path: root/src/content/post/extending-gpg-subkey-expiration-yubikey.md
---
title: "Extending GPG Subkey Expiration on YubiKey"
description: "How to extend the expiration date of GPG subkeys stored on a YubiKey"
publishDate: "30 January 2026"
tags: [security, gpg, yubikey, "en"]
author: "Dawid"
language: "en"
---

# Extending GPG Subkey Expiration on YubiKey

I keep forgetting how to do this, so I'll write one more step-by-step guide on how to extend the
expiration of the subkeys on a YubiKey.

## What you need first

The master key must be available locally (it is not on the YubiKey; restore it from the backup you keep, you do have one, don't you?).

## Steps

### 1. Verify your keys

Plug in the YubiKey and check the current state:

```bash
gpg --card-status
```

You should see:
- `sec` — master key (local); if it shows as `sec#` instead, the secret master key is not available locally and you need to restore it from your backup before continuing
- `ssb>` — subkeys on YubiKey (the `>` indicates the key is on a smartcard)

The full fingerprints are listed under:
- **Signature key** — signing subkey
- **Encryption key** — encryption subkey
- **Authentication key** — authentication subkey

### 2. Get the master key fingerprint

```bash
gpg -K --with-subkey-fingerprints
```

Copy the full fingerprint of the master key.

### 3. Extend subkey expiration

Extend all three subkeys at once:

```bash
gpg --quick-set-expire <MASTER_FULL_FP> 1y <SIGN_FULL_FP> <ENC_FULL_FP> <AUTH_FULL_FP>
```

Or extend all subkeys (including old/dead ones) with a wildcard (quoted so the shell does not expand it):

```bash
gpg --quick-set-expire <MASTER_FULL_FP> 1y '*'
```

### 4. Verify the new expiration

```bash
gpg --card-status
```

Confirm the `ssb>` subkeys show the updated expiry date.

### 5. Export updated public key

```bash
gpg --export --armor <MASTER_KEY_ID> > pubkey.asc
```

The subkey expiration dates are stored in the public key metadata.
Even though the key material hasn't changed, the updated expiry needs to be distributed.

Remember to upload it to your:

- git servers
- keyservers (`gpg --send-keys <MASTER_KEY_ID>`)
- any other service that verifies signatures

The expiry metadata changed, so update your offline backup of the public key.
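The steps above, done by script rather than by copying fingerprints around by hand. This is an added example, not code from the original post: it parses the machine-readable listing from `gpg -K --with-colons --with-subkey-fingerprints`, reports how many days each subkey has left, skips revoked subkeys (but keeps expired ones, which are exactly the ones a late renewal must extend), and assembles the same `--quick-set-expire` call as step 3. The colon-format field positions follow GnuPG's `doc/DETAILS`; the sample listing, its placeholder fingerprints and card serial, and the `--live` flag are all constructed for this example. With `GPG=echo` it only prints the command it would run.

```shell
#!/bin/sh
# Added example, not from the original post. Parses `gpg -K --with-colons
# --with-subkey-fingerprints` output and builds the --quick-set-expire call
# from the parsed fingerprints. POSIX sh + awk; gpg is only reached through
# $GPG, so GPG=echo gives a dry run. Field numbering follows GnuPG doc/DETAILS:
# sec = master secret key, ssb = secret subkey, fpr = fingerprint of the
# preceding key record (field 10); in sec/ssb records field 2 is validity
# ("r" = revoked, "e" = expired), field 7 the expiry as a Unix timestamp and
# field 12 the capabilities (s sign, e encrypt, a authenticate, c certify).
set -eu
GPG="${GPG:-gpg}"

# Constructed sample listing: placeholder hex, not real keys. Field 15 of the
# on-card ssb records stands in for the YubiKey serial gpg prints there.
SAMPLE_COLONS='sec:u:4096:1:AAAAAAAAAAAAAAAA:1700000000:::u:::cESCA:::+:::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:u::::1700000000::0000000000000000000000000000000000000000::Example User <user@example.invalid>::::::::::0:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1700000000:1770000000:::::s:::CARD-SERIAL-PLACEHOLDER:::23:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1700000000:1770000000:::::e:::CARD-SERIAL-PLACEHOLDER:::23:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:
ssb:u:4096:1:DDDDDDDDDDDDDDDD:1700000000:1770000000:::::a:::CARD-SERIAL-PLACEHOLDER:::23:
fpr:::::::::DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD:
ssb:r:4096:1:EEEEEEEEEEEEEEEE:1600000000:1650000000:::::e:::+:::23:
fpr:::::::::EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE:'

# One line per sec/ssb record: "<type> <validity> <expiry> <caps> <fingerprint>".
list_keys() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            type = $1
            validity = ($2 == "" ? "-" : $2)
            expiry = ($7 == "" ? "-" : $7)
            caps = ($12 == "" ? "-" : $12)
            next
        }
        $1 == "fpr" && type != "" { print type, validity, expiry, caps, $10 }
        { type = "" }   # any other record closes the pending key record
    '
}

# Fingerprint of the master key (the sec record).
master_fpr() { list_keys | awk '$1 == "sec" { print $5; exit }'; }

# Fingerprints of subkeys that are not revoked, optionally limited to one
# capability letter (s, e or a). Expired subkeys are kept on purpose.
live_subkey_fprs() {
    list_keys | awk -v cap="${1:-}" '
        $1 == "ssb" && $2 != "r" && (cap == "" || index($4, cap) > 0) { print $5 }'
}

# Whole days from $2 (now) until $1 (expiry); negative once it has passed.
days_until() { echo $(( ($1 - $2) / 86400 )); }

# "<fingerprint> <caps> <days left|none>" for every subkey, relative to $1.
subkey_expiry_report() {
    list_keys | awk -v now="$1" '
        $1 == "ssb" { print $5, $4, ($3 == "-" ? "none" : int(($3 - now) / 86400)) }'
}

# Succeeds while every non-revoked subkey has more than $1 days left at time
# $2; fails when a renewal is due (or overdue).
check_expiry() {
    list_keys | awk -v threshold="$1" -v now="$2" '
        $1 == "ssb" && $2 != "r" && $3 != "-" && ($3 - now) / 86400 <= threshold { due = 1 }
        END { exit (due ? 1 : 0) }'
}

# Extend every non-revoked subkey by $1 (e.g. 1y). Colon listing on stdin.
extend_live_subkeys() {
    period="$1"
    listing=$(cat)
    master=$(printf '%s\n' "$listing" | master_fpr)
    subs=$(printf '%s\n' "$listing" | live_subkey_fprs)
    [ -n "$master" ] || { echo "no master secret key in listing" >&2; return 2; }
    [ -n "$subs" ] || { echo "no live subkeys to extend" >&2; return 2; }
    # Needs the master secret key locally, as the post says. Word splitting of
    # $subs is intended: fingerprints are plain hex.
    # shellcheck disable=SC2086
    "$GPG" --quick-set-expire "$master" "$period" $subs
}

if [ "${1:-}" = "--live" ]; then
    # Real run against your keyring (plug in the YubiKey first): ./renew.sh --live 1y
    gpg -K --with-colons --with-subkey-fingerprints | extend_live_subkeys "${2:-1y}"
else
    # Dry run on the constructed sample; "now" is 2026-01-30 00:00 UTC.
    now=1769731200
    printf '%s\n' "$SAMPLE_COLONS" | subkey_expiry_report "$now"
    if printf '%s\n' "$SAMPLE_COLONS" | check_expiry 30 "$now"; then
        echo "all live subkeys have more than 30 days left"
    else
        echo "renewal due; command that would run:"
        GPG=echo
        printf '%s\n' "$SAMPLE_COLONS" | extend_live_subkeys 1y
    fi
fi
```

Run it with no arguments to see the dry run on the sample; `--live 1y` feeds your real keyring to the same functions and calls `gpg`, so it fails the same way step 3 would if the master key is not available locally. The revoked subkey in the sample is left out of the command, which is the difference between this and the `'*'` wildcard form.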

## Additionally

- **`pass`** requires no changes — it uses the same encryption subkey, just with a new expiry.
- **Git signing** requires no local config changes — `git` uses the same key ID.
- Only the public key export/upload is needed to keep external services working.

## Useful links

- [Change PGP Key Expiration Date — jms1](https://yubikey.jms1.info/maint/pgp-expiration.html)
- [Changing the expiration date of your YubiKey — shibumi.dev](https://shibumi.dev/posts/changing-the-expiration-date-of-your-yubikey/)
- [Extending an expired GPG key — WhyNotHugo](https://whynothugo.nl/journal/2023/07/13/extending-an-expired-gpg-key/)
- [PGP on YubiKey / refresh expiry — OSSO](https://www.osso.nl/blog/2020/pgp-on-yubikey-refresh-expiry/)
- [Renewing subkeys — drduh/YubiKey-Guide #101](https://github.com/drduh/YubiKey-Guide/issues/101)
- [yubikey-gpg-expiry-extender — automation scripts](https://github.com/ahuemmer/yubikey-gpg-expiry-extender)
- [Renew Expired GPG key — GitHub Gist](https://gist.github.com/krisleech/760213ed287ea9da85521c7c9aac1df0)