
Need to understand more about key expiration date

Created: 06 May 2011 | 1 comment

I use PGP Command Line to communicate with our bank.  The bank requires keys to have a two year expiration and I'm coming up on renewal.

Not sure what the best way to proceed is.  I can create a new set of keys and exchange them with the bank, but this is going to require a change window when the keys are replaced at both ends.  Moreover, it's going to complicate things if I have to go back and decrypt archive copies of stuff I've encrypted with the old key.

I notice that there are options to set/remove expiration dates on keys (--remove-expiration-date and --set-expiration-date).

My questions are:

1.  Can I run these commands against existing keys, or are these only available when I'm creating a key pair?

2.  What, if anything, bad happens between the time I change the expiration date at my end and the point at which the bank applies the updated key with the new expiration date at their end.  Stated another way, will bad things happen if my copy and their copy of the key have different expiration dates?

Thanks in advance,

Bob Troxel


Yes, you can use these commands to update the expiration time of an existing key.  The bank can continue to use your "older" key until they install your updated one and neither of you will have any issues.  However, if your key does expire, then they will not be able to use it until they replace it with the newer version.


David Finkelstein

Symantec R&D
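
An added example, not part of the thread and not PGP Command Line's own code: assuming the keys are OpenPGP (RFC 4880) keys, the expiration is stored in the key's self-signature as a number of seconds after key creation, so extending it adds a newer self-signature and leaves the key material unchanged. The sketch parses that subpacket from constructed data (all dates and validity periods are made up) and shows the bank's stale copy staying usable only until its old expiry passes.

```python
import struct
from datetime import datetime, timezone

SIG_CREATED, KEY_EXPIRES = 2, 9   # RFC 4880 signature subpacket types
DAY = 86400

def ts(y, m, d):
    return int(datetime(y, m, d, tzinfo=timezone.utc).timestamp())

def subpacket(kind, value):
    # length octet (type + 4 data octets), type octet, big-endian 32-bit value
    return bytes([5, kind]) + struct.pack(">I", value)

def parse_times(area):
    """Extract the 4-octet time subpackets from a hashed subpacket area."""
    found, i = {}, 0
    while i < len(area):
        first = area[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", area[i + 1:i + 5])[0], i + 5
        if length < 1 or i + length > len(area):
            raise ValueError("truncated subpacket")
        kind, body = area[i] & 0x7F, area[i + 1:i + length]  # bit 7 is the critical flag
        if kind in (SIG_CREATED, KEY_EXPIRES) and len(body) == 4:
            found[kind] = struct.unpack(">I", body)[0]
        i += length
    return found

def effective_expiry(key_created, selfsig_areas):
    """Expiry taken from the newest self-signature; None means no expiration."""
    newest = max((parse_times(a) for a in selfsig_areas), key=lambda s: s.get(SIG_CREATED, 0))
    validity = newest.get(KEY_EXPIRES, 0)      # seconds after key creation
    return key_created + validity if validity else None

def can_encrypt_to(key_created, selfsig_areas, when):
    expiry = effective_expiry(key_created, selfsig_areas)
    return expiry is None or when < expiry

# Constructed sample data: one key, two self-signatures over the same key material.
KEY_CREATED = ts(2009, 5, 20)
ORIGINAL = subpacket(SIG_CREATED, KEY_CREATED) + subpacket(KEY_EXPIRES, 730 * DAY)
EXTENDED = subpacket(SIG_CREATED, ts(2011, 5, 6)) + subpacket(KEY_EXPIRES, 1460 * DAY)
BANK_COPY = [ORIGINAL]             # the bank has not imported the update yet
MY_COPY = [ORIGINAL, EXTENDED]     # local key after extending the expiration

if __name__ == "__main__":
    for name, copy in (("bank", BANK_COPY), ("mine", MY_COPY)):
        print(name, datetime.fromtimestamp(effective_expiry(KEY_CREATED, copy), timezone.utc).date())
```
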