rotating encryption sub keys

David Shaw dshaw at
Fri Aug 28 03:49:22 CEST 2009

On Aug 27, 2009, at 6:03 PM, Joseph Oreste Bruni wrote:

> Would it be considered a best practice to rotate encryption subkeys  
> on an annual basis, or would that be considered overkill for most  
> uses?

It depends on what you're trying to do. :)

> I realize that messages are encrypted using ephemeral session keys  
> which in turn are encrypted with public keys. Considering the small  
> amount of data (i.e. sessions keys) being encrypted using public  
> keys, are ciphertext attacks really even feasible?

Not really, no.  I wouldn't rotate encryption keys for that reason,  
but there are other reasons that might be more useful for you.  For  
example, if, when you make a new subkey, you also destroy the old one,  
you give yourself forward security.  All messages that were encrypted  
to the earlier key cannot be decrypted by anyone (including you).  At  
an extreme, you could use a new encryption subkey per-message  
(something which the keyserver operators would no doubt be thrilled  
about).  This is not generally useful, though, as most people do want  
the ability to go back and review their old messages.

Incidentally, there have been proposals to add forward security  
extensions to OpenPGP.  See


More information about the Gnupg-users mailing list