GPG: Upgrade your keys

Did your existing gpg key pair expire, or do you need to upgrade to a higher number of bits? Just follow the short steps listed below.

Let's start with generating a new key pair:
$ gpg --gen-key

Select the following options:

  • RSA and RSA (default)
  • key length: 4096
  • Expiry: 0 (key does not expire)
  • enter your name
  • enter your e-mail address
  • enter a passphrase

Sign your new key using your old key:
$ gpg --default-key <old id> --sign-key <new id>
(use gpg --list-keys to see the ids of the keys in your key chain)

Send the newly created public key to a public key-server:
$ gpg --keyserver pgp.mit.edu --send-key <new id>

Save the revocation certificate and the public/private keys into a single file named "print" for printing and storing somewhere safe:
$ gpg --armor --gen-revoke <new id> > print
$ gpg --armor --export <new id> >> print
$ gpg --armor --export-secret-key <new id> >> print

Generate a revocation certificate for your old key, then revoke it in your key chain and on the server:
$ gpg --armor --output revoke.asc --gen-revoke <old id>
$ gpg --import revoke.asc
$ gpg --keyserver pgp.mit.edu --send-key <old id>
