
Question: If I extend my PGP key pair expiration date?

Created: 31 Oct 2012 | 8 comments

If I extend my PGP key pair expiration date using (pgp --set-expiration-date), will the key work with the existing public key?

I assume it does, but I am checking for sure.

Thanks, Peter


Tom Mc's picture

If you change your key's expiration date, your key will now expire on whatever date you have set (unless you change it again). If someone else has a copy of your public key with the old expiration date, they must update your public key (such as syncing it with a key server that has an updated copy) to be able to encrypt to your public key after the previous expiration date.

When you consider your issue resolved, please click Mark As Solution on the most helpful response.

Mohammad Ashkaibi's picture

Interesting. But how to change this as well for keys stored on USB tokens?

Thanks!

Tom Mc's picture

I would try it from the PGP Desktop All Keys window.  Of course, it would be necessary to have the token inserted.  I'm not a command line user of PGP, so can't help with this.

Mylapore's picture

Hi Tom

I have a subkey that is set to expire within the next 30 days. Instead of trying to move the expiration, if I create a new subkey - is that better? Is there a preference? Would have to send the client the public key again either way (new subkey or extend expiration of current subkey). Also - is it possible to just export the public key for the subkey? Or is it a combination of the pair including the subkey?

Also just to re-iterate, if I extend the expiration of the key, the existing decryption for the clients should continue to work until the expiration date, right? They need to update the new public key before the expiration day. Say it is expiring Jan 20 2013. I change the subkey expiration to Jan 20 2014. The existing public key for the client should continue to work until Jan 20 2013. Is that right? They should update the new key by Jan 20 2013. Else it will fail on Jan 21 2013.

Thanks

dfinkelstein's picture

An encryption subkey can always be used to decrypt data, even if it is expired.  So you can create a new encryption subkey, and give your (updated) public key out, and people will encrypt data to your new encryption subkey, but you can continue to decrypt old, existing data with your expired subkey.  You will have to send out an updated version of your key even if you choose to update the expiration time, since otherwise your partners will have the "old" version that shows a soon-to-expire subkey, and they will not be able to encrypt to it (once the expiration date comes).

You do not export just the public portion of the subkey.  You export your entire public key, and that will include the public portions of your subkeys.

Have I answered your question?

Regards,

--------

David Finkelstein

Symantec R&D
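
Added example (not part of the thread and not Symantec's code): a small Python model of why partners need the updated public key. In OpenPGP (RFC 4880) a subkey's expiration is a "key expiration time" subpacket inside the binding self-signature that travels with the public key, so a stale copy only knows the old date. The key creation date, signature dates and helper names are constructed for illustration; the Jan 20 2013 and Jan 20 2014 dates are the ones from the question above.

```python
import struct
from datetime import datetime, timezone

SIG_CREATED = 2     # RFC 4880 5.2.3.4: signature creation time
KEY_EXPIRATION = 9  # RFC 4880 5.2.3.6: seconds AFTER key creation, 0/absent = never

def ts(y, m, d):
    return int(datetime(y, m, d, tzinfo=timezone.utc).timestamp())

def subpacket(kind, value):
    # One-octet length (type octet + 4-byte body), type, big-endian uint32 body.
    return bytes([5, kind]) + struct.pack(">I", value)

def parse_subpackets(area):
    """Parse a subpacket area into {type: uint32}; short length form only."""
    out, i = {}, 0
    while i < len(area):
        length, kind = area[i], area[i + 1]
        if length != 5:
            raise ValueError("only 4-byte time subpackets are modelled here")
        out[kind] = struct.unpack(">I", area[i + 2:i + 1 + length])[0]
        i += 1 + length
    return out

def binding_sig(made, key_created, expires):
    # Constructed stand-in for the hashed subpackets of a subkey binding signature.
    return subpacket(SIG_CREATED, made) + subpacket(KEY_EXPIRATION, expires - key_created)

def subkey_expiry(key_created, binding_sigs):
    """Expiry according to the newest binding signature in this copy of the key
    (RFC 4880 recommends preferring the most recent self-signature)."""
    newest = max((parse_subpackets(s) for s in binding_sigs),
                 key=lambda p: p[SIG_CREATED])
    delta = newest.get(KEY_EXPIRATION, 0)
    return key_created + delta if delta else None

def can_encrypt_to(key_created, binding_sigs, now):
    # Senders refuse an expired subkey; the owner's decryption does not depend on this.
    expiry = subkey_expiry(key_created, binding_sigs)
    return expiry is None or now < expiry

# Constructed sample data: subkey created 2012-01-20, extended on 2012-12-15.
SUBKEY_CREATED = ts(2012, 1, 20)
OLD_SIG = binding_sig(ts(2012, 1, 20), SUBKEY_CREATED, ts(2013, 1, 20))
NEW_SIG = binding_sig(ts(2012, 12, 15), SUBKEY_CREATED, ts(2014, 1, 20))
STALE_COPY = [OLD_SIG]             # what a partner holds before re-importing
UPDATED_COPY = [OLD_SIG, NEW_SIG]  # the re-exported public key

if __name__ == "__main__":
    for name, copy in (("stale", STALE_COPY), ("updated", UPDATED_COPY)):
        print(name, "can encrypt on 2013-01-21:",
              can_encrypt_to(SUBKEY_CREATED, copy, ts(2013, 1, 21)))
```
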

Mylapore's picture

Wonderful. Yes you answered everything so well. Thanks so much! Happy Holidays & Have a wonderful New Years :-)

Thanks again

Mylapore's picture

Related question...

I tried to extend the expiration of my subkey

pgp --set-expiration-date --expiration-date 2015-01-10 0x939E72AF --passphrase PASSWORD

- I know that 0x939E72AF is the SUBKEY ID. But I get this message back

0x939E72AF:set expire date (2002:key to edit not found)

I do see the subkey in the fingerprint. I don't want to change the expiration for the key. Just this one SUBKEY needs to be extended. Can you please let me know what I am missing here?

Many Thanks