From: W. Trevor King Date: Sun, 27 May 2012 11:25:00 +0000 (-0400) Subject: Update GnuPG maintenance to use --expert. X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=1b41cd55351d7d7bec0340813b5bcb00800b521f;p=blog.git Update GnuPG maintenance to use --expert. --- diff --git a/posts/GnuPG_maintenance.mdwn b/posts/GnuPG_maintenance.mdwn index 17db629..675907c 100644 --- a/posts/GnuPG_maintenance.mdwn +++ b/posts/GnuPG_maintenance.mdwn @@ -1,8 +1,8 @@ It's a good idea to periodically replace old [[PGP]] encryption keys to minimize the amount of data exposed by cracking the old key. - $ gpg --edit-key F15F5BE8 - ... + $ gpg --expert --edit-key F15F5BE8 + … pub 1024D/F15F5BE8 created: 2008-08-09 expires: 2011-08-08 usage: SC trust: ultimate validity: ultimate sub 2048g/42407C74 created: 2008-08-09 expired: 2009-08-09 usage: E @@ -18,9 +18,14 @@ The usage characters are: * c = certify (sign another key) * a = authenticate (e.g. log in to SSH with a PGP key) -See `doc/DETAILS` in the GnuPG source directory for details on the +See `doc/DETAILS` in the [[GnuPG]] source directory for details on the output format (and the related colon listing format). +If your primary key has expired, you can extend its expiration time +with + + gpg> expire + Note that my encryption keys have expired. This makes it hard for people to send me encrypted mail. Create a new encryption key with 
@@ -32,8 +37,11 @@ pick RSA for signing, since DSA keys are limited to 1024 bits, see [ssh-keygen(1)][keygen]). There doesn't seem to be much to [differentiate Elgamml vs. RSA for -encryption][diff]. I pick Elgamal for encryption since I've already -picked RSA for signing, and this spreads my eggs across more baskets. +encryption][diff]. With the `--expert` mode, you can select + + RSA (set your own capabilities) + +so that's what I do (since then I only need one subkey for all tasks). Several `gpg` operations require a particular subkey to be selected. Use `key` to select subkeys by index (marked with a `*`):
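Review bot: In the first hunk (@@ -1,8 +1,8 @@), `--expert` is added to the `--edit-key` command with no explanation at that point; the reason (the "RSA (set your own capabilities)" choice) only appears in the third hunk. Add a short sentence after the command saying why expert mode is needed, so a reader who only wants to inspect the key or extend its expiry knows the flag is optional there. The same hunk also changes `...` to `…` inside the indented terminal sample; that is unrelated to the commit subject and puts a non-ASCII character into what is rendered as literal output, so keep the ASCII `...` or move the change to its own commit.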
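Review bot: In the second hunk (@@ -18,9 +18,14 @@), the added `gpg> expire` paragraph does not say that it relies on no subkey being selected, and subkey selection with `key` is only introduced further down the post. The listing in the first hunk shows both an expiring primary key (`expires: 2011-08-08`) and an expired subkey (`expired: 2009-08-09`), so a reader can easily run `expire` against the wrong one. State that `expire` with nothing selected changes the primary key, and that with a subkey selected it changes that subkey instead.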
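Review bot: In the third hunk (@@ -32,8 +37,11 @@), the new sentence "so that's what I do (since then I only need one subkey for all tasks)" replaces the "spreads my eggs across more baskets" rationale without stating the trade-off. A single RSA subkey carrying every capability cannot have its encryption use replaced separately from signing, which sits awkwardly with the post's opening advice to periodically replace old encryption keys, and the surrounding context still reads "pick RSA for signing" as if signing and encryption were chosen separately. Add a sentence on that trade-off and reconcile the preceding paragraph with the one-subkey approach. While this paragraph is being touched, the context line "differentiate Elgamml vs. RSA" has a typo (Elgamal).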