A quick tutorial on setting up PGP keys so that you can expire and rotate keys without driving yourself crazy. In this scenario, we will be using PGP for:
- Email encryption / decryption / signing; and
- PGP Disk for data storage.
First challenge: generate a new PGP key. If you are unsure how to proceed, read the simple explanation of PGP's features and suggestions in:
PGP for Everyday Use.
The choices you need to make are:
- The key type is up to you; I use RSA keys.
- Pick an appropriate key length; I use 2048 bit.
- Set the expiration date to Never.
- Set a STRONG passphrase. See this page, which has a good paragraph on "Passphrase preparation", for more information.
Once your key is generated, remove the default (non-expiring) encryption subkey and generate a new subkey that does expire, so that you can let it expire and replace it with a fresh one later. To do this, follow these steps:
- Right-click your new key in PGP Keys and select Properties.
- Click the Subkeys tab.
- Select the listed subkey and click Remove.
- Click New.
- Set the key size (we used 2048 bit previously).
- Set the start date to today's date.
- Set the expiration date (I use 1 year).
- Click OK.
Now you can export your public key to the keyserver. When your encryption subkey expires, create a new subkey and simply update the key on the keyserver. This gives you a single, long-lived key for signing while rotating the encryption keys annually; when an encryption subkey expires, people just have to refresh your key from the keyserver.
This saves having to go through repeated key fingerprint verification every time your key expires, which is annoying, especially if you use PGP heavily with many other people.
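The same layout built with GnuPG's command-line tools instead of the PGP Desktop GUI, as an added example that is not part of the original tutorial. It assumes gpg 2.1 or later is installed; the user ID is constructed, and the primary key is generated without an encryption subkey rather than generated and then stripped of one.

```shell
#!/bin/sh
# GnuPG equivalent of the key layout above: a non-expiring RSA 2048 primary
# key used for signing, plus an RSA 2048 encryption subkey that expires after
# one year and is rotated by adding a fresh subkey. Everything happens in a
# throwaway keyring, so ~/.gnupg is never touched.
export GNUPGHOME="$(mktemp -d)"
chmod 700 "$GNUPGHOME"
UID_STR="Example User (rotation demo) <demo@example.invalid>"  # constructed

# Demo only: an empty passphrase lets the script run unattended. A real key
# gets the strong passphrase the tutorial calls for.
gpgb() { gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"; }

fingerprint() {
  gpg --batch --with-colons --list-secret-keys "$UID_STR" \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Step 1: a primary key only (sign + certify, expiry "never"). This is the
# GUI key after its default encryption subkey has been removed, without
# having to delete anything. Prints the primary key fingerprint.
create_primary() {
  gpgb --quick-gen-key "$UID_STR" rsa2048 sign never >/dev/null 2>&1
  fingerprint
}

# Steps 2-3: add an encryption-only subkey valid from now, expiring in 1 year.
# Running this again when the subkey nears expiry is the annual rotation;
# the primary key and its fingerprint never change.
add_encryption_subkey() {
  gpgb --quick-add-key "$1" rsa2048 encr 1y 2>/dev/null
}

# One line per key: "<pub|sub>:<capabilities>:<expiry epoch, empty = never>"
key_summary() {
  gpg --batch --with-colons --list-keys "$1" \
    | awk -F: '$1 == "pub" || $1 == "sub" { print $1 ":" $12 ":" $7 }'
}

# Step 4: the public key block to upload (gpg --send-keys "$fpr") or hand
# out; correspondents re-fetch it after each rotation instead of verifying
# a new fingerprint.
export_public() {
  gpg --batch --armor --export "$1"
}

cleanup() { gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"; }
```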
Enjoy...