Every year or two, my GnuPG keys expire on KeyBase and in various key servers. Every time, I forget the process, and have to re-learn it. This post serves as a reminder to myself, or anyone else trying to do the same thing. It’s trivially easy, and there are GUI applications which can do it for you, but I went with this solution, since everyone should be able to do it.
To run GnuPG, you need to install it first. I was on a Microsoft Windows 10 system, so I just used Ubuntu as part of the WSL. It has mostly replaced my need for virtual machines on my personal desktop, and it integrates well into Windows 10. If your Ubuntu WSL system does not come with GnuPG already installed, you can install it by running:
sudo apt install gnupg
On to the keys
Importing the Public Key
First, I downloaded the public key. This is the command given when you click on anyone’s public key on KeyBase.
curl https://keybase.io/<your_username>/pgp_keys.asc | gpg --import
Importing the Private Key
I didn’t have my private key on this system, so I downloaded it straight from KeyBase. If you’re logged in and view your own profile, you should have an “edit” button with an option to export your private key. (You’ll likely be prompted for your KeyBase password to perform this action.)
gpg --import <downloaded_file>.key
Once you start this import, it’s going to ask you for the password to the key. This one took me a while, because I thought it would be the same password that I originally used to import it years ago. However, this key is encrypted with your KeyBase password! Copy your KeyBase password from your password vault, and paste it into the GnuPG dialog.
Before continuing, make sure that both your keys were imported properly. You should be able to see them if you run:
gpg --list-keys
gpg --list-secret-keys
Editing the Keys
To begin editing these keys’ expiration dates, enter the edit mode of GnuPG, passing it your key’s fingerprint value:
gpg --edit-key <your_key_fingerprint>
From here, you can list any potential subkeys that you may have. I have subkeys for each of my email addresses, so that I can use this same GnuPG identity with any of the email addresses. Yours may not have as many listed.
First, let’s change the expiration on the private key by entering the “expire” command at the gpg> prompt.
Then it will prompt you to change the expiration date. I specified 2 years this time, but you can choose anything you want, even a key that does not expire, although that has its own issues.
GnuPG will then list the keys again, and you can see that your private key now shows an updated expiration date.
However, the public key still has the old date. The process is exactly the same as for the private key, except that we need to select the public key first. Select it with the following command:
gpg> key 1
Note that if you need to make additional changes to your secret key, you can select it again with:
gpg> key 0
Once again, enter the “expire” command and set an expiration date.
Lastly, remember to persist these changes to disk with the “save” command.
Additionally, you can export the new public key to a file.
After updating your keys, you will want to distribute your new public key. I always send mine to the MIT keyserver, as it’s commonly searched. You can do it directly through GnuPG:
gpg --keyserver pgp.mit.edu --send-keys <your_key_fingerprint>
Shortly after, you can view it on the MIT Keyserver site. It should have your new expiration date listed.
If you used KeyBase to start with, you’ll ideally want to upload it to them as well. Log in to KeyBase and go to your profile. There should be an “edit” link with an option to “Update my key (I edited it elsewhere)”. Click this link.
This will allow you to enter your public key. Open the file that you exported earlier, copy its contents, and paste them into this text box. Once done, click “Submit”.
There you have it. It’s really a simple process, but one that I’ve had to research every time my key comes close to expiring. Hopefully it can save you a half hour of research as well.
Additionally, instead of having to generate a new key, you’ve updated your existing one. This means that if someone uses your old public key, you should still be able to decrypt the message. And if you used KeyBase, you don’t have to redo all your verifications. That can be quite tedious, and it also draws suspicion, since it alerts all your friends that you revoked your old key.