This post is a step-by-step tutorial on how to extend the expiration date of your GPG keys or reset it in case the keys have already expired. But, before we go through how to change the date, I’d like to write a few things about why setting an expiration date on your GPG keys is important.



The importance of the GPG/PGP key expiration date

Most people set their GPG keys to never expire, and there is no problem with that, unless they lose the private key, it gets stolen, or they simply forget its passphrase. In such a case the public key, which has probably been published to several key servers around the world and retrieved by an arbitrary number of other people, is practically useless. Apart from removing it from some of the keyservers, the owner can do absolutely nothing else about it, unless, of course, they had previously generated a revocation certificate for the public key and still have access to that certificate. In the not so rare case that the revocation certificate is not available, the only way to let those who have already grabbed a copy of the public key know that they should stop using it is to notify them directly, which is not always possible, since the actual number of holders of that specific public key is not known.

Setting an expiration date on your keys is a very good security measure. It lets the holders of the public key know the key’s end-of-life date. On the other hand, you can always extend the key’s expiration date and send the updated key to the key servers. When others find out that your public key has expired, the very first thing they do will be to refresh it from a key server, in which case they’ll retrieve your updated public key. Even if you lose the private key, forget the passphrase, or lose the revocation certificate too, a time will come when the public key expires, which indicates that it is invalid and should not be trusted any more. This is important.

Change the expiration date of a GPG key

In this section I describe how to extend or reset a key’s expiration date using gpg from the command line. There are probably several graphical front-ends out there that might simplify this procedure, but, since graphical front-ends are not usually cross-platform, I choose to use the command-line gpg utility. So, here is how we do it.

First of all, you have to know the ID of the key you need to edit:

$ gpg --list-keys
pub   1024D/B989893B 2007-03-07 [expired: 2009-12-31]
uid                  George Notaras <gnotaras@example.org>
sub   4096g/320D81EE 2007-03-07 [expired: 2009-12-31]

The ID in question is B989893B, so we edit the key with that ID:

$ gpg --edit-key B989893B

You should have entered the gpg shell by now. To see a list of the available commands you can always invoke the help command.

First of all, list the keys so you know what you are editing:

gpg> list

pub  1024D/B989893B  created: 2007-03-07  expired: 2009-12-31  usage: SCA
                     trust: ultimate      validity: ultimate
sub  4096g/320D81EE  created: 2007-03-07  expired: 2009-12-31  usage: E
[ ultimate] (1). George Notaras <gnotaras@example.org>

By default, no subkey (sub) is selected, which means that we work on the primary key (pub). You can select the subkey you want to work on by invoking the key command followed by the number (index) of that subkey. If no argument, or the index 0, is passed to the key command, every subkey is deselected and you are working on the primary key again.

gpg> key 0

pub  1024D/B989893B  created: 2007-03-07  expired: 2009-12-31  usage: SCA
                     trust: ultimate      validity: ultimate
sub  4096g/320D81EE  created: 2007-03-07  expired: 2009-12-31  usage: E
[ ultimate] (1). George Notaras <gnotaras@example.org>

Now use the expire command to set an expiration time for the primary key.

gpg> expire
Changing expiration time for the primary key.
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at 10/28/12 03:51:07
Is this correct? (y/N) y

You need a passphrase to unlock the secret key for
user: "George Notaras <gnotaras@example.org>"
1024-bit DSA key, ID NNNNNNNN, created 2007-03-07

pub  1024D/B989893B  created: 2007-03-07  expires: 2012-10-28  usage: SCA
                     trust: ultimate      validity: ultimate
sub  4096g/320D81EE  created: 2007-03-07  expired: 2009-12-31  usage: E
[ ultimate] (1). George Notaras <gnotaras@example.org>

The output above indicates that the expiration date of the primary public key has been set to 2012-10-28. Note that the expiration date has also been changed on the primary private key of the keypair; you can issue the toggle command to verify the private key’s expiration date. Don’t worry about that. It is the private subkeys, which never expire, that are actually used when you decrypt and sign data. Read more on this in a special note at the end of this section. For now, just issue the toggle command once again to return to public key editing mode.

In this example case, there is one public subkey on which we need to set a new expiration date. That’s key number 1. We select that with the key command:

gpg> key 1

pub  1024D/B989893B  created: 2007-03-07  expires: 2012-10-28  usage: SCA
                     trust: ultimate      validity: ultimate
sub* 4096g/320D81EE  created: 2007-03-07  expired: 2009-12-31  usage: E
[ ultimate] (1). George Notaras <gnotaras@example.org>

Set a new expiration time on that subkey by invoking the expire command:

gpg> expire
Changing expiration time for a subkey.
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at 10/28/12 03:02:43
Is this correct? (y/N) y

You need a passphrase to unlock the secret key for
user: "George Notaras <gnotaras@example.org>"
1024-bit DSA key, ID NNNNNNNN, created 2007-03-07

pub  1024D/B989893B  created: 2007-03-07  expires: 2012-10-28  usage: SCA
                     trust: ultimate      validity: ultimate
sub* 4096g/320D81EE  created: 2007-03-07  expires: 2012-10-28  usage: E
[ ultimate] (1). George Notaras <gnotaras@example.org>

Now it seems that everything is set up fine. You have changed the expiration dates of your keys. You can always use the list command to list the keys. Use the toggle command to toggle between public and private key editing mode.

As a final step you need to save your changes. Invoke the save command.

gpg> save

So, now you can update the public key that is stored on the various keyservers. To achieve this use the following command. In this example, the keyserver at pgp.mit.edu is used.

$ gpg --keyserver pgp.mit.edu --send-keys B989893B
gpg: sending key B989893B to hkp server pgp.mit.edu
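The procedure above only helps if you notice an approaching expiry before other people's copies of your key go stale. As an added example (not from the original post), the following script parses the machine-readable listing that gpg produces with --with-colons and flags every primary key and subkey that is expired or about to expire; the key IDs, epoch timestamps and the sample listing are constructed, and the current time is passed in as a parameter.

```shell
#!/bin/sh
# Added example, not part of the original post: scan the machine-readable
# output of `gpg --with-colons --list-keys` and flag every primary key (pub)
# and subkey (sub) that has expired or will expire within WARN_DAYS.
# Colon-format fields used (see GnuPG's doc/DETAILS): 1 = record type,
# 5 = key ID, 7 = expiration as seconds since the epoch (empty = never).

# Usage: check_expiry NOW_EPOCH WARN_DAYS < colon_output
# Prints one "<keyid> <state>" line per pub/sub record, where state is one of
# never | expired | expiring | ok. NOW_EPOCH is passed in (rather than read
# from `date`) so the check is reproducible and portable across shells.
check_expiry() {
    awk -F: -v now="$1" -v warn="$2" '
        $1 == "pub" || $1 == "sub" {
            expiry = $7                     # "exp" is an awk builtin, avoid it
            if (expiry == "")                         state = "never"
            else if (expiry + 0 <= now + 0)           state = "expired"
            else if (expiry - now <= warn * 86400)    state = "expiring"
            else                                      state = "ok"
            print $5, state
        }'
}

# Constructed sample listing (not captured from a real keyring): the key from
# the post after its primary key was extended to 2012-10-28 (epoch 1351382400)
# but before its subkey, still expiring 2009-12-31 (1262217600), was fixed;
# plus a second key that never expires with a subkey ending 2010-02-28.
SAMPLE='pub:u:1024:17:AAAAAAAAB989893B:1173225600:1351382400::u:::scaSCA::::::23::0:
uid:u::::1173225600::0000000000000000000000000000000000000000::George Notaras <gnotaras@example.org>::::::::::0:
sub:e:4096:16:AAAAAAAA320D81EE:1173225600:1262217600:::::e::::::23:
pub:u:2048:1:AAAAAAAA11111111:1173225600:::u:::scESC::::::23::0:
sub:u:2048:1:AAAAAAAA22222222:1173225600:1267315200:::::e::::::23:'

# Evaluate the sample as of 2010-01-15 (epoch 1263513600) with a 60-day window.
example_report() {
    printf '%s\n' "$SAMPLE" | check_expiry 1263513600 60
}

example_report
```

Against a live keyring, run `gpg --with-colons --list-keys | check_expiry "$(date +%s)" 30`. Newer GnuPG (2.1.17 and later) can also change an expiry without the interactive shell using `gpg --quick-set-expire <fingerprint> 2y`.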

Enjoy.

Important Note

If you tried to use the expire command in private key editing mode, you would notice that it is not possible to change the expiration date of any subkeys in this mode. Actually, the private subkeys never expire. Although I haven’t investigated this, common sense indicates that, since private subkeys are used to sign and decrypt data and are not meant to be distributed, it wouldn’t make any sense if they expired.

Theoretically speaking, the owner of an expired private key should still have the ability to decrypt data and also be able to sign data, even if all public subkeys of the current keypair have expired, since it is always possible to reset the expiration date on the currently expired public keys.

As I mentioned earlier, I haven’t investigated this, but I think that non-expiring private keys make a lot of sense.

Final Thoughts

This article described in detail how to change the expiration date of GPG/PGP keys. This should be a standard key maintenance procedure if you set an expiration date on your keys.

Setting an expiration date on your keys is not mandatory as long as you have taken other measures to protect the private key and the public key’s revocation certificate by backing it up and storing it at another location. But, in general, it is a good habit as explained in this article’s introduction. I by no means am a GPG/PGP expert. I wrote this guide because I realized that most people do not set an expiration date on their keys because they do not know how to change it and extend the key’s life or because they have not realized the importance of the expiration date or simply because they do not care. I hope you find this tutorial useful and start setting an expiration date on your keys from now on.

How to change the expiration date of a GPG key by George Notaras is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

Copyright © 2010 - Some Rights Reserved