Using subkeys to renew an expiring key

David Shaw dshaw at jabberwocky.com
Tue Aug 29 18:09:23 CEST 2006


On Mon, Aug 28, 2006 at 03:22:23PM -0500, SeidlS at schneider.com wrote:
> 
> I have been working on a process to encrypt data files and send them to other
> organizations for processing.  As part of this process, we decided to set
> our key to expire every year.  Last year we did not act before the key
> expired and that same day added an additional subkey that would expire in
> September, 2006.  We are now trying to be proactive and work to "renew"
> the key and distribute it before it expires.

It's not clear what you mean by "set our key to expire every year".
Are you expiring your whole key, or just the additional subkey?

> I have two questions regarding how to "renew" this key.
> 1) Is the correct way to renew the key to add another subkey that expires
> in September, 2007, or is there a better way?

Your choice.  You can extend the expiration of your subkey if you
like.  If the reason you used a 1-year expiration was to limit the use
of the key, then sure, make a new subkey.

> 2) If we do add another subkey that expires in September, 2007, how well
> will the two subkeys work together?  It's going to be difficult to get
> everyone to convert to the updated key in the same day, so we won't be able
> to revoke the subkey at the same time we generate the new one.  Another
> way to say this: we may be encrypting a file with the subkey added, while
> one or more organizations may be using the old key (without the new subkey)
> and one or more organizations may be using the new key (with the new
> subkey).  Will this work correctly?

There is a flaw in this question.  Why are you revoking a subkey that
will expire?  After September, 2006, the older subkey won't work.

David
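To make the subkey-overlap question concrete, here is an added example (not code from the original thread, and not part of GnuPG itself) that parses the machine-readable output of `gpg --with-colons --list-keys` and reports, for a given point in time, which encryption subkeys an encrypter could still use, which one GnuPG would pick, and which keys a renewal process should be acting on. The field positions follow GnuPG's DETAILS document as I know them (field 1 type, 2 validity, 5 key ID, 6 creation, 7 expiration, 12 capabilities, all epoch seconds). The listing is constructed for the scenario above: a primary key, an encryption subkey expiring 2006-09-01 and a newer one expiring 2007-09-01; key IDs and fingerprints are made up.

```python
"""Parse `gpg --with-colons --list-keys` output and report which encryption
subkeys are usable at a given moment, plus which ones are about to expire.
Added example; not code from the original post or from GnuPG."""
import time
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample listing (made-up key IDs / fingerprints) for the thread's
# scenario: a primary key, an encryption subkey that expires 2006-09-01 and a
# newer encryption subkey added on 2006-08-28 that expires 2007-09-01.
SAMPLE_LISTING = """\
tru::1:1156867740:0:3:1:5
pub:u:2048:17:0123456789ABCDEF:1125000000:::u:::scESC::::::23::0:
fpr:::::::::000000000000000000000000123456789ABCDEF:
uid:u::::1125000000::0000000000000000000000000000000000000000::Example Org <keys at example.invalid>::::::::::0:
sub:u:2048:16:FEDCBA9876543210:1125000000:1157068800:::::e::::::23:
sub:u:2048:16:1122334455667788:1156800000:1188604800:::::e::::::23:
"""


@dataclass
class KeyRecord:
    kind: str               # "pub" or "sub"
    keyid: str
    validity: str           # gpg validity letter (u, f, e, r, - ...)
    created: int            # epoch seconds
    expires: Optional[int]  # epoch seconds, None when the key never expires
    caps: str               # capability letters, e.g. "e", "s", "scESC"


def parse_listing(text: str) -> List[KeyRecord]:
    """Extract pub/sub records from colon-delimited gpg output.

    Field positions (1-based, per GnuPG's DETAILS document): 1 type,
    2 validity, 5 key ID, 6 creation, 7 expiration, 12 capabilities.
    """
    records = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] not in ("pub", "sub") or len(fields) < 12:
            continue
        records.append(KeyRecord(
            kind=fields[0],
            keyid=fields[4],
            validity=fields[1],
            created=int(fields[5]),
            expires=int(fields[6]) if fields[6] else None,
            caps=fields[11],
        ))
    return records


def usable_encryption_subkeys(records: List[KeyRecord], now: int) -> List[KeyRecord]:
    """Subkeys an encrypter could use at time `now`: encryption-capable,
    already created, not revoked and not yet expired."""
    return [
        r for r in records
        if r.kind == "sub"
        and "e" in r.caps
        and r.validity != "r"
        and r.created <= now
        and (r.expires is None or r.expires > now)
    ]


def preferred_encryption_subkey(records: List[KeyRecord], now: int) -> Optional[KeyRecord]:
    """GnuPG encrypts to the newest usable encryption subkey; mirror that rule."""
    usable = usable_encryption_subkeys(records, now)
    return max(usable, key=lambda r: r.created) if usable else None


def expiring_within(records: List[KeyRecord], now: int, days: int) -> List[KeyRecord]:
    """Keys and subkeys whose expiration falls inside the next `days` days,
    i.e. the ones a renewal process should be acting on."""
    horizon = now + days * 86400
    return [r for r in records if r.expires is not None and now < r.expires <= horizon]


def fmt(ts: int) -> str:
    return time.strftime("%Y-%m-%d", time.gmtime(ts))


if __name__ == "__main__":
    recs = parse_listing(SAMPLE_LISTING)
    now = 1156867740  # 2006-08-29 16:09 UTC, the date of the reply (constructed)
    for r in usable_encryption_subkeys(recs, now):
        print(f"usable encryption subkey {r.keyid}, expires {fmt(r.expires)}")
    best = preferred_encryption_subkey(recs, now)
    print(f"gpg would encrypt to subkey {best.keyid}")
    for r in expiring_within(recs, now, 30):
        print(f"renew soon: {r.kind} {r.keyid} expires {fmt(r.expires)}")
```

Run against the constructed listing at the date of the reply, both subkeys are usable and GnuPG would encrypt to the newer one; a recipient still holding the old copy of the key (without the new subkey) keeps encrypting to the 2005 subkey until 2006-09-01, after which their copy has no usable encryption subkey, which is the point made above: the old subkey needs no revocation because it simply stops being usable. For the alternative David mentions, extending the existing subkey's expiration, current GnuPG offers `gpg --edit-key <keyid>` with `key N` to select the subkey followed by `expire`, or `gpg --quick-set-expire` on the subkey fingerprint; either way the updated public key must be redistributed to every organization, exactly as with a new subkey.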
