blog/content/posts/2019-04-30-gpg-update.md
2019-04-30 14:33:37 +02:00
---
title: Update expiry of GPG keys with separate master key
date: 2019-04-30
author: James McDonald
type: post
categories:
- Tech
---
It's nice and cosy and secure to have a separate GPG master key, kept offline, as described in
many articles, for example https://wiki.debian.org/Subkeys. It's also a good
idea to set expiry dates on these keys so that if all else fails, at least they
will only work for so long. But that means that once every expiry interval you
need to extend the expiry dates to keep using the keys, and that requires the
master key. And of course, like me, you totally remember how to do that a year
(or a month, or 10 minutes) later. Right? So I wrote it down.
For this recipe, you will need:
* One backup of your original master key, ideally in ASCII-armoured (`.asc`) format
* The passphrase for your original master key
* One GPG2, at least version 2.1
* One Docker, optional
You can do all of this in a Docker container to keep things nicely separated.
You don't have to. I create a temporary `GNUPGHOME` anyway, just to be
cautious.
```
docker run -ti --rm debian
apt-get update && apt-get install -y gnupg2
```
Create a temporary GPG home and import your master key backup:
```
export GNUPGHOME=$(mktemp -d)
gpg --import
```
Just paste your master key into the terminal, or however else you want to get it into the container. Obviously look for people standing behind you scribbling furiously. You will be asked for your passphrase.
The output will include something like:
```
gpg: key 1234ABCD1234ABCD: public key "Your Name <you@example.com>" imported
```
Stick that key ID in a variable.
```
export ID=1234ABCD1234ABCD
```
Now edit the expiry date on the master key and all subkeys. I have 3 subkeys
(encrypt, sign and auth), so that's what you see in my example.
```
gpg --edit-key $ID
expire
1y
y
# Select however many subkeys you have
key 1
key 2
key 3
expire
y
1y
y
save
```
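The interactive `expire` session above is the original recipe. As an added example (not from the original post), the same update can be scripted with `--quick-set-expire`, which takes the primary key's fingerprint, an expiry interval and optionally a subkey fingerprint. The script reads fingerprints and expiry timestamps from `gpg --with-colons` output, so it also gives you a check for keys that are about to expire. Assumptions: the master key is already imported into the current `GNUPGHOME`, pinentry will prompt for the passphrase, and the three-argument form of `--quick-set-expire` is available (GnuPG 2.2 or newer). `SAMPLE_LISTING` is constructed test data, not a real key.

```sh
#!/bin/sh
# Added example: non-interactive expiry refresh for a primary key and all its subkeys.

# Print the fingerprint of the primary key from `gpg --with-colons` output on stdin.
# In colon format the first "fpr" record belongs to the "pub" record; field 10 is the fingerprint.
primary_fingerprint() {
  awk -F: '$1 == "fpr" { print $10; exit }'
}

# Print the fingerprint of every non-revoked subkey ("sub" record followed by its "fpr" record).
subkey_fingerprints() {
  awk -F: '$1 == "sub" && $2 != "r" { want = 1; next }
           $1 == "fpr" && want      { print $10; want = 0 }'
}

# Print "type keyid expiry" for every pub/sub record whose expiry (field 7, epoch seconds)
# is set and falls on or before the epoch given as $1. Keys without expiry are never listed.
keys_expiring_before() {
  awk -F: -v now="$1" '($1 == "pub" || $1 == "sub") && $7 != "" && $7 + 0 <= now + 0 {
    print $1, $5, $7
  }'
}

# Set a new expiry interval (e.g. 1y) on the primary key and every non-revoked subkey.
# Usage: refresh_expiry 1234ABCD1234ABCD 1y
refresh_expiry() {
  id=$1
  interval=$2
  # --fingerprint twice makes gpg emit subkey fingerprints as well (fpr records in colon mode)
  listing=$(gpg --with-colons --fingerprint --fingerprint "$id")
  primary=$(printf '%s\n' "$listing" | primary_fingerprint)
  # Two arguments: change the primary key's expiry (pinentry asks for the master passphrase).
  gpg --quick-set-expire "$primary" "$interval"
  # Three arguments: change one subkey's expiry (assumes GnuPG 2.2 or newer).
  for sub in $(printf '%s\n' "$listing" | subkey_fingerprints); do
    gpg --quick-set-expire "$primary" "$interval" "$sub"
  done
}

# Warn about keys expiring within the next N days (default 30). Reads the key from the keyring.
# Usage: warn_expiring 1234ABCD1234ABCD 30
warn_expiring() {
  id=$1
  days=${2:-30}
  limit=$(( $(date +%s) + days * 86400 ))
  gpg --with-colons --list-keys "$id" | keys_expiring_before "$limit"
}

# Constructed sample of `gpg --with-colons --fingerprint --fingerprint` output:
# a primary key with three subkeys (sign, encrypt, auth); the auth subkey has no expiry.
SAMPLE_LISTING='tru::1:1556627617:0:3:1:5
pub:u:4096:1:1234ABCD1234ABCD:1525000000:1588000000::u:::scESC::::::23::0:
fpr:::::::::AAAA1111AAAA1111AAAA11111234ABCD1234ABCD:
uid:u::::1525000000::0123456789ABCDEF0123456789ABCDEF01234567::Your Name <you@example.com>::::::::::0:
sub:u:4096:1:5678EF015678EF01:1525000000:1588000000:::::s::::::23:
fpr:::::::::BBBB2222BBBB2222BBBB22225678EF015678EF01:
sub:u:4096:1:9ABC23459ABC2345:1525000000:1588000000:::::e::::::23:
fpr:::::::::CCCC3333CCCC3333CCCC33339ABC23459ABC2345:
sub:u:4096:1:DEF06789DEF06789:1525000000::::::a::::::23:
fpr:::::::::DDDD4444DDDD4444DDDD4444DEF06789DEF06789:'
```

Run `refresh_expiry $ID 1y` inside the temporary `GNUPGHOME` in place of the `gpg --edit-key` session, then `warn_expiring $ID 30` on any machine to see which keys expire within the next month; an empty result means none do. Subkeys without an expiry date are left untouched by the check but still get the new interval from `refresh_expiry`.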
Optionally, make a fresh backup of the master key with its new expiry dates.
Copying it somewhere safe is left as an exercise for the reader.
```
gpg -a --export-secret-key $ID > master-backup.asc
```
Push your updated public keys.
```
gpg --send-keys $ID
```
Clean up the temporary GPG home so the master key does not linger on disk:
```
rm -rf $GNUPGHOME
```
Exit your shell and Docker will clean up the container.
That's it! On your other machines, retrieve the updated public keys with the
new expiry date (use your own master key ID in place of the example one):
```
gpg --recv-keys 1234ABCD1234ABCD
```