162

Let's say I add an expiration date to a GPG/PGP key, then for some reason am unable to extend the expiration date of the key before its time is up.

Assuming I still have access to the private key (and the public key has only expired, not been revoked) can I still renew it?

aland
IQAndreas

4 Answers

216

Yes, you can renew it at any time. Here's how to do it:

gpg --list-keys
gpg --edit-key (key id)

Now you're in the gpg console. (By default, you're working on the primary key.) If you need to update a sub-key:

gpg> key 1

Now you can set the expiration for the selected key:

gpg> expire
(follow prompts)
gpg> save

Now that you've updated your key, you can send it out:

gpg --keyserver pgp.mit.edu --send-keys (key id)

And, yes, having an expiration date for your keys is a very good idea. You should never really have a key with no expiration date. If it's compromised, it could be used forever.

Krenair
Sauce McBoss
62

According to OpenPGP Best Practices on Riseup.net (archived)[1], yes, it is possible, and there don't seem to be any recommendations against it:

People think that they don’t want their keys to expire, but you actually do. Why? Because you can always extend your expiration date, even after it has expired! This “expiration” is actually more of a safety valve or “dead-man switch” that will automatically trigger at some point. If you have access to the secret key material, you can untrigger it. The point is to set up something to disable your key in case you lose access to it (and have no revocation certificate).


[1]: The link now points to an Internet Archive entry as the original one is dead.

toraritte
IQAndreas
22

Since I don't want to hijack the excellent answer by Sauce McBoss, here's a quicker way that corresponds to the method shown there:

  1. gpg -Kv --with-subkey-fingerprints (= gpg --list-secret-keys --verbose --with-subkey-fingerprints), since you can only change the expiry of keys you own anyway
    • Note down the primary key fingerprints you want to change
  2. for each fingerprint recorded above do:
    gpg --quick-set-expire $KEYID $DURATION
    gpg --quick-set-expire $KEYID $DURATION '*'
    
    • first command changes primary key expiry, second one the expiry for all subkeys (use a subkey fingerprint instead of '*' if desired)
    • $KEYID is the ID that unambiguously identifies a key
    • $DURATION is a number of days (default), 0 for no expiration or a number directly followed by w, m, or y to mean weeks, months and years respectively.

Hint: If like me you prefer some "clean" expiry dates, you can use the faketime utility to invoke gpg --quick-set-expire to control the exact time of day for the expiry. Otherwise this will be governed by your current time of day.

Note: may only work reliably if your primary key and subkeys haven't been expired and are deemed valid.

Tested with gpg (GnuPG) 2.2.19.


Respective part from the man page gpg(1):

--quick-set-expire fpr expire [*|subfprs]

With two arguments given, directly set the expiration time of the primary key identified by fpr to expire. To remove the expiration time 0 can be used. With three arguments and the third given as an asterisk, the expiration time of all non-revoked and not yet expired subkeys are set to expire. With more than two arguments and a list of fingerprints given for subfprs, all non-revoked subkeys matching these fingerprints are set to expire.

0xC0000022L
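As an added example (not code from this answer, from the edit-key answer above, or from GnuPG itself), here is a small POSIX shell script that combines the listing step of this answer with its two --quick-set-expire commands. It reads the machine-readable listing (gpg --with-colons) rather than the human-readable one, so it can pick out the primary keys that have already expired or will expire within a given number of days and renew only those, primary key first and then all subkeys via '*', which is the same outcome as the expire/save steps in gpg --edit-key. The sample listing embedded in it is constructed, with fake key ids and fingerprints; the script assumes GnuPG 2.2.19 or later, as the answer does, and that the secret keys are available to gpg-agent.

```shell
#!/bin/sh
# Added example, not code from the answers above: find secret keys whose
# primary key has expired or will expire soon, then renew them the way this
# answer describes (gpg --quick-set-expire for the primary key, then '*' for
# all subkeys). Assumes GnuPG 2.2.19 or later, as in the answer.

# Constructed sample of `gpg --list-secret-keys --with-colons` output (fake
# key ids and fingerprints). In colon mode, field 7 of a "sec" record is the
# expiry as seconds since the epoch, empty when the key never expires; the
# "fpr" record that follows carries the fingerprint in field 10.
SAMPLE_LISTING='sec:e:4096:1:AAAAAAAAAAAAAAAA:1577836800:1609459200::u:::scESC:::+:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:e::::1577836800::0000000000000000000000000000000000000000::Example User <user@example.com>::::::::::0:
ssb:e:4096:1:BBBBBBBBBBBBBBBB:1577836800:1609459200:::::e:::+:::23:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
sec:u:255:22:CCCCCCCCCCCCCCCC:1700000000::::::scESC:::+:::ed25519::0:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# expiring_primary_fprs DAYS NOW
# Reads a colon listing on stdin and prints the fingerprint of every primary
# key whose expiry falls at or before NOW + DAYS*86400, i.e. keys that have
# expired and keys about to expire. Keys without an expiry are never touched.
expiring_primary_fprs() {
    awk -F: -v limit="$(( $2 + $1 * 86400 ))" '
        $1 == "sec" { pending = ($7 != "" && $7 + 0 <= limit); next }
        $1 == "fpr" && pending { print $10; pending = 0; next }
        $1 == "ssb" || $1 == "uid" { pending = 0 }
    '
}

# renew_key FPR DURATION
# Same effect as "expire" followed by "save" in gpg --edit-key for the primary
# key and each subkey: extend the primary key, then all non-revoked subkeys.
# DURATION uses the answer's syntax (days by default, or e.g. 1y, 6m, 2w).
renew_key() {
    gpg --quick-set-expire "$1" "$2" &&
    gpg --quick-set-expire "$1" "$2" '*'
}

# renew_expiring DAYS DURATION
# Lists your own secret keys and renews those expiring within DAYS.
# stdin of gpg is redirected so it cannot consume the fingerprint list.
renew_expiring() {
    gpg --list-secret-keys --with-colons --with-subkey-fingerprints |
    expiring_primary_fprs "$1" "$(date +%s)" |
    while read -r fpr; do
        echo "renewing $fpr for $2"
        renew_key "$fpr" "$2" </dev/null
    done
}

# Usage: sh renew-expiring.sh 30 1y  (renew keys expiring within 30 days,
# for one more year). Without arguments only the functions are defined, so the
# file can also be sourced and expiring_primary_fprs tried on SAMPLE_LISTING.
if [ "$#" -eq 2 ]; then
    renew_expiring "$1" "$2"
fi
```

After a renewal the updated public key still has to be distributed, exactly as in the first answer (gpg --send-keys, or exporting it to wherever your correspondents fetch it from), since the new expiry is a self-signature that only exists locally until then.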
5

Under Ubuntu, it seems you can manage your keys with a graphical interface by searching for the Keys and Passwords application (press the Super key and type "keys", etc.).

Once it launches, click on "GnuPG keys" on the left, and then on the key you wish to update. You can now click on the calendar icon if it's expired to update the expiration date.

It seems this GUI can also be launched from the command line by typing seahorse.

Ramhound
CPBL