Following are some of my notes and how-tos on creating and managing PGP keys.
Here is a link to a website with some very good information and best practices for managing keys:
https://help.riseup.net/en/security/message-security/openpgp/best-practices
Most of this article deals with setting an expiration date on a key set to a reasonable time and with how you update that key as time goes by. Separately from creating and publishing your public key, set a reminder in whatever calendar system you use to update the expiration date a couple of weeks BEFORE the key actually expires. I typically set my keys to expire in 13 months and set my calendar to remind me after 12 or so months.
1) Creating a key set and distributing your public key:
As mentioned, when prompted, set a reasonable expiration time. Also create a revocation certificate. See the link above for details.
- To create a key:
$ gpg2 --gen-key
- List keys:
$ gpg2 --list-keys
/data/home/rchapin/.gnupg/pubring.gpg
-------------------------------------
pub 4096R/E5170CE8 2015-03-26 [expires: 2019-03-14]
uid Ryan Chapin <rchapin@nbinteractive.com>
sub 4096R/-------- 2015-03-26 [expires: 2019-03-14]
- Distribute the public key (use hkps, an encrypted connection to the keyserver):
$ gpg2 --keyserver hkps://hkps.pool.sks-keyservers.net --send-keys E5170CE8
2) Searching for keys and verifying that they have been posted to a public keyserver:
- List your keys
$ gpg2 --list-keys
/data/home/rchapin/.gnupg/pubring.gpg
-------------------------------------
pub 4096R/E5170CE8 2015-03-26 [expires: 2019-03-14]
uid Ryan Chapin <rchapin@nbinteractive.com>
sub 4096R/-------- 2015-03-26 [expires: 2019-03-14]
The short key ID of this user's public key is E5170CE8. The 4096R indicates a 4096-bit RSA key.
- Searching for the key:
To search for the key on a keyserver such as https://pgp.mit.edu/, enter the following in the search field:
0xE5170CE8
Make sure to prefix the hex key ID with 0x so the keyserver treats it as a hex key ID and not as a text search string.
3) Update the expiration date of a key:
- List your keys:
$ gpg2 --list-keys
/data/home/rchapin/.gnupg/pubring.gpg
-------------------------------------
pub 4096R/E5170CE8 2015-03-26 [expires: 2019-03-14]
uid Ryan Chapin <rchapin@nbinteractive.com>
sub 4096R/-------- 2015-03-26 [expires: 2019-03-14]
- Edit the key:
$ gpg2 --edit-key E5170CE8
- Select the key to edit, and then run the expire command. Choose the amount of time after which the key will expire and follow the prompts to enter your passphrase.
gpg> key 0
gpg> expire
Changing expiration time for the primary key.
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 13m
Key expires at Thu 14 Mar 2019 08:42:22 AM EDT
Is this correct? (y/N) y
You need a passphrase to unlock the secret key for
user: "Ryan Chapin <rchapin@nbinteractive.com>"
4096-bit RSA key, ID E5170CE8, created 2015-03-26
- Select the sub-key (key 1) and repeat the expire process
- Save the key
gpg> save
- Send the updated key to a keyserver
$ gpg2 --keyserver hkps://hkps.pool.sks-keyservers.net --send-keys E5170CE8
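Since the notes above rely on a calendar reminder to catch the expiration date set in step 3, here is an added shell example (not from the original notes) that derives the same warning from the machine-readable output of `gpg2 --list-keys --with-colons`. The sample output, the key IDs in it and the 30-day warning threshold are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the original notes): check how close a key is to the
# expiration date set in step 3, so the calendar reminder can be automated.
# It reads the machine-readable form of `gpg2 --list-keys --with-colons`, where
# field 5 is the key ID and field 7 the expiration as Unix epoch seconds
# (GnuPG 2.x; assumption: older versions print YYYY-MM-DD in that field instead).

# Constructed sample output standing in for a real keyring; the key IDs, the uid
# hash and the e-mail are placeholders, and the expiration is 2019-03-14 00:00 UTC.
SAMPLE_COLONS='pub:u:4096:1:1111AAAA2222BBBB:1427328000:1552521600::u:::scESC::::::23::0:
uid:u::::1427328000::0000000000000000000000000000000000000000::Example User <user@example.invalid>::::::::::0:
sub:u:4096:1:3333CCCC4444DDDD:1427328000:1552521600:::::e::::::23:'

# days_until_expiry KEYID NOW_EPOCH  (colons output on stdin)
# Prints the whole days left for that primary key (negative once expired),
# "none" if it never expires, or "not-found" if the key ID is absent.
days_until_expiry() {
    awk -F: -v id="$1" -v now="$2" '
        $1 == "pub" && $5 == id {
            found = 1
            if ($7 == "") print "none"; else print int(($7 - now) / 86400)
            exit
        }
        END { if (!found) print "not-found" }'
}

# expiry_status KEYID NOW_EPOCH [WARN_DAYS]  (colons output on stdin)
# Prints ok, renew-soon (fewer than WARN_DAYS left), expired, none or not-found.
expiry_status() {
    awk -F: -v id="$1" -v now="$2" -v warn="${3:-30}" '
        $1 == "pub" && $5 == id {
            found = 1
            if ($7 == "") print "none"
            else if ($7 < now) print "expired"
            else if (($7 - now) / 86400 < warn) print "renew-soon"
            else print "ok"
            exit
        }
        END { if (!found) print "not-found" }'
}

# Stand-alone use against the real keyring, warning 30 days out:
# gpg2 --list-keys --with-colons | awk -F: '$1=="pub"{print $5}' | while read -r id; do
#     printf '%s %s\n' "$id" "$(gpg2 --list-keys --with-colons "$id" | expiry_status "$id" "$(date +%s)" 30)"
# done
printf '%s\n' "$SAMPLE_COLONS" | expiry_status 1111AAAA2222BBBB 1550000000 30
```

Run from cron or a login script; anything other than "ok" is the cue to go through step 3 and re-send the key.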