   gpg --list-keys
   

2. edit the keys. You can, for example, extend the master subkey for another 2 years while the signing (S), certification (C) and encryption (E) subkeys can be extended by 1 year. You will get an interactive interface after running the first command

   gpg --edit-key a@b.com
   
   key
   expire
   730
   
   key 1
   expire
   365
   key 1
   
   key 2
   expire
   365
   key 2
   
   key 3
   expire
   365
   key 3
   
   save
   
   exit
   

3. if you only use a subkey you can export it like this.

   gpg --export --armor --output 0123ABCD.subkey.txt 0123ABCD!
   

   Importante

   Preserve the ! at the end of the command.

   A signing subkey is useful, for example, to sign GIT commits.

Nota

There is no need to update the backups or re-export the secret key.

Import

1. on your other devices you can simply import the subkey like this

   gpg --import 0123ABCD.subkey.txt
   

Add email

1. edit the key: create a new email and set ultimate trust

   gpg --edit-key a@b.com
   
   adduid
   
             # follow the instructions
   
   2         # the id of the new email (usually 2 if you had only one email before)
   
   primary   # set the new email as primary
   
   trust
   5         # set ultimate trust for the new email
   
   save
   exit
   

2. re-export and share you public key(s)

Nota

There is no need to update the backups or re-export the secret key.

Troubleshooting

Problem with the agent

If you get gpg: problem with the agent: Permission denied while signing append pinentry-mode loopback to ~/.gnupg/gpg.conf

Vedi anche

• 18.04 - gpg: problem with the agent: Permission denied - Ask Ubuntu 3

Footnotes

1

https://wiki.archlinux.org/title/GnuPG#Extending_expiration_date GNU Free Documentation License 1.3 or later, Copyright (c) ArchWiki contributors

2

https://security.stackexchange.com/a/226986 CC BY-SA 4.0, Copyright (c) 2020 qrtLs (at security.stackexchange.com)

3

https://askubuntu.com/a/1158297 CC BY-SA 4.0, Copyright (c) 2021 Deathgrip (at askubuntu.com)