Subkeys renewing/expiring strategy

nect bynect at
Tue Oct 11 17:23:49 CEST 2022


I started using gpg relatively recently (1 year or so), mainly for
signing git commits, and I am far from mastering it.

Since I was struggling to choose a strategy for expiring/renewing my
subkeys (more details below) I decided to seek expert advice (hopefully
this is the right place).

At the moment, I have my primary key (with no expiry) stored on a
offline drive.
I created the key 1 year ago, alongside a set of subkeys whose expiry
was due in 1 year.
Since they recently expired, I created another triplet of subkeys (sign,
author, encrypt) and started using them instead of the old ones.

Now, when I was doing this I realized that this strategy is not
particularly good, especially in the long run,
since you have to recreate every year (or 2) the new subkeys and let the
old ones expire (losing some trust?).
Also, uploading the new keys to every website that you use (eg GitLab)
is quite the annoying chore.

So, I was wondering what's the best strategy I can use to keep my
(sub)keys valid without compromising on security.
Is bumping the expiry date every year or so a better solution?
Also, are subkeys with unlimited expiry bad, or am I just being carried


PS: I would also like to add that is not related to any professional
I am just trying to learn how to use gpg correctly (mainly to satisfy my
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Gnupg-users mailing list