Blog | G5 Cyber Security

Change GPG Key Expiration Date

TL;DR

You can’t directly change the expiration date of a key after it’s been sent to a key server. You need to create a new key with the desired expiration date and revoke the old one. This guide explains how.

How to Change Your GPG Key Expiration Date

  1. Generate a New Key
    • Use the gpg --full-generate-key command.
    • When prompted, choose the key type (RSA and RSA is generally fine).
    • Set a new expiration date that matches your needs. Pay attention to this step! You can specify a validity period such as ‘1y’ for one year or ‘5y’ for five years, or ‘0’ for a key that never expires (not recommended).
    • Provide your name, email address and comment.
    • Set a strong passphrase.

    Example:

    gpg --full-generate-key
  2. List Your Keys
    • After generating the new key, list your keys to find their IDs.
    • Use gpg --list-secret-keys --keyid-format long.
    • Note down both the old and new key IDs – you’ll need them later.

    Example:

    gpg --list-secret-keys --keyid-format long
  3. Revoke Your Old Key
    • This is crucial. Revoking tells others your old key should no longer be trusted.
    • Create a revocation certificate: gpg --output revoke.asc --gen-revoke <old_key_id> (replace <old_key_id> with the actual ID).
    • Distribute the revoke.asc file to key servers. You can use gpg --send-keys <old_key_id> after importing the certificate into your own keyring with gpg --import revoke.asc (otherwise the uploaded key will not carry the revocation), but it’s better to upload the revocation certificate directly.

    Example:

    gpg --output revoke.asc --gen-revoke ABCDEF1234567890
  4. Upload Your New Key
    • Send your new key to the key servers: gpg --send-keys <new_key_id>. This makes it available for others to use.

    Example:

    gpg --send-keys 1234567890ABCDEF
  5. Verify the Revocation
    • Check that your old key is marked as revoked on key servers. You can use websites like Keybase or the MIT PGP key server to search for your keys and check their status.
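For steps 2 and 5, here is an added Python example (not from the original post) that parses the output of gpg --list-secret-keys --keyid-format long, picks out each primary key ID, and reports whether the key is revoked, expired, about to expire, or set to never expire. The listing it runs on is a constructed sample, not a real keyring; the 30-day warning window is an assumption.

```python
import re
from datetime import date, timedelta
# Constructed sample of `gpg --list-secret-keys --keyid-format long` output (not a
# real keyring): a revoked old key, a new key with a one-year expiry, one never expiring.
SAMPLE_LISTING = """\
sec   rsa4096/ABCDEF1234567890 2019-03-01 [SC] [revoked: 2024-05-01]
      0123456789ABCDEF0123456789ABCDEF12345678
uid                 [ revoked] Alice Example <alice@example.org>

sec   rsa4096/1234567890ABCDEF 2024-05-01 [SC] [expires: 2025-05-01]
      89ABCDEF0123456789ABCDEF0123456789ABCDEF
uid                 [ultimate] Alice Example <alice@example.org>
ssb   rsa4096/FEDCBA0987654321 2024-05-01 [E] [expires: 2025-05-01]

sec   ed25519/0F0F0F0F0F0F0F0F 2023-06-15 [SC]
uid                 [ultimate] Alice Example <alice@example.org>
"""

# Primary-key lines only (sec/pub); subkey lines (ssb/sub) are deliberately skipped.
PRIMARY_RE = re.compile(
    r"^(?:sec|pub)\s+(?P<algo>\S+)/(?P<keyid>[0-9A-F]{16})\s+(?P<created>\d{4}-\d{2}-\d{2})"
    r"\s+\[[A-Z]+\](?:\s+\[(?P<state>expires|expired|revoked): (?P<when>\d{4}-\d{2}-\d{2})\])?"
)

def parse_primary_keys(listing):
    """One dict per primary key: algo, keyid, created, state, when (expiry/revocation date)."""
    keys = []
    for m in filter(None, map(PRIMARY_RE.match, listing.splitlines())):
        rec = m.groupdict()
        rec["created"] = date.fromisoformat(rec["created"])
        rec["when"] = date.fromisoformat(rec["when"]) if rec["when"] else None
        keys.append(rec)
    return keys

def key_status(key, today, warn_days=30):
    """Classify one parsed key relative to `today`; 'expiring-soon' means rotate now."""
    if key["state"] == "revoked":
        return "revoked"
    if key["when"] is None:
        return "never-expires"  # the '0' choice the post warns against
    if key["state"] == "expired" or key["when"] <= today:
        return "expired"
    if key["when"] - today <= timedelta(days=warn_days):
        return "expiring-soon"
    return "valid"

def audit(listing, today_iso):
    """Map every primary key ID in a listing to its status on the given YYYY-MM-DD date."""
    today = date.fromisoformat(today_iso)
    return {k["keyid"]: key_status(k, today) for k in parse_primary_keys(listing)}
```

Pipe a real listing in with subprocess.run(["gpg", "--list-secret-keys", "--keyid-format", "long"], capture_output=True, text=True).stdout to audit your own keyring.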

Important Considerations
