Diffstat (limited to 'src/content/post/extending-gpg-subkey-expiration-yubikey.md')
| -rw-r--r-- | src/content/post/extending-gpg-subkey-expiration-yubikey.md | 99 |
1 files changed, 99 insertions, 0 deletions
diff --git a/src/content/post/extending-gpg-subkey-expiration-yubikey.md b/src/content/post/extending-gpg-subkey-expiration-yubikey.md new file mode 100644 index 0000000..59790bc --- /dev/null +++ b/src/content/post/extending-gpg-subkey-expiration-yubikey.md 
@@ -0,0 +1,99 @@ +--- +title: "Extending GPG Subkey Expiration on YubiKey" +description: "How to extend the expiration date of GPG subkeys stored on a YubiKey" +publishDate: "30 January 2026" +tags: [security, gpg, yubikey, "en"] +author: "Dawid" +language: "en" +--- + +# Extending GPG Subkey Expiration on YubiKey + +I'm always forgetting how to do that, so I'll write one another step by step guide how to extend +expiration of subkeys in yubikey. + +## First you need + +Master key available locally (not on YubiKey - get it from back-up that you have, don't you?) + +## Steps + +### 1. Verify your keys + +Plug in the YubiKey and check the current state: + +```bash +gpg --card-status +``` + +You should see: +- `sec` — master key (local) +- `ssb>` — subkeys on YubiKey (the `>` indicates the key is on a smartcard) + +The full fingerprints are listed under: +- **Signature key** — signing subkey +- **Encryption key** — encryption subkey +- **Authentication key** — authentication subkey + +### 2. Get master key fingerprint + +```bash +gpg -K --with-subkey-fingerprints +``` + +Copy the full fingerprint of the master key. + +### 3. Extend subkey expiration + +Extend all three subkeys at once: + +```bash +gpg --quick-set-expire <MASTER_FULL_FP> 1y <SIGN_FULL_FP> <ENC_FULL_FP> <AUTH_FULL_FP> +``` + +Or extend all subkeys (including old/dead ones) with a wildcard: + +```bash +gpg --quick-set-expire <MASTER_FULL_FP> 1y '*' +``` + +### 4. Verify the new expiration + +```bash +gpg --card-status +``` + +Confirm the `ssb>` subkeys show the updated expiry date. + +### 5. Export updated public key + +```bash +gpg --export --armor <MASTER_KEY_ID> > pubkey.asc +``` + +The subkey expiration dates are stored in the public key metadata. +Even though the key material hasn't changed, the updated expiry needs to be distributed. 
+ +Remember to upload it to your: + +- git servers +- keyservers (`gpg --send-keys <MASTER_KEY_ID>`) +- any other service that verifies signatures + +The expiry metadata changed, so update your offline backup of the public key. + +## Additionally + +- **`pass`** requires no changes — it uses the same encryption subkey, just with a new expiry. +- **Git signing** requires no local config changes — `git` uses the same key ID. +- Only the public key export/upload is needed to keep external services working. + +## Useful links + +- [Change PGP Key Expiration Date — jms1](https://yubikey.jms1.info/maint/pgp-expiration.html) +- [Changing the expiration date of your YubiKey — shibumi.dev](https://shibumi.dev/posts/changing-the-expiration-date-of-your-yubikey/) +- [Extending an expired GPG key — WhyNotHugo](https://whynothugo.nl/journal/2023/07/13/extending-an-expired-gpg-key/) +- [PGP on YubiKey / refresh expiry — OSSO](https://www.osso.nl/blog/2020/pgp-on-yubikey-refresh-expiry/) +- [Renewing subkeys — drduh/YubiKey-Guide #101](https://github.com/drduh/YubiKey-Guide/issues/101) +- [yubikey-gpg-expiry-extender — automation scripts](https://github.com/ahuemmer/yubikey-gpg-expiry-extender) +- [Renew Expired GPG key — GitHub Gist](https://gist.github.com/krisleech/760213ed287ea9da85521c7c9aac1df0) |
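Review bot: The guide has the reader restore the master secret key from backup ("First you need") but never returns the keyring to its offline state, so a reader following it literally ends with the master secret key resident on the working machine; add a closing step after the export that removes the master secret key from the local keyring again (or states whatever the backup workflow expects), since keeping it off the machine is the premise of the YubiKey setup. Two smaller points in the same file: step 4 verifies with `gpg --card-status`, yet step 5 itself notes that the expiry lives in the public-key metadata rather than on the card, so `gpg -K --with-subkey-fingerprints` (already used in step 2) is the more direct check and avoids suggesting the card changed; and the placeholder switches from `<MASTER_FULL_FP>` in step 3 to `<MASTER_KEY_ID>` in step 5 without saying whether the key ID or the full fingerprint is meant. Also fix the intro typo: "one another step by step guide" should read "yet another step-by-step guide".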
