Re: Secret key Questions regarding expiration and backing up
On Fri 2016-10-14 19:16:45 -0400, Andrew Gallagher wrote:

> my understanding is that a copy of some public key information (such
> as expiry dates) is kept in the corresponding secret key store, and
> this will be updated when the public key is edited.

This is exactly correct. See:

https://tools.ietf.org/html/rfc4880#section-5.5.3

    The Secret-Key and Secret-Subkey packets contain all the data of the
    Public-Key and Public-Subkey packets, with additional algorithm-specific
    secret-key data appended, usually in encrypted form.

Regards,

--dkg

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
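To make the RFC 4880 point above and Andrew's explanation concrete, here is an added example (not from the thread, and not GnuPG code) that builds a constructed public and secret export with dummy MPIs, then walks the packets to show two things: the secret-key packet carries the same public fields as the public-key packet, and the expiry is read from the key-expiration subpacket of the self-signature, so extending the expiry changes the exported secret key file while the secret-key packet itself is unchanged. It assumes a v4 RSA key and new-format packet headers with one-octet lengths; the key material is made up and is not a real key.

```python
import struct
from datetime import datetime, timezone

CREATED = int(datetime(2014, 10, 30, tzinfo=timezone.utc).timestamp())  # creation date from the thread

def mpi(value):  # OpenPGP MPI: 2-byte bit count, then big-endian magnitude
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def packet(tag, body):  # new-format header, one-octet length (bodies under 192 bytes)
    return bytes([0xC0 | tag, len(body)]) + body

def build_exports(expires_after):
    """Constructed public and secret exports (dummy MPIs, NOT a real key) sharing one self-signature."""
    public = bytes([4]) + struct.pack(">I", CREATED) + bytes([1]) + mpi(0xC0FFEE) + mpi(65537)
    d = mpi(0xBEEF)  # S2K usage octet 0 = unprotected secret MPI, then a 2-byte checksum
    secret = public + b"\x00" + d + struct.pack(">H", sum(d) % 65536)
    # hashed subpackets: type 2 (signature creation time) and type 9 (key expiration time)
    hashed = bytes([5, 2]) + struct.pack(">I", CREATED) + bytes([5, 9]) + struct.pack(">I", expires_after)
    sig = (bytes([4, 0x13, 1, 8]) + struct.pack(">H", len(hashed)) + hashed   # v4, 0x13 cert, RSA, SHA-256
           + struct.pack(">H", 0) + b"\x12\x34" + mpi(0xABCD))                # no unhashed, hash prefix, sig
    selfsig = packet(13, b"Example <example@example.invalid>") + packet(2, sig)
    return packet(6, public) + selfsig, packet(5, secret) + selfsig

def packets(stream):  # yield (tag, body); handles only the header form built above
    i = 0
    while i < len(stream):
        tag, length = stream[i] & 0x3F, stream[i + 1]
        yield tag, stream[i + 2:i + 2 + length]
        i += 2 + length

def public_part(body):  # public fields of a v4 RSA key packet; same layout for tag 5 and tag 6
    i = 6  # version, 4-byte creation time, algorithm octet
    for _ in range(2):  # RSA public MPIs n and e
        i += 2 + (struct.unpack(">H", body[i:i + 2])[0] + 7) // 8
    return body[:i]

def expiry_date(stream):
    """Expiry = key creation time + 'key expiration time' subpacket (type 9) of the self-signature."""
    created = seconds = None
    for tag, body in packets(stream):
        if tag in (5, 6):
            created = struct.unpack(">I", body[1:5])[0]
        elif tag == 2:
            area, i = body[6:6 + struct.unpack(">H", body[4:6])[0]], 0
            while i < len(area):
                if area[i + 1] == 9:
                    seconds = struct.unpack(">I", area[i + 2:i + 6])[0]
                i += 1 + area[i]
    return datetime.fromtimestamp(created + seconds, timezone.utc).date().isoformat()
```

Running `expiry_date` over both exports gives the same date, which is what `gpg --list-secret-keys` is reporting in the thread: the value lives in the self-signature, not in the secret-key packet.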
Re: Secret key Questions regarding expiration and backing up
On 14 Oct 2016, at 23:49, g...@noffin.com wrote:

> So for clarification then:
>
> If there are no expiry dates on secret keys, what does this output mean then?
>
> #gpg --list-secret-keys
>
> sec 2048R/ 2014-10-30 [expires: 2017-10-31]

The expiry date shown here is just a copy of the one on the public key. It is checked by gnupg to prevent it making signatures with a secret key that has an expired public key (and which are therefore unverifiable by others). I suppose you could think of this as being the expiry of the secret key, but it is always the same as that of the public key and the one on the public key is the important one.

> And my next question is then... When I exported my secret key and moved it
> to another machine - why did the contents of the export to file change
> between the extension of the expiration date? (I exported before and after
> to test).

I'll defer to someone more expert than me on the internals, but my understanding is that a copy of some public key information (such as expiry dates) is kept in the corresponding secret key store, and this will be updated when the public key is edited.

Andrew.
Re: Secret key Questions regarding expiration and backing up
> On 14 Oct 2016, at 19:11, g...@noffin.com wrote:
>>
>> Hi there - pretty new with GPG, but have been getting going with it
>> without much issue. I'm just curious about a few best practices and so
>> on.
>>
>> 1) Should you set an expiration on your secret key? Or do most people
>> just secure it appropriately (with no expiration)?
>
> Secret keys don't have expiration dates, only public keys. Best practice
> is to set an expiration date of a year or two in the future on the primary
> key, and either the same or shorter on your subkeys (I use the same expiry
> myself, for simplicity).
>
> The reason for this is that you may lose your secret material or forget
> your password, and you don't want stale keys hanging around on the
> internet forever with no indication that they are no longer usable.
>
>> 2) If you do have the secret key expire, and I have a backup of it (file
>> format) - And for some reason I forget to extend it before expiration -
>> can I still extend it?
>
> Yes. Just edit the public key and republish. The expiration date only
> informs other people that their software should stop using the key - it
> doesn't prevent you from doing anything.
>
> Andrew

So for clarification then:

If there are no expiry dates on secret keys, what does this output mean then?

#gpg --list-secret-keys

sec 2048R/ 2014-10-30 [expires: 2017-10-31]

And my next question is then... When I exported my secret key and moved it to another machine - why did the contents of the export to file change between the extension of the expiration date? (I exported before and after to test).

Thanks in advance!
Re: Secret key Questions regarding expiration and backing up
On 14 Oct 2016, at 19:11, g...@noffin.com wrote:

> Hi there - pretty new with GPG, but have been getting going with it
> without much issue. I'm just curious about a few best practices and so on.
>
> 1) Should you set an expiration on your secret key? Or do most people just
> secure it appropriately (with no expiration)?

Secret keys don't have expiration dates, only public keys. Best practice is to set an expiration date of a year or two in the future on the primary key, and either the same or shorter on your subkeys (I use the same expiry myself, for simplicity).

The reason for this is that you may lose your secret material or forget your password, and you don't want stale keys hanging around on the internet forever with no indication that they are no longer usable.

> 2) If you do have the secret key expire, and I have a backup of it (file
> format) - And for some reason I forget to extend it before expiration -
> can I still extend it?

Yes. Just edit the public key and republish. The expiration date only informs other people that their software should stop using the key - it doesn't prevent you from doing anything.

Andrew