Creating PGP Keys, Updating Their Expiration Date, and Posting Them

Following are some of my notes and how-tos on creating and managing PGP keys.

Here is a link to a website with some very good information and best practices for managing keys:
https://help.riseup.net/en/security/message-security/openpgp/best-practices

Most of this article deals with setting the expiration date of a key pair to a reasonable interval and with extending that date as time goes by.  Extending the expiration only adds a new self-signature to the existing key; you keep the same key pair and the same fingerprint, so nobody who already has your key needs to re-verify it.  Separately from creating and publishing your public key, set a reminder in whatever calendar system you use to extend the expiration date a couple of weeks BEFORE the key actually expires.  I typically set my keys to expire in 13 months and set my calendar to remind me after 12 or so months.  Once a key has expired, correspondents who already hold a copy will refuse to encrypt to it until they fetch the refreshed one, so republishing the updated key (step 3) is part of the renewal, not an afterthought.

1) Creating a key pair and distributing your public key:

As mentioned, when prompted, set a reasonable expiration time.  Also generate a revocation certificate right away (gpg's --gen-revoke option) and store it somewhere safe and offline: it is the only way to mark the key as withdrawn if you later lose the secret key or its passphrase.  See the aforementioned link for details.

- To create a key:
$ gpg2 --gen-key
(On GnuPG 2.1 and later, --gen-key picks defaults without asking for the algorithm, key size or expiration; use --full-gen-key to get the interactive prompts.)

- List keys:
$ gpg2 --list-keys
/data/home/rchapin/.gnupg/pubring.gpg
-------------------------------------
pub   4096R/E5170CE8 2015-03-26 [expires: 2019-03-14]
uid                  Ryan Chapin <rchapin@nbinteractive.com>
sub   4096R/-------- 2015-03-26 [expires: 2019-03-14]

- Distribute your public key (use hkps so the transfer is encrypted and the server is authenticated):
$ gpg2 --keyserver hkps://hkps.pool.sks-keyservers.net --send-keys E5170CE8
The sks-keyservers.net pool has since been shut down, so substitute a keyserver that is still running.  Sending by the full 40-digit fingerprint rather than the 8-digit short ID avoids any ambiguity about which key is uploaded.

2) Searching for keys and verifying that they have been posted to a public keyserver:

- List your keys
$ gpg2 --list-keys
/data/home/rchapin/.gnupg/pubring.gpg
-------------------------------------
pub   4096R/E5170CE8 2015-03-26 [expires: 2019-03-14]
uid                  Ryan Chapin <rchapin@nbinteractive.com>
sub   4096R/-------- 2015-03-26 [expires: 2019-03-14]

E5170CE8 is the short (32-bit) key ID of the primary key, and 4096R means a 4096-bit RSA key.  A short ID is only the last 8 hex digits of the fingerprint and is not unique: other keys with the same short ID can be generated deliberately, so whenever you name your key to someone (in a signature block, on a card, or when uploading it) give the full 40-hex-digit fingerprint, which gpg2 prints with the --fingerprint option.

- Searching for the key:
To search for the key through a keyserver web interface such as https://pgp.mit.edu/, enter the following in the search field:

  0xE5170CE8

Prefix the hex value with 0x so the keyserver treats it as a key ID rather than as a text search.  Once the key is found, confirm it is really yours by comparing the full fingerprint shown by the server with the one in your keyring, not just the 8-digit ID.

3) Update the expiration date of a key:

- List your keys
$ gpg2 --list-keys
/data/home/rchapin/.gnupg/pubring.gpg
-------------------------------------
pub   4096R/E5170CE8 2015-03-26 [expires: 2019-03-14]
uid                  Ryan Chapin <rchapin@nbinteractive.com>
sub   4096R/-------- 2015-03-26 [expires: 2019-03-14]

- Edit the key:
$ gpg2 --edit-key E5170CE8

- Select the key to edit and run the expire command.  key 0 deselects all subkeys, so expire then applies to the primary key.  Choose how long the key should remain valid (the interval is measured from now, not from the old expiration date) and follow the prompts to enter your passphrase.

gpg> key 0
gpg> expire
Changing expiration time for the primary key.
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 13m
Key expires at Thu 14 Mar 2019 08:42:22 AM EDT
Is this correct? (y/N) y

You need a passphrase to unlock the secret key for
user: "Ryan Chapin <rchapin@nbinteractive.com>"
4096-bit RSA key, ID E5170CE8, created 2015-03-26

- Select the subkey with key 1 and repeat the expire command for it.  Do not skip this: encryption to you is done with the subkey, so if only the primary key is extended, correspondents will still be unable to encrypt to you once the subkey's old expiration date passes.

– Save the key
gpg> save

- Send the updated key to a keyserver (the same caveats as in step 1 apply: the sks-keyservers pool is gone, and the full fingerprint is the unambiguous way to name the key):
$ gpg2 --keyserver hkps://hkps.pool.sks-keyservers.net --send-keys E5170CE8

- Or export the ASCII-armored public key to a file and upload it through the web form of a keyserver you trust, over https:

$ gpg2 --armor --export <your-email-address> > pubkey.asc
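The reminder from the introduction and the renewal in step 3, as an added example rather than the post's own commands: a POSIX shell script that reads GnuPG's machine-readable key listing (gpg2 --list-keys --with-colons, where field 1 is the record type, field 5 the key ID and field 7 the expiration as seconds since the epoch, empty when the key never expires) and reports every primary key and subkey that has expired or will expire within a given number of days, so a cron job can do what the calendar entry does by hand.  It also carries a guarded renew_key function, the non-interactive equivalent of the edit-key session above using --quick-set-expire (GnuPG 2.2 and later), which extends the primary key and all subkeys and republishes.  The key IDs, fingerprints, user ID and timestamps in SAMPLE_LISTING are constructed; the KEYSERVER default of hkps://keys.openpgp.org is an assumption (the sks-keyservers pool used in the post no longer exists); nothing touches a real keyring unless you set CHECK_LIVE_KEYRING=1 or call renew_key yourself.

```shell
#!/bin/sh
# Added example (not from the original post): a key-expiry check over GnuPG's
# --with-colons listing, plus a non-interactive renewal helper.
# All identifiers in SAMPLE_LISTING are constructed; KEYSERVER is an assumption.

KEYSERVER="${KEYSERVER:-hkps://keys.openpgp.org}"

# Constructed sample in --with-colons format: a key created 2015-03-26 that
# expires 2019-03-14 (same dates as the post's key), a key that expired in
# July 2017, and a key with no expiration date at all.
SAMPLE_LISTING='pub:u:4096:1:5A1B2C3D4E5F6071:1427328000:1552521600::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF5A1B2C3D:
uid:u::::1427328000::::Example User <user@example.com>::::::::::0:
sub:u:4096:1:0011223344556677:1427328000:1552521600:::::e::::::23:
pub:e:2048:1:89ABCDEF01234567:1420070400:1500000000::u:::scESC::::::23::0:
sub:e:2048:1:7766554433221100:1420070400:1500000000:::::e::::::23:
pub:u:4096:1:FEDCBA9876543210:1420070400:::u:::scESC::::::23::0:'

# expiring_keys NOW_EPOCH THRESHOLD_DAYS < listing
# Prints one line per pub/sub record: "<type> <keyid> <status> <days>", where
# status is expired, expiring (within THRESHOLD_DAYS), ok or never.
expiring_keys() {
    awk -F: -v now="$1" -v threshold="$2" '
        $1 == "pub" || $1 == "sub" {
            expiry = $7
            if (expiry == "") {
                print $1, $5, "never", "-"
                next
            }
            # GnuPG documents a possible ISO 8601 form ("20190314T000000");
            # flag it rather than silently miscomputing.
            if (index(expiry, "T") > 0) {
                print $1, $5, "unparsed", expiry
                next
            }
            days = int((expiry - now) / 86400)
            if (expiry <= now)          status = "expired"
            else if (days <= threshold) status = "expiring"
            else                        status = "ok"
            print $1, $5, status, days
        }'
}

# has_expiring NOW_EPOCH THRESHOLD_DAYS < listing
# Exit 0 when at least one key is expired or about to expire (cron-friendly).
has_expiring() {
    expiring_keys "$1" "$2" |
        awk '$3 == "expired" || $3 == "expiring" { found = 1 }
             END { exit found ? 0 : 1 }'
}

# renew_key FINGERPRINT [VALIDITY]
# Non-interactive equivalent of step 3 for GnuPG 2.2+: set a new expiration on
# the primary key, then on every non-revoked subkey ("*"), then republish.
# Never run by default; call it yourself with your own full fingerprint.
renew_key() {
    fpr=$1
    validity=${2:-13m}
    gpg2 --quick-set-expire "$fpr" "$validity" &&
    gpg2 --quick-set-expire "$fpr" "$validity" '*' &&
    gpg2 --keyserver "$KEYSERVER" --send-keys "$fpr"
}

# Report on the constructed sample as of 2019-03-07 (epoch 1552000000),
# warning 30 days ahead: the first key and its subkey show "expiring 6".
printf '%s\n' "$SAMPLE_LISTING" | expiring_keys 1552000000 30

# Same report against the real keyring, only when explicitly requested.
if [ "${CHECK_LIVE_KEYRING:-0}" = 1 ]; then
    gpg2 --list-keys --with-colons | expiring_keys "$(date +%s)" 30
fi
```

Run it as-is to see the report on the sample; with CHECK_LIVE_KEYRING=1 it reports on your own keyring, and that line is what belongs in a cron job.  has_expiring exits 0 only when something needs attention, so an alert can hang off it directly with && and whatever notification command you use.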
