How to renew a GPG key
— Albert De La Fuente Vigliotti
How to renew the main key
gpg2 --list-secret-keys
gpg2 --edit-key 0x536814BF4871A220
gpg> expire
10w
gpg> save
How to renew the subkey
Since I have subkeys I need to also renew the subkey as follows:
gpg2 --list-secret-keys
gpg2 --edit-key 0x536814BF4871A220
gpg> key 0xE2977BF3F82AB971
gpg> expire
10w
gpg> save
Renew the main key in an unattended way
The automated way to renew the main key is as follows:
printf "expire\n10w\nsave\n" | gpg --batch --pinentry-mode loopback \
--passphrase-fd 3 --command-fd 0 --status-fd=2 \
--edit-key vonpupp@keybase.io 3<passphrase.txt
rm passphrase.txt
TODO NEEDS TESTING: Renew the subkey in an unattended way
printf "key 0xE2977BF3F82AB971\nexpire\n10w\nsave\n" | gpg --batch --pinentry-mode loopback \
--passphrase-fd 3 --command-fd 0 --status-fd=2 \
--edit-key vonpupp@keybase.io 3<passphrase.txt
rm passphrase.txt
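A check to run after either unattended renewal, as an added example that is not from the original post: it reads `gpg --list-keys --with-colons` output and lists any primary key or subkey still due to expire within a window, which catches a renewal that updated the main key but missed the subkey. The function names, the uid and the timestamps in the sample listing are constructed; only the two key IDs and the uid address in the usage comment come from the page.

```shell
#!/bin/sh
# Added example (not from the original post): verify expiry dates after a renewal.
# Input is `gpg --list-keys --with-colons` output on stdin. Fields used:
#   1 = record type, 5 = key ID, 7 = expiry in epoch seconds (empty = never).
# Assumption: timestamps are epoch seconds, gpg's default in this format.

# expiring_keys NOW_EPOCH WINDOW_DAYS
# Prints "<type> <keyid> <days_left>" for every primary key (pub) or subkey
# (sub) that expires less than WINDOW_DAYS after NOW_EPOCH.
expiring_keys() {
    awk -F: -v now="$1" -v days="$2" '
        ($1 == "pub" || $1 == "sub") && $7 != "" {
            left = int(($7 - now) / 86400)
            if (left < days) print $1, $5, left
        }'
}

# renewal_ok NOW_EPOCH WINDOW_DAYS
# Exit status 0 only when no key on stdin is due within the window.
renewal_ok() {
    [ -z "$(expiring_keys "$1" "$2")" ]
}

# Constructed listing: the main key was extended by 10 weeks from
# now=1700000000, but the subkey was missed and still has 7 days left.
sample_listing() {
    cat <<'EOF'
pub:u:4096:1:536814BF4871A220:1500000000:1706048000::u:::scESC::::::23::0:
uid:u::::1500000000::0000::Example User <user@example.org>::::::::::0:
sub:u:4096:1:E2977BF3F82AB971:1500000000:1700604800:::::e::::::23:
EOF
}

# Demo on the constructed listing, with a 30-day window.
sample_listing | expiring_keys 1700000000 30

# Real use, after the renewal commands:
#   gpg --list-keys --with-colons vonpupp@keybase.io |
#       renewal_ok "$(date +%s)" 30 || echo "a key still expires within 30 days"
```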
Read more
gnupg - Extend the expiration date of a GPG key non-interactively - Super User
- Source: https://superuser.com/questions/1478615/extend-the-expiration-date-of-a-gpg-key-non-interactively
- Title: gnupg - Extend the expiration date of a GPG key non-interactively - Super User
- Captured on:
TODO Create new stronger key with a transition statement according to: OpenPGP Best Practices - riseup.net
- Source: https://riseup.net/ru/security/message-security/openpgp/gpg-best-practices#key-configuration
- Title: OpenPGP Best Practices - riseup.net
It is recommended to make a 3072-bit RSA key, with the sha512 hashing algo, making a transition statement that is signed by both keys, and then letting people know. Also have a look at this good document that details exactly the steps that you need to create such a key, making sure that you are getting the right hashing algo (it can be slightly complicated if you are using GnuPG versions less than 1.4.10).