
Renewing GPG Subkeys in 2025


It is that time of year again when my gpg signing and encryption subkeys expire. I wrote about how to renew them before, but it was a long time ago and the process has gotten simpler thanks to advancements in gpg user friendliness. Here are the steps I take today.

Hypothetically, I sit down at a blank, airgapped computer that is only used for this process, into which I insert whatever media holds the secret master key. (1)

(1) I think the formal terminology these days is to call the master key a primary key. I get confused when I hear “primary key” because I think of databases, so I keep saying “master key” in the context of gpg. I realise this is the defense of everyone who was on the wrong side of history when it comes to terminology. I’m not perfect.

In[1]:

$ gpg --list-keys && gpg --list-secret-keys

First, we verify the current state of public and secret keys and note the id of the key to be edited.

In[2]:

$ gpg --import <secret-master-key-file>
$ gpg --edit-key <key-id>

Time to kick off by importing the secret master key (2) and then opening the gpg command line for the key.

(2) This used to be more complicated with gpg refusing to import secret keys when secret subkeys exist, but it does the right thing now.

In[3]:

> expire
> key 1
> key 2
> expire
> save
> ^D
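After `save`, the new expiry dates can be confirmed from gpg's machine-readable listing rather than by eye. The script below is an added example, not part of the original article: the function names and the sample listing are constructed for illustration, and it assumes field 7 of each `sub` record holds the expiry as epoch seconds, which is how GnuPG 2.x prints it with `--with-colons`.

```shell
#!/bin/sh
# Added example (not from the article): classify each subkey by expiry.
# Real use: gpg --list-keys --with-colons <key-id> | subkeys_expiring "$(date +%s)" 60

# subkeys_expiring NOW_EPOCH WINDOW_DAYS
# Reads colon-format key listing on stdin and prints, per subkey:
#   <keyid> <capabilities> <expired|expiring|ok|never>
subkeys_expiring() {
    awk -F: -v now="$1" -v days="$2" '
        $1 == "sub" {
            keyid = $5; expiry = $7; caps = $12
            if (expiry == "")                        status = "never"
            else if (expiry + 0 <= now + 0)          status = "expired"
            else if (expiry - now <= days * 86400)   status = "expiring"
            else                                     status = "ok"
            print keyid, caps, status
        }'
}

# Constructed sample listing (placeholder key IDs, not real keys).
# Subkey expiries: 2026-01-01, 2025-01-01, 2027-01-01, and none.
sample_listing() {
    cat <<'EOF'
pub:u:4096:1:AAAAAAAAAAAAAAAA:1577836800:::u:::cSC::::::23::0:
uid:u::::1577836800::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1704067200:1767225600:::::s::::::23:
sub:e:4096:1:CCCCCCCCCCCCCCCC:1704067200:1735689600:::::e::::::23:
sub:u:4096:1:DDDDDDDDDDDDDDDD:1704067200:1798761600:::::a::::::23:
sub:u:4096:1:EEEEEEEEEEEEEEEE:1704067200::::::e::::::23:
EOF
}

# Demo run against the constructed sample, using the current time
# and a 60-day warning window.
sample_listing | subkeys_expiring "$(date +%s)" 60
```

Any subkey reported as `expired` or `expiring` after the edit session means the `expire` command was not applied to it, or the change was not saved.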
