It's a good idea to periodically replace old [[PGP]] encryption keys
to minimize the amount of data exposed by cracking the old key.

    $ gpg --edit-key F15F5BE8
    ...
    pub  1024D/F15F5BE8  created: 2008-08-09  expires: 2011-08-08  usage: SC  
                         trust: ultimate      validity: ultimate
    sub  2048g/42407C74  created: 2008-08-09  expired: 2009-08-09  usage: E   
    sub  2048g/4DA3FC0B  created: 2009-07-26  expired: 2010-08-08  usage: E   
    sub  1024D/EB357E60  created: 2009-07-26  expired: 2010-08-08  usage: S   
    [ultimate] (1). William Trevor King <wking@drexel.edu>
    [ultimate] (2)  William Trevor King <tvrkng@gmail.com>

The usage characters are:

* e = encrypt/decrypt
* s = sign
* c = certify (sign another key)
* a = authenticate (e.g. log in to SSH with a PGP key)

See `doc/DETAILS` in the GnuPG source directory for details on the
output format (and the related colon listing format).

Note that my encryption keys have expired.  This makes it hard for
people to send me encrypted mail.  Create a new encryption key with

    gpg> addkey

Answering the prompts as you see fit (I usually pick Elgamal for
encryption).  You can also add signing keys with `addkey` (I usually
pick RSA for signing, since DSA keys are limited to 1024 bits, see
[ssh-keygen(1)][keygen]).

There doesn't seem to be much to [differentiate Elgamml vs. RSA for
encryption][diff].  I pick Elgamal for encryption since I've already
picked RSA for signing, and this spreads my eggs across more baskets.

Several `gpg` operations require a particular subkey to be selected.
Use `key` to select subkeys by index (marked with a `*`):

    gpg> key 1
    
    pub  1024D/F15F5BE8  created: 2008-08-09  expires: 2012-05-24  usage: SC  
                         trust: ultimate      validity: ultimate
    sub* 2048g/42407C74  created: 2008-08-09  expired: 2009-08-09  usage: E   
    sub  2048g/4DA3FC0B  created: 2009-07-26  expired: 2010-08-08  usage: E   
    sub  1024D/EB357E60  created: 2009-07-26  expired: 2010-08-08  usage: S   
    sub  2048g/3FB721E8  created: 2011-05-25  expires: 2012-05-24  usage: E   
    sub  2048R/9CADC4D9  created: 2011-05-25  expires: 2012-05-24  usage: S   
    [ultimate] (1). William Trevor King <wking@drexel.edu>
    [ultimate] (2)  William Trevor King <tvrkng@gmail.com>

If you get confused, there's also a `help` command.

Save and quit when you're done:

    gpg> save

Once you've got your key all fixed up, upload the new version to your
chosen keyserver:

    $ gpg --send-keys F15F5BE8

You probably also want to post your new key somewhere on your website:

    $ gpg --export --armor -o ~/.gnupg/pubkey.txt F15F5BE8
    $ scp ~/.gnupg/pubkey.txt you@somewhere:public_html/pubkey.txt

Checking signatures
-------------------

Here are some quick notes on checking signatures:

    $ gpg --check-sigs F15F5BE8

will list the status of signatures for which you have the signing key
in your keyring.  However, if you are missing one of the signing keys,
you may get a message like

    10 signatures not checked due to missing keys

If you run

    $ gpg --list-sigs F15F5BE8

you'll see all the signatures, and you can use the usual `gpg --recv-key
KEYID` to check out the ones you don't have.

[keygen]: http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1
[diff]: http://www.samsimpson.com/static/pgpfaq#SubRSADH

[[!tag tags/fun]]
[[!tag tags/linux]]