Blog | G5 Cyber Security

Deprecating OpenPGP Subkeys

G5 Cyber Security

TL;DR

When switching to a new OpenPGP subkey pair, don’t just create the new one! Properly deprecate your old subkeys by revoking them and informing key servers. This keeps your communications secure and prevents confusion.

Step-by-step Guide

  1. Generate Your New Subkey Pair: Use GnuPG (GPG) or your preferred OpenPGP software to create a new subkey pair for signing and/or encryption. Ensure it’s created from your master key. 
    gpg --edit-key YOUR_MASTER_KEY_ID
> gensubkey
  2. Verify the New Subkey: Check that the new subkey is correctly listed with your other keys. 
    gpg --list-keys YOUR_EMAIL_ADDRESS
  3. Revoke Old Subkeys: This is crucial! Create a revocation certificate for each old subkey you’re replacing. 
    gpg --output revoke-subkey1.asc --gen-revoke SUBKEY_ID_1
gpg --output revoke-subkey2.asc --gen-revoke SUBKEY_ID_2

    Replace SUBKEY_ID_1 and SUBKEY_ID_2 with the actual key IDs of your old subkeys.

  4. Upload Revocations to Key Servers: Send each revocation certificate to key servers. This tells others that these keys are no longer valid. 
    gpg --send-keys revoke-subkey1.asc
gpg --send-keys revoke-subkey2.asc
  5. Remove Old Subkeys from Your Local Keyring: Delete the old subkeys from your local keyring to avoid accidental use. 
    gpg --delete-key SUBKEY_ID_1
gpg --delete-key SUBKEY_ID_2
  6. Update Your Trusted Key Servers: After removing the keys locally, update your key server records. This ensures consistency. 
    gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys YOUR_MASTER_KEY_ID
gpg --send-key YOUR_MASTER_KEY_ID

    (Replace hkps://keyserver.ubuntu.com with your preferred key server.)

  7. Inform Contacts: Let people you regularly communicate with know about the change. They may need to update their keyrings.
  8. Test Your New Setup: Send and receive encrypted/signed messages using your new subkey pair to confirm everything is working correctly.

Important Considerations

Exit mobile version