Pass expiration date param to subkey only via unattended key generation

s7r s7r at
Tue Oct 4 23:21:19 CEST 2022

Dear All,


A script will create on demand GPG keys unattended that will be further 
used to automatically sign a document, but the requirement is that they 
must also include an Encryption subkey to receive feedback securely.

Question is: keys can be generated unattended just fine, except I did 
not find a clear way to pass an Expire date param to the encryption 
subkey only, and not the primary key as well. The requirement is that 
the primary key must NEVER expire and the encryption subkey MUST expire 
in 2 years.


Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign, cert, auth
Name-Real: Test
Name-Email: test at
Expire-Date: 0
Subkey-Type: ecdh
Subkey-Curve: cv25519
Subkey-Usage: encrypt

How to pass an expiration date ONLY for the encryption subkey while 
leaving the primary key with no expiration date?

(I know that this goal can be later achieved by using $ gpg --edit-key 
but I am looking for a solution within the unattended key generation itself)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 495 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the Gnupg-users mailing list