Showing posts with label security. Show all posts
Showing posts with label security. Show all posts

Tuesday, 12 February 2013

GPG key managment

As all good boys did, I (relatively) recently generated a nice shiny new GPG key, all 4096 bits of it.  I have switched everything over to this key and have been happy.  Today I was wondering whatever happened to the old key.  After some minutes trying to remember what the passphrase (oops) I finally managed to find and open the key.

Time it seems to revoke it so that I never have to worry about it again (and before I forget the passphrase for good).  Revoking a key essentially puts an end date on the key, it says any use of the key after this date is definitively invalid.  Luckily revoking a key (that you can remember the passphrase for) is relatively simple:
gpg --edit key
gpg> revoke
gpg> save
gpg --send-key
While I was at it I started to wonder about losing keys and how one guards against total loss of a key.  The received wisdom is to set an expiration date on your key.  These may be extended at any time, even after the key has technically expired, assuming you still have the private key.  If you do not then at least the key will automatically fall out of use when it expires.  Adding an expiry date to a key is also pretty simple:
gpg --edit-key
gpg> key 0
gpg> expire
...
Key is valid for? (0) 18m
gpg> key 1
gpg> expire
Changing expiration time for a subkey.
...
Key is valid for? (0) 12m
gpg> save
gpg --send-key
Note here I am setting the subkey (or keys, key 1 and higher) to expire in a year, and the main key to expire in 18 months.

At least now the keys I care about are protected and those I do not are put out of use.