
Deprecating OpenPGP Subkeys

TL;DR

When switching to a new OpenPGP subkey, don't just create the new one! Properly deprecate the old subkeys by revoking them inside your key and re-publishing the key to the key servers, so that nobody keeps encrypting to, or trusting fresh signatures from, a subkey you have retired. Note that subkeys are revoked with the revkey command in gpg --edit-key, never with gpg --gen-revoke, which revokes your entire key.

Step-by-step Guide

  1. Generate Your New Subkey: Use GnuPG (GPG) or your preferred OpenPGP software to create a new subkey for signing and/or encryption. Subkeys are bound to your primary (master) key by a signature, so the secret part of the primary key must be available (for example on its offline medium or smart card) for this step.
    gpg --edit-key YOUR_MASTER_KEY_ID
    > addkey
    > save
    
    addkey asks for the subkey type (sign only, encrypt only, or custom capabilities), the key size or curve, and an expiry date, then signs the binding with the primary key. Giving the new subkey an expiry date makes the next rotation easier.

  2. Verify the New Subkey: Check that the new subkey is listed alongside your existing ones, with the capabilities ([S], [E], [A]) and expiry you intended.
    gpg --list-keys --with-subkey-fingerprint YOUR_EMAIL_ADDRESS
    
  3. Revoke Old Subkeys: This is crucial, and it is done inside --edit-key, not with --gen-revoke. gpg --gen-revoke always produces a revocation certificate for the whole key (primary key and every subkey), even when you pass it a subkey ID, so using it here would kill your entire key. Instead, select each old subkey by its index in the listing shown at the prompt and revoke it:
    gpg --edit-key YOUR_MASTER_KEY_ID
    > key 1
    > revkey
    > save
    

    Select the subkey first: with nothing selected, revkey offers to revoke the entire key. gpg then asks for a reason; choose 2 (key is superseded) or 3 (key is no longer used) for a planned rotation, and keep 1 (key has been compromised) for an actual compromise, since some software treats the two differently. Repeat with key N for every subkey you are replacing (several can be selected before a single revkey), then confirm with gpg --list-keys that the old subkeys are marked [revoked] (validity r in --with-colons output).

  4. Upload the Updated Key to Key Servers: A subkey revocation is a signature stored inside your key, not a separate file, so you publish the whole key again. --send-keys takes key IDs, not file names.
    gpg --keyserver hkps://keyserver.ubuntu.com --send-keys YOUR_MASTER_KEY_ID
    

    Current key servers do not synchronize with one another, so repeat the upload for every server your contacts use (for example hkps://keys.openpgp.org).

  5. Keep the Old Subkeys in Your Keyring: Do not run gpg --delete-key on a subkey ID. --delete-key removes the whole public key (primary key and all subkeys) from your keyring, and removing a revoked subkey from your own copy would also drop the revocation you have just published. Leave the revoked subkeys in place: gpg will not pick a revoked subkey for new signatures or new encryption, your old signatures stay verifiable, and keeping the secret part of a revoked encryption subkey is what lets you decrypt mail that was sent to it.

  6. Refresh Your Copy from the Key Servers: After publishing, fetch your own key back to confirm that the servers now carry the revocations (this also merges anything, such as new certifications, that others may have uploaded in the meantime).
    gpg --keyserver hkps://keyserver.ubuntu.com --recv-keys YOUR_MASTER_KEY_ID
    gpg --list-keys YOUR_MASTER_KEY_ID
    

    (Replace hkps://keyserver.ubuntu.com with your preferred key server.)

  7. Inform Contacts: Let people you regularly communicate with know about the change. Their software only sees the revocation once they fetch your key again (gpg --refresh-keys), so ask them to do so.
  8. Test Your New Setup: Send and receive encrypted and signed messages using your new subkey to confirm everything is working. Running gpg --list-packets on a ciphertext shows the key ID it was encrypted to, which should be the new subkey, never the revoked one.
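
To run the procedure above end to end without touching a real key, here is an added example script (not from the original post) that performs the rotation non-interactively in a throwaway GNUPGHOME: it creates a test key with one encryption subkey, adds a replacement, revokes the old subkey with reason 2 (superseded) by feeding the edit-key prompts through --command-fd, exports the key you would upload, and then checks with --with-colons that the old subkey now carries validity r and with --list-packets that a fresh encryption goes to the new subkey. It assumes GnuPG 2.1 or later (gpg and gpgconf on PATH); the identity and message are constructed test data and nothing is sent to a key server.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: rotate an OpenPGP encryption
# subkey non-interactively in a throwaway keyring and verify the result.
# Assumes GnuPG 2.1+ (gpg, gpgconf). Identity and message are constructed
# test data; nothing touches ~/.gnupg or a key server.
set -eu

# Common flags for every step that needs the (empty, unprotected) passphrase.
gpgb() { gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }

# Primary fingerprint for a user ID: field 10 of the first "fpr" record.
primary_fpr() {
  gpg --with-colons --list-keys "$1" | awk -F: '$1=="fpr"{print $10; exit}'
}

# One line per subkey, in creation order: "<validity> <keyid>"
# (colon fields 2 and 5). Validity "r" means revoked.
subkeys() {
  gpg --with-colons --list-keys "$1" | awk -F: '$1=="sub"{print $2, $5}'
}

# Revoke subkey number $2 of key $1 with reason 2 (superseded). These are the
# same answers you would type at the prompt: key N / revkey / y / 2 /
# (empty description) / y / save. Selecting the subkey first matters:
# revkey with nothing selected offers to revoke the entire key.
revoke_subkey() {
  printf 'key %s\nrevkey\ny\n2\n\ny\nsave\n' "$2" |
    gpgb --command-fd 0 --status-fd 2 --edit-key "$1" >/dev/null 2>&1
}

# Encrypt a constructed message to key $1 and report which subkey gpg used:
# the keyid in the public-key-encrypted session key packet.
subkey_used_for_encryption() {
  printf 'test message\n' |
    gpg --batch --yes --trust-model always --encrypt --recipient "$1" |
    gpg --batch --list-packets 2>/dev/null |
    awk '/pubkey enc packet/ { sub(/.*keyid /, ""); print; exit }'
}

# Whole rotation in a fresh GNUPGHOME. Prints three lines:
#   "<validity> <keyid>" for the old subkey (expect r)
#   "<validity> <keyid>" for the new subkey (expect anything but r)
#   keyid actually used for a new encryption (expect the new subkey)
rotate_demo() {
  uid="Rotation Test <rotation@example.invalid>"   # constructed identity
  export GNUPGHOME
  GNUPGHOME="$(mktemp -d)"
  chmod 700 "$GNUPGHOME"

  # Starting state: certify-only primary key plus one encryption subkey.
  gpgb --quick-gen-key "$uid" ed25519 cert never >/dev/null 2>&1
  fpr="$(primary_fpr "$uid")"
  gpgb --quick-add-key "$fpr" cv25519 encr 1y >/dev/null 2>&1

  # Step 1: add the replacement encryption subkey (it becomes subkey 2).
  gpgb --quick-add-key "$fpr" cv25519 encr 1y >/dev/null 2>&1

  # Step 3: revoke the old subkey (subkey 1) rather than deleting it.
  revoke_subkey "$fpr" 1

  # Step 4 would be: gpg --send-keys "$fpr". Exported to a file here so the
  # demo stays offline; this armored block is what a key server would get.
  gpg --batch --armor --export "$fpr" > "$GNUPGHOME/to-publish.asc"

  # Checks: old subkey flagged r, new one valid, encryption picks the new one.
  subkeys "$fpr"
  subkey_used_for_encryption "$fpr"

  gpgconf --kill gpg-agent >/dev/null 2>&1 || true
  rm -rf "$GNUPGHOME"
}

if command -v gpg >/dev/null 2>&1; then
  rotate_demo
else
  echo "gpg not found; install GnuPG 2.1+ to run this demo" >&2
fi
```

Run it with bash; the third output line should equal the key ID on the second line, and the first line should start with r. On a real key, drop the generation steps, put your own fingerprint in fpr, pick the right index for key N from the --edit-key listing, and replace the --export with --send-keys to each server your contacts use.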

Important Considerations

  • Master Key Security: Always protect your primary (master) key! Keep it offline in a secure location and do your day-to-day work with the subkeys only (gpg --export-secret-subkeys gives you a keyring that holds the secret subkeys and just a stub of the primary key). You need the primary key only to add, revoke or extend subkeys.
  • Key Server Propagation: Do not count on the network to spread the change for you. Current key servers do not synchronize with each other, so an upload reaches only the server you sent it to, and your contacts see the revocation only when they fetch your key again (gpg --refresh-keys). Upload to each server your contacts use and tell them to refresh.
  • Revoke on Suspicion: If you suspect a subkey has been compromised, revoke it immediately with reason 1 (key has been compromised) and publish the updated key, then create a replacement.
  • Backup Your Keys: Keep backups of your primary key and of its revocation certificate (this is what gpg --gen-revoke is for: an emergency certificate that revokes the whole key if the primary key itself is lost or compromised) in a safe place.