Creating, Updating Expiration of and Posting PGP Keys

Following are my notes and how-tos on creating and managing PGP keys.

Here is a link to a website with some very good information and best practices for managing keys.

Most of this article deals with setting the expiration date on a set of keys to a reasonable time and how you can extend that expiration as time goes by.  Set a reminder in whatever calendar system you use so that you update the expiration date a couple of weeks BEFORE the key actually expires.  I typically set my keys to expire in 13 months and set my calendar to remind me after 12 or so months.
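A calendar reminder is only as good as the date you typed into it, so it helps to also check the keyring itself.  The following script is an added example (not part of the original notes): it parses the machine-readable output of gpg2 --list-keys --with-colons and flags every primary key and sub-key that expires within a given number of days.  The sample listing embedded in it is constructed, with made-up key IDs and dates.

```shell
#!/usr/bin/env bash
# Parses the machine-readable listing from:  gpg2 --list-keys --with-colons
# Record layout (GnuPG doc/DETAILS): field 1 = record type (pub/sub),
# field 5 = key ID, field 7 = expiration as seconds since the epoch
# (empty when the key never expires). GnuPG 1.x printed YYYY-MM-DD instead.
set -eu

# Constructed sample listing; key IDs and dates are made up, not real keys.
# AAAA../BBBB.. expire in March 2019, CCCC.. never expires, DDDD.. is expired.
SAMPLE_LISTING='tru::1:1550000000:0:3:1:5
pub:u:4096:1:AAAAAAAAAAAAAAAA:1427328000:1552579342::u:::scESC::::::23::0:
uid:u::::1427328000::0123456789ABCDEF0123456789ABCDEF01234567::Example User <user@example.com>::::::::::0:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1427328000:1552579342:::::e::::::23:
pub:u:4096:1:CCCCCCCCCCCCCCCC:1427328000:::u:::scESC::::::23::0:
pub:e:4096:1:DDDDDDDDDDDDDDDD:1427328000:1549000000::u:::scESC::::::23::0:'

# keys_expiring_within NOW WINDOW_DAYS
# Reads a colon listing on stdin and prints "<type> <keyid> <days-left>" for
# every pub/sub record whose expiration is at most WINDOW_DAYS after NOW
# (epoch seconds). Already-expired keys show a negative or zero day count.
keys_expiring_within() {
  local now="$1" window_days="$2"
  awk -F: -v now="$now" -v window="$window_days" '
    ($1 == "pub" || $1 == "sub") && $7 != "" {
      days_left = int(($7 - now) / 86400)
      if (days_left <= window) printf "%s %s %d\n", $1, $5, days_left
    }'
}

# Against a live keyring, run:
#   gpg2 --list-keys --with-colons | keys_expiring_within "$(date +%s)" 30
# Here it runs on the constructed sample with "now" pinned to 2019-02-12.
printf '%s\n' "$SAMPLE_LISTING" | keys_expiring_within 1550000000 30
```

Drop the live-keyring pipeline into a cron job that mails you the output and the reminder no longer depends on a calendar entry.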

Creating a key set and distributing your public key

As mentioned, when prompted, set a reasonable expiration time.  Also create a revocation certificate.  See the aforementioned link for details.

Create a key

gpg2 --gen-key

List keys

gpg2 --list-keys
/data/home/rchapin/.gnupg/pubring.gpg
-------------------------------------
pub   4096R/E5170CE8 2015-03-26 [expires: 2019-03-14]
uid                  Ryan Chapin <rchapin@nbinteractive.com>
sub   4096R/-------- 2015-03-26 [expires: 2019-03-14]

Distribute Public Key (use hkps, encrypted connection)

gpg2 --keyserver hkps://hkps.pool.sks-keyservers.net --send-keys E5170CE8

Searching for keys and verifying that they have been posted to a public keyserver

List your keys

gpg2 --list-keys
/data/home/rchapin/.gnupg/pubring.gpg
-------------------------------------
pub   4096R/E5170CE8 2015-03-26 [expires: 2019-03-14]
uid                  Ryan Chapin <rchapin@nbinteractive.com>
sub   4096R/-------- 2015-03-26 [expires: 2019-03-14]

The key ID of this user's public key is E5170CE8.  The 4096R indicates a 4096-bit RSA key.

Searching for the key

To search for the key on a key server such as https://pgp.mit.edu/, enter the following as the search string

0xE5170CE8

Make sure to prefix the hex value of the key ID with 0x to indicate to the keyserver that it is a hex value and not an ASCII string.

Update the expiration date of a key

List your keys

gpg2 --list-keys
/data/home/rchapin/.gnupg/pubring.gpg
-------------------------------------
pub   4096R/E5170CE8 2015-03-26 [expires: 2019-03-14]
uid                  Ryan Chapin <rchapin@nbinteractive.com>
sub   4096R/-------- 2015-03-26 [expires: 2019-03-14]

Edit the key

gpg2 --edit-key E5170CE8

Select the key to edit, and then run the expire command

Select the amount of time after which the key will expire and follow the prompts to enter your passphrase.

gpg> key 0
gpg> expire
Changing expiration time for the primary key.
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 13m
Key expires at Thu 14 Mar 2019 08:42:22 AM EDT
Is this correct? (y/N) y
You need a passphrase to unlock the secret key for
user: "Ryan Chapin <rchapin@nbinteractive.com>"
4096-bit RSA key, ID E5170CE8, created 2015-03-26

Select the sub-key (key 1) and repeat the expire command for it

Save the key

gpg> save

Send the updated key to a keyserver

gpg2 --keyserver hkps://hkps.pool.sks-keyservers.net --send-keys E5170CE8

Or you can export your ASCII-armored public key and upload it via a trusted https keyserver.

gpg2 --armor --export <your-email-address> > <your-uid>.asc

Then you can upload it via a web interface similar to this one.
