GPG

As many tutorials point out, it is better to keep the master key on an offline computer and to export subkeys when needed.

In this tutorial we use

  • a@b.com as the email that identifies the key

  • 0123ABCD as the fingerprint of the public signing subkey

Renew expiration date of private keys

See also

  • Extending expiration date - GnuPG - ArchWiki [1]

  • gnupg - Is it possible to export a GPG subkey’s public component? - Information Security Stack Exchange [2]

Renew and export to file

Run as user    Instruction number
myuser         *

  1. list the keys. You can use the email address as the identifier (we are interested in the uid, which in this case is a@b.com)

    gpg --list-keys
    
  2. edit the keys. You can, for example, extend the master (primary) key for another 2 years, while the signing (S), certification (C) and encryption (E) subkeys are extended by 1 year. The first command opens an interactive gpg> prompt; the remaining lines are typed at that prompt

    gpg --edit-key a@b.com
    
    key          # no number: deselect all subkeys, so expire acts on the primary key
    expire
    730          # answer to "Key is valid for?"; confirm with y when asked
    
    key 1        # select subkey 1 (an asterisk marks it as selected)
    expire
    365
    key 1        # typing it again deselects subkey 1
    
    key 2
    expire
    365
    key 2
    
    key 3
    expire
    365
    key 3
    
    save         # write the changes (you will be asked for the passphrase) and leave the prompt
    
    exit
    
  3. if you only use a subkey on your other devices, export just the public part of that subkey like this

    gpg --export --armor --output 0123ABCD.subkey.txt 0123ABCD!
    

    Important

    Preserve the ! at the end of the command: it tells gpg to export only the subkey with that fingerprint (together with the primary public key it belongs to) rather than every subkey.

    A signing subkey is useful, for example, to sign GIT commits.

Note

There is no need to update the backups or re-export the secret key.
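Knowing when a renewal is due is the hard part of the procedure above. As an added example that is not part of the original tutorial, the POSIX shell helper below parses the machine-readable output of gpg --list-keys --with-colons and reports which keys and subkeys expire within a given number of days; the sample output, key IDs and capability letters are constructed.

```shell
# Constructed sample: stands in for the output of
#   gpg --list-keys --with-colons a@b.com
# Key IDs and fingerprints below are placeholders, not real keys.
SAMPLE_COLONS='pub:u:4096:1:0123456789ABCDEF:1600000000:1735689600::u:::scESCA::::::23::0:
fpr:::::::::0000000000000000000000000000000000000000:
uid:u::::1600000000::0000000000000000000000000000000000000000::Alice <a@b.com>::::::::::0:
sub:u:4096:1:0000000000001111:1600000000:1700000000:::::s::::::23:
sub:u:4096:1:0000000000002222:1600000000:1767225600:::::e::::::23:
sub:u:4096:1:0000000000003333:1600000000:1690000000:::::a::::::23:'

# In the colon format: field 1 is the record type (pub = primary key,
# sub = subkey), field 5 the key ID, field 7 the expiration time as
# seconds since the epoch (empty = never expires) and field 12 the
# capability letters (s sign, e encrypt, c certify, a authenticate).
#
# Usage: expiring_within NOW_EPOCH DAYS   (colon output on stdin)
# Prints "<type> <keyid> <caps> <days-left>" for every pub/sub record
# that expires within DAYS of NOW_EPOCH; an already expired key shows
# zero or negative days-left.
expiring_within() {
    awk -F: -v now="$1" -v days="$2" '
        $1 == "pub" || $1 == "sub" {
            if ($7 == "") next                  # no expiration date set
            left = int(($7 - now) / 86400)      # whole days remaining
            if (left <= days) printf "%s %s %s %d\n", $1, $5, $12, left
        }'
}

# Run against the sample with "now" pinned to 2023-07-22 (1690000000)
# and a 120-day warning window. On a real machine you would instead run:
#   gpg --list-keys --with-colons | expiring_within "$(date +%s)" 30
printf '%s\n' "$SAMPLE_COLONS" | expiring_within 1690000000 120
```

With the sample above, only the signing subkey (115 days left) and the authentication subkey (expiring today) are reported; the primary key and the encryption subkey are outside the window.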

Import

Run as user    Instruction number
myuser         *

  1. on your other devices you can simply import the exported subkey like this

    gpg --import 0123ABCD.subkey.txt
    

Add email

Run as user    Instruction number
myuser         *

  1. edit the key: add a new email (user ID) and set ultimate trust

    gpg --edit-key a@b.com
    
    adduid        # follow the prompts for name, email and comment
    
    uid 2         # select the new user ID (usually 2 if you had only one email before)
    
    primary       # make the selected user ID the primary one
    
    trust
    5             # ultimate trust; confirm with y when asked
    
    save
    exit
    
  2. re-export and share your public key(s)

Note

There is no need to update the backups or re-export the secret key.

Troubleshooting

Problem with the agent

See also

  • 18.04 - gpg: problem with the agent: Permission denied - Ask Ubuntu [3]

If you get "gpg: problem with the agent: Permission denied" while signing, add the following line to ~/.gnupg/gpg.conf

    pinentry-mode loopback

Footnotes

[1] https://wiki.archlinux.org/title/GnuPG#Extending_expiration_date - GNU Free Documentation License 1.3 or later, Copyright (c) ArchWiki contributors

[2] https://security.stackexchange.com/a/226986 - CC BY-SA 4.0, Copyright (c) 2020 qrtLs (at security.stackexchange.com)

[3] https://askubuntu.com/a/1158297 - CC BY-SA 4.0, Copyright (c) 2021 Deathgrip (at askubuntu.com)