[SATLUG] GPG Encryption Sub-Key Expired? Create a new one! But carefully... ; )

David Kowis dkowis at shlrm.org
Fri Oct 1 15:05:09 CDT 2010

On 10/1/2010 9:36 AM, Tweeks wrote:
> If you were a part of our original GPG keysigning party back in September of 
> 2005, then it's very possible (if you created a 5yr ElGamal encryption key) 
> that your encrypting key has just recently expired.
> If this is the case, then you're in a very sensitive place right now.  If you 
> created your signing and encryption keys like we told you (an unlimited 1024 
> DSA signing key, and a 5yr 2048 or 4096bit ElGamal signing key), then all you 
> need do is create a new ElGamal encryption subkey (sub to your signing key).
> To do this.. just follow the directions here:
> https://wiki.slugbug.org.uk/GPG#Generating_a_new_encryption_sub-key
> And I think I'm going to recommend that the next meeting be another 
> key-signing party.. both for new folks who want to create and start using GPG 
> key pairs, or just for those who may have messed up and need to start over.
> NOTE: If your encryption key HAS expired.. don't just go and create a whole 
> new set of signing and encrypting keys with some GUI.  In doing so you would 
> lose all those great signatures you've built up!  If you just follow the 
> command line directions outlined in that URL, then you'll be able to safely 
> add a new sub-encryption key and be good to go.  If your master DSA signing 
> key expired.. then you may be hosed (I don't know of a way to re-up an 
> expired key).
> Any other related thoughts or feedback?

When I did the research on this, what you've said is true. You should
keep your signing key with no expiration date, but have the crypto key
expire yearly. It's relatively easy to generate a new crypto sub-key, so
that you can still decrypt old things, but it'll use the new crypto
subkey to encrypt new emails. I've found it's easiest to have my crypto
key expire on my birthday, that way I always get a new crypto key on my
birthday :D
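Before deciding whether to add a subkey, it helps to see exactly which subkeys gpg considers expired. The following is an added example, not code from either message above: it parses the machine-readable listing that `gpg --with-colons --list-keys <keyid>` prints (the colon-separated format documented in GnuPG's doc/DETAILS) and reports which encryption-capable subkeys have expired, which one gpg will use for new messages (the newest valid one), and whether the master key itself has lapsed. The key listing embedded in the script is constructed for the example; the key ids and dates are not real keys.

```python
"""Find expired encryption subkeys in GnuPG's machine-readable key listing.

Added example, not code from the original post.  It parses the output of
    gpg --with-colons --list-keys <keyid>
and reports which encryption-capable subkeys have expired and which one gpg
would use for new messages.  The listing below is constructed for the example.
"""
import calendar
import time

# Constructed sample listing: a DSA master key (algorithm 17) with no expiry,
# an ElGamal subkey (algorithm 16) created in September 2005 with a 5-year
# expiry, and a replacement ElGamal subkey added in September 2010 for 1 year.
SAMPLE_LISTING = """\
tru::1:1285000000:0:3:1:5
pub:u:1024:17:1111111111111111:1126000000:::u:::scESC::::::::
fpr:::::::::0000000000000000000000001111111111111111:
uid:u::::1126000000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Example User <user at example.org>::::::::::0:
sub:e:2048:16:2222222222222222:1126000000:1283000000:::::e::::::
sub:u:4096:16:3333333333333333:1285000000:1316000000:::::e::::::
"""

# --with-colons fields, 0-based (from GnuPG's doc/DETAILS):
# 0 record type, 1 validity (e = expired, r = revoked), 2 key length,
# 3 public-key algorithm, 4 key id, 5 creation date, 6 expiration date
# (empty = never), 11 capabilities (e = encrypt, s = sign, c = certify).


def _parse_date(field):
    """Return a UTC epoch timestamp, or None when the field is empty (no expiry).

    GnuPG 2.x prints seconds since the epoch; gpg 1.4 without --fixed-list-mode
    printed YYYY-MM-DD, and ISO 8601 (YYYYMMDDTHHMMSS) is also documented.
    """
    if not field:
        return None
    if field.isdigit():
        return int(field)
    fmt = "%Y%m%dT%H%M%S" if "T" in field else "%Y-%m-%d"
    return calendar.timegm(time.strptime(field, fmt))


def parse_listing(text):
    """Return (master, subkeys) dicts built from the pub/sub records of a listing."""
    master, subkeys = None, []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub"):
            continue  # tru/fpr/uid/sig records carry nothing we need here
        rec = {
            "keyid": f[4], "validity": f[1], "bits": int(f[2]), "algo": int(f[3]),
            "created": _parse_date(f[5]), "expires": _parse_date(f[6]), "caps": f[11],
        }
        if f[0] == "pub":
            master = rec
        else:
            subkeys.append(rec)
    if master is None:
        raise ValueError("no pub record in listing")
    return master, subkeys


def check_encryption_subkeys(text, now=None):
    """Classify encryption-capable subkeys relative to `now` (epoch seconds, UTC).

    Returns the master key id and whether it has expired, the expired and valid
    encryption subkey ids, the subkey gpg picks for new messages (the newest
    valid one), and whether a replacement encryption subkey is needed.
    """
    now = int(time.time()) if now is None else now
    master, subkeys = parse_listing(text)
    expired, valid = [], []
    for sk in subkeys:
        if "e" not in sk["caps"] or sk["validity"] == "r":
            continue  # not an encryption subkey, or revoked: never usable again
        if sk["expires"] is not None and sk["expires"] <= now:
            expired.append(sk)
        else:
            valid.append(sk)
    current = max(valid, key=lambda sk: sk["created"], default=None)
    master_expired = master["expires"] is not None and master["expires"] <= now
    return {
        "master_keyid": master["keyid"],
        "master_expired": master_expired,
        "expired": [sk["keyid"] for sk in expired],
        "valid": [sk["keyid"] for sk in valid],
        "current": current["keyid"] if current else None,
        "needs_new_subkey": not valid,
    }


if __name__ == "__main__":
    # Evaluate the sample as of 1 October 2010, the date of this thread.
    when = calendar.timegm((2010, 10, 1, 0, 0, 0))
    r = check_encryption_subkeys(SAMPLE_LISTING, now=when)
    print("expired encryption subkeys:", r["expired"])
    print("gpg will encrypt new mail to subkey:", r["current"])
    if r["needs_new_subkey"]:
        print("add a subkey: gpg --edit-key", r["master_keyid"], "then 'addkey' and 'save'")
```

To feed it a real key, pipe `gpg --with-colons --list-keys <keyid>` into `check_encryption_subkeys`. When it reports `needs_new_subkey`, the fix is the one described in the thread: `gpg --edit-key <keyid>`, `addkey`, pick an encrypt-only subkey with an expiry, then `save`, and re-upload the public key so correspondents pick up the new subkey. The old subkey's secret material stays in the keyring, so mail encrypted to it remains readable. One caveat on the "you may be hosed" remark above: an expired primary key is not lost; with the secret key you can set a fresh expiry with `expire` inside `gpg --edit-key`, which creates a new self-signature that again has to be redistributed.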

