It's a good idea to periodically replace old [[PGP]] encryption keys
to minimize the amount of data exposed by cracking the old key.
- $ gpg --edit-key F15F5BE8
- ...
+ $ gpg --expert --edit-key F15F5BE8
+ …
pub 1024D/F15F5BE8 created: 2008-08-09 expires: 2011-08-08 usage: SC
trust: ultimate validity: ultimate
sub 2048g/42407C74 created: 2008-08-09 expired: 2009-08-09 usage: E
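Review bot: The `--expert` flag added to `gpg --expert --edit-key F15F5BE8` is not explained where it first appears, and the listing that follows is unchanged, so the reader cannot tell why the command changed. Add a sentence next to the command saying that expert mode is only needed for the extra key-type choice described later in the page, `RSA (set your own capabilities)`, or link forward to that paragraph.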
* c = certify (sign another key)
* a = authenticate (e.g. log in to SSH with a PGP key)
-See `doc/DETAILS` in the GnuPG source directory for details on the
+See `doc/DETAILS` in the [[GnuPG]] source directory for details on the
output format (and the related colon listing format).
+If your primary key has expired, you can extend its expiration time
+with
+
+ gpg> expire
+
Note that my encryption keys have expired. This makes it hard for
people to send me encrypted mail. Create a new encryption key with
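Review bot: The new paragraph ending in `gpg> expire` does not say what must be selected when the command is run, and it sits directly above the note about expired encryption subkeys. `expire` acts on the primary key only when no subkey is selected; with a subkey selected it changes that subkey instead. State this in the added text, and mention that the change has to be written with `save` and the updated public key redistributed before correspondents see the new expiration date.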
[ssh-keygen(1)][keygen]).
There doesn't seem to be much to [differentiate Elgamml vs. RSA for
-encryption][diff]. I pick Elgamal for encryption since I've already
-picked RSA for signing, and this spreads my eggs across more baskets.
+encryption][diff]. With the `--expert` mode, you can select
+
+ RSA (set your own capabilities)
+
+so that's what I do (since then I only need one subkey for all tasks).
Several `gpg` operations require a particular subkey to be selected.
Use `key` to select subkeys by index (marked with a `*`):
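Review bot: The added sentence `so that's what I do (since then I only need one subkey for all tasks)` drops the removed rationale about separating signing and encryption keys without stating the trade-off that replaces it. One subkey carrying every capability cannot be expired, rotated or revoked for one use without affecting the others, so the page should say that this is a convenience choice and what it costs. The paragraph also now jumps from the Elgamal vs. RSA comparison straight to the menu entry; add a line saying which capabilities are toggled after picking `RSA (set your own capabilities)`, and fix the "Elgamml" spelling in the leading context line in the same change.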