1 It's a good idea to periodically replace old [[PGP]] encryption keys
2 to minimize the amount of data exposed by cracking the old key.
4 $ gpg --expert --edit-key F15F5BE8
6 pub 1024D/F15F5BE8 created: 2008-08-09 expires: 2011-08-08 usage: SC
7 trust: ultimate validity: ultimate
8 sub 2048g/42407C74 created: 2008-08-09 expired: 2009-08-09 usage: E
9 sub 2048g/4DA3FC0B created: 2009-07-26 expired: 2010-08-08 usage: E
10 sub 1024D/EB357E60 created: 2009-07-26 expired: 2010-08-08 usage: S
11 [ultimate] (1). William Trevor King <wking@drexel.edu>
12 [ultimate] (2) William Trevor King <tvrkng@gmail.com>
14 The usage characters are:
18 * c = certify (sign another key)
19 * a = authenticate (e.g. log in to SSH with a PGP key)
21 See `doc/DETAILS` in the [[GnuPG]] source directory for details on the
22 output format (and the related colon listing format).
24 If your primary key has expired, you can extend its expiration time
29 Note that my encryption keys have expired. This makes it hard for
30 people to send me encrypted mail. Create a new encryption key with
34 Answering the prompts as you see fit (I usually pick Elgamal for
35 encryption). You can also add signing keys with `addkey` (I usually
36 pick RSA for signing, since DSA keys are limited to 1024 bits, see
37 [ssh-keygen(1)][keygen]).
39 There doesn't seem to be much to [differentiate Elgamml vs. RSA for
40 encryption][diff]. With the `--expert` mode, you can select
42 RSA (set your own capabilities)
44 so that's what I do (since then I only need one subkey for all tasks).
46 Several `gpg` operations require a particular subkey to be selected.
47 Use `key` to select subkeys by index (marked with a `*`):
51 pub 1024D/F15F5BE8 created: 2008-08-09 expires: 2012-05-24 usage: SC
52 trust: ultimate validity: ultimate
53 sub* 2048g/42407C74 created: 2008-08-09 expired: 2009-08-09 usage: E
54 sub 2048g/4DA3FC0B created: 2009-07-26 expired: 2010-08-08 usage: E
55 sub 1024D/EB357E60 created: 2009-07-26 expired: 2010-08-08 usage: S
56 sub 2048g/3FB721E8 created: 2011-05-25 expires: 2012-05-24 usage: E
57 sub 2048R/9CADC4D9 created: 2011-05-25 expires: 2012-05-24 usage: S
58 [ultimate] (1). William Trevor King <wking@drexel.edu>
59 [ultimate] (2) William Trevor King <tvrkng@gmail.com>
61 If you get confused, there's also a `help` command.
63 Save and quit when you're done:
67 Once you've got your key all fixed up, upload the new version to your
70 $ gpg --send-keys F15F5BE8
72 You probably also want to post your new key somewhere on your website:
74 $ gpg --export --armor -o ~/.gnupg/pubkey.txt F15F5BE8
75 $ scp ~/.gnupg/pubkey.txt you@somewhere:public_html/pubkey.txt
80 Here are some quick notes on checking signatures:
82 $ gpg --check-sigs F15F5BE8
84 will list the status of signatures for which you have the signing key
85 in your keyring. However, if you are missing one of the signing keys,
86 you may get a message like
88 10 signatures not checked due to missing keys
92 $ gpg --list-sigs F15F5BE8
94 you'll see all the signatures, and you can use the usual `gpg --recv-key
95 KEYID` to check out the ones you don't have.
100 If you get a new email account, you'll want to add it to your key.
102 $ gpg --edit-key F15F5BE8
106 Optionally make the new ID your primary ID.
111 Finall, save your changes.
115 Don't worry about the `[unknown]` trust level next to your new ID.
116 Once you've saved the key, it will change to `[ultimate]`. I imagine
117 the initial `[unknown]` listing is because you haven't officially
118 confirmed the new ID's signature by saving your changes.
120 Inspecting GnuPG files
121 ----------------------
123 If you want to see what's inside a GnuPG-generated file (e.g. you
124 forgot which subkeys are in the ASCII-armored public key you published
125 earlier), you can use:
127 $ gpg --list-packets ~/.gnupg/pubkey.txt
129 version 4, algo 17, created 1218318982, expires 0
131 :public sub key packet:
132 version 4, algo 16, created 1218319006, expires 0
134 keyid: 7C572F3442407C74
137 [keygen]: http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1
138 [diff]: http://www.samsimpson.com/static/pgpfaq#SubRSADH