Secret Key replacement

Joseph Oreste Bruni jbruni at
Wed Sep 2 06:41:34 CEST 2009

On Sep 1, 2009, at 10:51 AM, Seidl, Scott wrote:

> We use gnupg in an automated mode within the organization to encrypt/ 
> decrypt documents exchanged between companies.  The Key Pair we have  
> is expiring soon and I am replacing it with a new key pair.  This  
> new key would be provided to the other companies before the other  
> expires.
> I have a couple questions about the existing public keys we have  
> imported to our key ring.
> 1 – it’s my belief that I have to sign/trust each of the keys with  
> the new secret key, is that correct?
> 2 – Is there any command to do a mass sign or must I do a gpg –u  
> XXXXXXX --edit-key YYYYYYfor each key?
> 3 – What other items am I not thinking of?
> Thanks
> Scott Seidl
> seidls at

One thing you could try is implement a corporate certification-only  
key, used for certifying others' keys. You would have a second keypair  
used for signing, encryption, and conducting regular business.

Your encryption keypair could expire as normal, but your certifying  
key would not. Then you would set up your trust system to only trust  
those keys signed by your corporate certification key.

Since your certification key doesn't expire (or at least not as  
frequently), you would save yourself the trouble of having to re- 
certify all your partners' keys.


More information about the Gnupg-users mailing list