Diffstat (limited to 'src/content')
-rw-r--r-- src/content/post/extending-gpg-subkey-expiration-yubikey.md 99
1 files changed, 99 insertions, 0 deletions
diff --git a/src/content/post/extending-gpg-subkey-expiration-yubikey.md b/src/content/post/extending-gpg-subkey-expiration-yubikey.md
new file mode 100644
index 0000000..59790bc
--- /dev/null
+++ b/src/content/post/extending-gpg-subkey-expiration-yubikey.md
@@ -0,0 +1,99 @@
+---
+title: "Extending GPG Subkey Expiration on YubiKey"
+description: "How to extend the expiration date of GPG subkeys stored on a YubiKey"
+publishDate: "30 January 2026"
+tags: [security, gpg, yubikey, "en"]
+author: "Dawid"
+language: "en"
+---
+
+# Extending GPG Subkey Expiration on YubiKey
+
+I'm always forgetting how to do that, so I'll write one another step by step guide how to extend
+expiration of subkeys in yubikey.
+
+## First you need
+
+Master key available locally (not on YubiKey - get it from back-up that you have, don't you?)
+
+## Steps
+
+### 1. Verify your keys
+
+Plug in the YubiKey and check the current state:
+
+```bash
+gpg --card-status
+```
+
+You should see:
+- `sec` — master key (local)
+- `ssb>` — subkeys on YubiKey (the `>` indicates the key is on a smartcard)
+
+The full fingerprints are listed under:
+- **Signature key** — signing subkey
+- **Encryption key** — encryption subkey
+- **Authentication key** — authentication subkey
+
+### 2. Get master key fingerprint
+
+```bash
+gpg -K --with-subkey-fingerprints
+```
+
+Copy the full fingerprint of the master key.
+
+### 3. Extend subkey expiration
+
+Extend all three subkeys at once:
+
+```bash
+gpg --quick-set-expire <MASTER_FULL_FP> 1y <SIGN_FULL_FP> <ENC_FULL_FP> <AUTH_FULL_FP>
+```
+
+Or extend all subkeys (including old/dead ones) with a wildcard:
+
+```bash
+gpg --quick-set-expire <MASTER_FULL_FP> 1y '*'
+```
+
+### 4. Verify the new expiration
+
+```bash
+gpg --card-status
+```
+
+Confirm the `ssb>` subkeys show the updated expiry date.
+
+### 5. Export updated public key
+
+```bash
+gpg --export --armor <MASTER_KEY_ID> > pubkey.asc
+```
+
+The subkey expiration dates are stored in the public key metadata.
+Even though the key material hasn't changed, the updated expiry needs to be distributed.
+
+Remember to upload it to your:
+
+- git servers
+- keyservers (`gpg --send-keys <MASTER_KEY_ID>`)
+- any other service that verifies signatures
+
+The expiry metadata changed, so update your offline backup of the public key.
+
+## Additionally
+
+- **`pass`** requires no changes — it uses the same encryption subkey, just with a new expiry.
+- **Git signing** requires no local config changes — `git` uses the same key ID.
+- Only the public key export/upload is needed to keep external services working.
+
+## Useful links
+
+- [Change PGP Key Expiration Date — jms1](https://yubikey.jms1.info/maint/pgp-expiration.html)
+- [Changing the expiration date of your YubiKey — shibumi.dev](https://shibumi.dev/posts/changing-the-expiration-date-of-your-yubikey/)
+- [Extending an expired GPG key — WhyNotHugo](https://whynothugo.nl/journal/2023/07/13/extending-an-expired-gpg-key/)
+- [PGP on YubiKey / refresh expiry — OSSO](https://www.osso.nl/blog/2020/pgp-on-yubikey-refresh-expiry/)
+- [Renewing subkeys — drduh/YubiKey-Guide #101](https://github.com/drduh/YubiKey-Guide/issues/101)
+- [yubikey-gpg-expiry-extender — automation scripts](https://github.com/ahuemmer/yubikey-gpg-expiry-extender)
+- [Renew Expired GPG key — GitHub Gist](https://gist.github.com/krisleech/760213ed287ea9da85521c7c9aac1df0)
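Review bot: In step 3, the wildcard form `gpg --quick-set-expire <MASTER_FULL_FP> 1y '*'` is presented as a shortcut that also extends "old/dead" subkeys, with no caveat about whether that is wanted. Giving a retired subkey a fresh expiry makes it usable again, so the post should recommend the explicit-fingerprint form from the line above as the default and say when the wildcard is appropriate. The description is also worth checking against gpg(1), which documents `*` as applying to subkeys that are non-revoked and not yet expired; if that holds for the reader's version, already-expired subkeys have to be named by fingerprint. Separately, step 5 switches from `<MASTER_FULL_FP>` to `<MASTER_KEY_ID>`; using the full fingerprint throughout avoids ambiguity, and since the prerequisites bring the master key onto the local machine, a closing step on removing it again after the export would complete the procedure.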