Extending Expiration dates of gnupg keys with the private key residing on a smart card

Peter Lebbing peter at digitalbrains.com
Sun Apr 30 20:32:21 CEST 2017


On 10/04/17 10:46, Johannes Graumann wrote:
> 2) Import offline master key (backup):
> gpg --import <KEYID>.master.key

- Which version of GnuPG is this? GnuPG 1.4 will not ever update the
secret part of a key, so you'll have to delete the existing copy first.
Be very careful! You're deleting a copy of your secret key, make sure
you know what you're doing. I believe this also went for 2.0 and only
2.1 can update secret keys, but I'm not sure and can't check from the
passenger seat of the car I'm in :-D.

- Note that you are negating a large part of an offline master key by
bringing it online. Usually, you'd use a different computer to do master
key operations on, a computer that doesn't have an internet connection.
If you're worried about your computer being hacked, note it usually
won't suddenly automatically become un-hacked later, it'll just stay
hacked until reinstalled. But there is no single correct answer to this.

> 3) Edit expiry of subkeys (pubkey):
> gpg --expert --edit-key <KEYID>

You shouldn't need to specify --expert to extend expiries.

> - toggle keys 1, 2, 3 (sign, encrypt, authentication)
> - expire: 1y
> - save
> 4) Remove secret master keys:
> gpg --delete-secret-keys <KEYID>

This has just removed all your private keys belonging to this
certificate, primary *and* subkeys.

> As a result the keys remain unavailable (expired?) to all means I
> intend to use them with (kmail/kgpg/kleopatra, evolution/seahorse,
> etc.).

... You /did/ just delete all keys :-).

You'll need to restore your private key from backup, and follow the
instructions you used earlier to create a subkey-only keyring.

By the way, it helps if you post the output of the commands, because we
can't see if they appear to have worked correctly. I mean the console
ones; I wouldn't start with all the effort of taking screenshots and
cropping them and uploading them to the web...



I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>
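As an added example, not code from this thread, the script below reproduces in throwaway GnuPG home directories what the reply points out: after extending a subkey's expiry, --delete-secret-keys removes the primary and subkey secrets together, whereas a subkey-only keyring made with --export-secret-subkeys keeps the subkeys and only a stub ("sec#") for the offline primary. It assumes GnuPG 2.1.22 or later on PATH (for --quick-set-expire on a subkey), no smart card, and constructs its own throwaway key, user id and directories.

```shell
#!/bin/sh
# Added example (not from the thread). Reproduces in throwaway GNUPGHOMEs what
# the reply explains: after extending a subkey's expiry, --delete-secret-keys
# removes the primary AND subkey secrets, while a subkey-only keyring made
# with --export-secret-subkeys keeps the subkeys and only a stub ("sec#") for
# the offline primary. Assumes GnuPG >= 2.1.22 on PATH, no smart card; the
# key, user id and directories are constructed here.
set -e

have_gpg() { command -v gpg >/dev/null 2>&1; }

# One word per secret key in $1 (a GNUPGHOME): "sec"/"ssb" when the secret
# material is present, "sec#"/"ssb#" when it is only a stub (colon field 15).
secret_summary() {
    GNUPGHOME="$1" gpg --batch --list-secret-keys --with-colons 2>/dev/null |
      awk -F: '$1=="sec" || $1=="ssb" { w = $1 ($15=="#" ? "#" : "")
                                        s = (s == "") ? w : (s " " w) }
               END { print s }'
}

# Prints "<full keyring>|<subkey-only keyring>|<after delete-secret-keys>".
demo() {
    full=$(mktemp -d); sub=$(mktemp -d); chmod 700 "$full" "$sub"
    export GNUPGHOME="$full"
    # Throwaway key: certify+sign primary plus encryption subkey, no passphrase.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Demo <demo@example.invalid>' default default 0
    fprs=$(gpg --batch --list-keys --with-colons | awk -F: '$1=="fpr" {print $10}')
    pri=$(echo "$fprs" | sed -n 1p); subfpr=$(echo "$fprs" | sed -n 2p)
    # The "expire: 1y" step of the thread, applied to the subkey only.
    gpg --batch --quiet --quick-set-expire "$pri" 1y "$subfpr"
    a=$(secret_summary "$full")
    # Subkey-only secret keyring: what an offline-master setup keeps online.
    gpg --batch --export-secret-subkeys "$pri" |
      GNUPGHOME="$sub" gpg --batch --quiet --import 2>/dev/null
    b=$(secret_summary "$sub")
    # The step that went wrong in the thread: deletes every secret part.
    gpg --batch --yes --delete-secret-keys "$pri"
    c=$(secret_summary "$full")
    for d in "$full" "$sub"; do
        GNUPGHOME="$d" gpgconf --kill gpg-agent 2>/dev/null || true
        rm -rf "$d"
    done
    printf '%s|%s|%s\n' "$a" "$b" "$c"
}

if have_gpg; then demo; else echo "gpg not found, nothing to demonstrate"; fi
```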
