[SATLUG] GPG Encryption Sub-Key Expired? Create a new one! But carefully... ; )

David Kowis dkowis at shlrm.org
Fri Oct 1 15:05:09 CDT 2010


On 10/1/2010 9:36 AM, Tweeks wrote:
> If you were a part of our original GPG keysigning party back in September of 
> 2005, then it's very possible (if you created a 5yr ElGamal encryption key) 
> that your encrypting key has just recently expired.
> 
> If this is the case, then you're in a very sensitive place right now.  If you 
> created your signing and encryption keys like we told you (an unlimited 1024 
> DSA signing key, and a 5yr 2048 or 4096bit ElGamal signing key), then all you 
> need do is create a new ElGamal encryption subkey (sub to your signing key).
> 
> To do this.. just follow the directions here:
> https://wiki.slugbug.org.uk/GPG#Generating_a_new_encryption_sub-key
> 
> And I think I'm going to recommend that the next meeting be another 
> key-signing party.. both for new folks who want to create and start using GPG 
> key pairs, or just for those who may have messed up and need to start over.
> 
> NOTE: If your encryption key HAS expired.. don't just go and create a whole 
> new set of signing and encrypting keys with some GUI.  In doing so you would 
> lose all those great signatures you've built up!  If you just follow the 
> command line directions outlined in that URL, then you'll be able to safely 
> add a new sub-encryption key and be good to go.  If your master DSA signing 
> key expired.. then you may be hosed (I don't know of a way to re-up an 
> expired key).
> 
> Any other related thoughts or feedback?

When I did the research on this, what you've said is true. You should
keep your signing key with no expiration date, but have the crypto key
expire yearly. It's relatively easy to generate a new crypto sub-key, so
that you can still decrypt old things, but it'll use the new crypto
subkey to encrypt new emails. I've found it's easiest to have my crypto
key expire on my birthday, that way I always get a new crypto key on my
birthday :D

David

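Added example, not part of the original thread: a small check that reads `gpg --list-keys --with-colons` output and tells apart the two cases discussed above (expired encryption subkey under a still-valid primary key, versus an expired primary key). The key IDs, timestamps and sample listing are constructed for illustration.

```python
import time

# Constructed sample of `gpg --list-keys --with-colons` output (not a real key).
# Fields used: 1=record type, 2=validity, 5=key ID, 7=expiry, 12=capabilities.
SAMPLE = """\
pub:u:1024:17:AAAAAAAAAAAAAAAA:1126742400:::u:::scESC:
uid:u::::1126742400::0000000000000000000000000000000000000000::Example User <user@example.org>:
sub:e:2048:16:BBBBBBBBBBBBBBBB:1126742400:1284508800:::::e:
"""

def is_expired(validity, expiry, now):
    # gpg marks expired keys with validity 'e'; also compare the expiry
    # timestamp when it is given as epoch seconds (older output may use dates).
    return validity == "e" or (expiry.isdigit() and int(expiry) <= now)

def audit(colon_output, now=None):
    """Return one report per primary key found in the colon listing."""
    now = int(time.time()) if now is None else now
    reports, current = [], None
    for line in colon_output.splitlines():
        f = line.split(":")
        if len(f) < 12 or f[0] not in ("pub", "sub"):
            continue
        expired = is_expired(f[1], f[6], now)
        if f[0] == "pub":
            current = {"primary": f[4], "primary_expired": expired,
                       "expired_enc": [], "valid_enc": []}
            reports.append(current)
        # Skip revoked keys and keys without the encryption capability 'e'.
        if current is None or f[1] == "r" or "e" not in f[11]:
            continue
        current["expired_enc" if expired else "valid_enc"].append(f[4])
    return reports

def advice(report):
    if report["primary_expired"]:
        return "primary key expired"
    if report["valid_enc"]:
        return "ok"
    if report["expired_enc"]:
        return "add a new encryption subkey"
    return "no encryption subkey"

if __name__ == "__main__":
    # Constructed "now": 2010-10-01 00:00 UTC, so the sample subkey is expired.
    for r in audit(SAMPLE, now=1285891200):
        print(r["primary"], "->", advice(r))
```

To check a real keyring, pass the text produced by `gpg --list-keys --with-colons` to `audit()` in place of SAMPLE.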
