Renew your GPG RSA keys

Warning: the following information was from ChatGPT; it may not be correct. I will verify this in the next few days...

When your RSA subkeys expire in GnuPG, you will need to generate new subkeys and update your keyring.

Boot up Tails OS

Importing GnuPG Keys

$ cd ~
$ mv .gnupg/ .gnupg_ORIGINAL_$(date +"%Y-%m-%d-%H_%M_%S")/

# Let's see what USB drives are mounted. Is My_GPG_Data shown?
$ ls /media/$USER

# Was it called something else? If so, use that name instead of
# My_GPG_Data in the next copy command.

# In the next copy command be sure to include the dot at the end;
# it means "put the file in the current folder".
$ cp /media/$USER/My_GPG_Data/gpg-datadir.tgz .

# If the above command fails to copy, just use your File Manager to copy
# gpg-datadir.tgz from the LUKS USB disk to the root of your Home folder!

# Let's extract the compressed tar file (it should go into ~/.gnupg/ on its own)
$ tar -xzf gpg-datadir.tgz

# If it extracted okay, you will see your GPG subkeys listed after this command
$ gpg --list-secret-keys

# Next, copy the contents of your GPG_PWD.txt file into the clipboard for use in a moment
$ cat .gnupg/my_keys/GPG_PWD.txt

Generate new subkeys

Use the GnuPG command-line tool to generate new RSA subkeys with a later expiration date. For example, if your old subkeys were valid for two years, you may want to generate new subkeys that are valid for five years.

$ gpg --list-keys [YOUR-GPG-EMAIL]

Replace [key_ID] with the ID of the key (shown in the listing above) for which you want to generate new RSA subkeys.

$ gpg --expert --edit-key [key_ID]

Add a signature-only RSA subkey.

gpg> addkey
Please select what kind of key you want:
   (4) RSA (sign only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096

Please specify how long the key should be valid.
Key is valid for? (0) 5y
Is this correct? (y/N) y
Really create? (y/N) y

Add an encryption-only RSA subkey.

gpg> addkey
Please select what kind of key you want:
   (6) RSA (encrypt only)
Your selection? 6
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096

Please specify how long the key should be valid.
Key is valid for? (0) 5y
Is this correct? (y/N) y
Really create? (y/N) y

Add an authentication-only RSA subkey.

gpg> addkey
Please select what kind of key you want:
   (8) RSA (set your own capabilities)
Your selection? 8

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? S
Your selection? E
Your selection? A

Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Authenticate

Your selection? Q

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096

Please specify how long the key should be valid.
Key is valid for? (0) 5y
Is this correct? (y/N) y
Really create? (y/N) y

Save your changes and exit the key editing session.

gpg> save

With these steps, you should now have new RSA subkeys with longer expiration dates that you can use to encrypt, sign, or authenticate messages with GnuPG.

Be careful when thinking about revoking...

The order in which you add new RSA subkeys and revoke old subkeys matters. When you add a new subkey, make sure it is working properly before revoking any old subkeys: if the new subkey does not work as expected, you may not be able to access your encrypted data or sign messages with your key.

Additionally, consider the expiration date of your old subkeys before revoking them. If you revoke an old subkey before its expiration date, any encrypted data or signed messages that were created using that subkey will no longer be accessible or verifiable. Therefore, it is recommended that you wait until the old subkey has expired before revoking it.

In summary, it is generally best practice to add a new subkey and ensure it is working properly before revoking any old subkeys, and to wait until an old subkey has expired before revoking it.
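Before revoking anything, an inventory of the subkeys answers the two questions above (is there a still-valid subkey for each of sign, encrypt and authenticate, and which old subkeys have already expired) and also shows where each secret subkey lives, which is what the ssb> marker in the YubiKey step later on conveys. The script below is an added example, not part of the original notes: it reads the machine-readable listing from gpg --list-secret-keys --with-colons with awk. The embedded listing, its key IDs and the card serial number are constructed sample data, and the field positions are the ones documented in GnuPG's doc/DETAILS.

```shell
#!/bin/sh
# Added example, not part of the original page: read the machine-readable
# listing from `gpg --list-secret-keys --with-colons` and print, per subkey,
# its capabilities, expiry and where the secret material lives, so the
# "is the new subkey usable, is the old one expired" questions can be
# answered before anything is revoked.  Field numbers follow GnuPG's
# doc/DETAILS: 3=bits, 5=key ID, 7=expiry (epoch seconds), 12=capabilities,
# 15="+" secret key on this machine, "#" stub with no secret key, otherwise
# the serial number of the token (YubiKey) that holds it.

# Constructed sample listing (fake key IDs and serial number): two expired
# 2-year subkeys (s, e) plus three new 5-year subkeys (s, e, a); the new
# encryption subkey has been moved to a card, the new auth subkey is a stub.
SAMPLE_LISTING='sec:u:4096:1:0123456789ABCDEF:1600000000:::u:::cESCA:::+::::
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1600000000::0000000000000000000000000000000000000000::Alice Example <alice@example.org>::::::::::0:
ssb:e:4096:1:1111111111111111:1600000000:1663000000:::::s:::+::::
ssb:e:4096:1:2222222222222222:1600000000:1663000000:::::e:::+::::
ssb:u:4096:1:3333333333333333:1700000000:1857000000:::::s:::+::::
ssb:u:4096:1:4444444444444444:1700000000:1857000000:::::e:::D2760001240100000006012345670000::::
ssb:u:4096:1:5555555555555555:1700000000:1857000000:::::a:::#::::'

# subkey_report LISTING NOW_EPOCH
# One line per ssb record: KEYID BITS CAPS EXPIRES STATUS LOCATION
subkey_report() {
    printf '%s\n' "$1" | awk -F: -v now="$2" '
        $1 == "ssb" {
            keyid = $5; bits = $3; caps = $12; expiry = $7; serial = $15
            if (expiry == "") { status = "no-expiry" }
            else if (expiry + 0 <= now + 0) { status = "EXPIRED" }
            else { status = "valid" }
            if (serial == "+") { location = "local" }
            else if (serial == "#") { location = "MISSING-STUB" }
            else if (serial != "") { location = "card:" serial }
            else { location = "unknown" }
            if (expiry == "") { expiry = "never" }
            printf "%s %s %s %s %s %s\n", keyid, bits, caps, expiry, status, location
        }'
}

# expired_subkeys LISTING NOW_EPOCH
# Key IDs of subkeys that have already expired (the ones the notes above
# say are safe to revoke)
expired_subkeys() {
    subkey_report "$1" "$2" | awk '$5 == "EXPIRED" { print $1 }'
}

# has_valid_caps LISTING NOW_EPOCH
# Succeed only if some still-valid subkey covers each of sign (s),
# encrypt (e) and authenticate (a); fail if revoking would leave a gap
has_valid_caps() {
    subkey_report "$1" "$2" | awk '
        $5 == "valid" {
            if (index($3, "s")) s = 1
            if (index($3, "e")) e = 1
            if (index($3, "a")) a = 1
        }
        END { exit (s && e && a) ? 0 : 1 }'
}

# Stand-alone demo on the constructed sample; on a real machine use
#   subkey_report "$(gpg --list-secret-keys --with-colons)" "$(date +%s)"
subkey_report "$SAMPLE_LISTING" "$(date +%s)"
```

Run it against the real listing with subkey_report "$(gpg --list-secret-keys --with-colons)" "$(date +%s)". If has_valid_caps fails, at least one capability is no longer covered by a live subkey, so revoking the old one would leave a gap. For scripting, the same three subkeys can be created without the addkey dialogue using gpg --quick-add-key [fingerprint] rsa4096 sign 5y, and likewise with encr and auth in place of sign.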

To revoke old RSA subkeys (Optional)

You can follow these general steps:

List the subkeys associated with your RSA key pair:

$ gpg --list-keys --with-subkey-fingerprint [key ID]

Identify the subkey you want to revoke based on its ID or fingerprint.

Revoke the subkey with the following commands, replacing [subkey ID] with the ID (or list index) of the subkey you want to revoke. key selects the subkey and revkey revokes the selected subkey:

$ gpg --edit-key [key ID]
gpg> key [subkey ID]
gpg> revkey
gpg> save

Update your public key on key servers [replace pool.sks-keyservers.net with the keyserver you used in the past; if none, skip the next step]:

$ gpg --keyserver pool.sks-keyservers.net --send-keys [key ID]

Notify anyone who may have been using the revoked subkey to use the remaining valid subkeys or generate new subkeys.

Move Subkeys into the YubiKey

Insert your YubiKey now.

Here we will modify your key to move the subkeys from your keyring to the YubiKey. This is a destructive, one-way operation: only do this on a copy of your gnupg directory, as it erases the keys from the keyring in the gnupg folder and leaves only a link (stub) pointing at the YubiKey.
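A backup that has never been restored is only a hope. The script below is an added example (not from the original notes) that archives the GnuPG home directory and then proves the archive is good by extracting it into a scratch directory and comparing every file's SHA-256 with the original, so the copy you are about to alter with keytocard is known to be recoverable. The directory and archive names match the ones used earlier on this page; the files the demo creates are constructed stand-ins, not real key material.

```shell
#!/bin/sh
# Added example, not part of the original page: before the one-way keytocard
# step, archive the GnuPG home directory and prove the archive restores
# byte-for-byte.  The same check applies to the gpg-datadir.tgz made at the
# start of these notes.

# sha256_file FILE : "hash  path" using whichever sha-256 tool is installed
sha256_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi
}

# hash_tree DIR : one "hash  ./relative/path" line per regular file, sorted
# so two trees with identical content produce identical text
hash_tree() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          sha256_file "$f"
      done )
}

# backup_gnupg SRC_DIR OUT_TGZ : archive SRC_DIR; umask 077 keeps the
# archive (which holds secret keys) readable only by you
backup_gnupg() {
    ( umask 077 && tar -C "$(dirname "$1")" -czf "$2" "$(basename "$1")" )
}

# verify_backup OUT_TGZ SRC_DIR : extract into a private scratch directory,
# compare every file hash against SRC_DIR, succeed only on an exact match
verify_backup() {
    scratch=$(mktemp -d) || return 1
    tar -C "$scratch" -xzf "$1" || { rm -rf "$scratch"; return 1; }
    expected=$(hash_tree "$2")
    actual=$(hash_tree "$scratch/$(basename "$2")")
    rm -rf "$scratch"
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Usage (runs only when both arguments are given), e.g. on Tails:
#   sh this_script.sh "$HOME/.gnupg" "/media/$USER/My_GPG_Data/gpg-datadir.tgz"
if [ $# -eq 2 ]; then
    backup_gnupg "$1" "$2" && verify_backup "$2" "$1" && echo "backup verified: $2"
fi
```

verify_backup fails if any file differs, is missing, or the archive cannot be extracted, so a non-zero exit means do not proceed with keytocard until you have a backup that verifies.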

$ gpg --expert --edit-key [YOUR-GPG-EMAIL]

Moving your signature-only subkey to the YubiKey's signature key slot. key 1 selects the first subkey in the order the edit session lists them; if the expired subkeys are still in the keyring, the new ones have higher numbers, so check the list first. Typing key 1 again afterwards deselects it.

gpg> help
gpg> key 1
gpg> keytocard
Please select where to store the key:
   (1) Signature key
   (3) Authentication key
Your selection? 1
gpg> key 1

Moving your encryption-only subkey to the YubiKey’s encryption key slot.

gpg> key 2
gpg> keytocard
Please select where to store the key:
   (2) Encryption key
Your selection? 2
gpg> key 2

Moving your authentication-only subkey to the YubiKey’s authentication key slot.

gpg> key 3
gpg> keytocard
Please select where to store the key:
   (3) Authentication key
Your selection? 3
gpg> key 3

Save these changes and quit the key editing session.

gpg> save
$ gpg --card-status
$ gpg --list-secret-keys
The output should show ssb> for each subkey. The > means the key is not on the computer but kept on the external USB device! Cool!!!

Export the renewed Public Key

Export your public key with the new subkeys using this command:

$ gpg --export -a [key ID] > my_public_key.asc

Distribute the new public key: if you have shared your old public key with others, you will need to distribute your new public key to them as well, so that they can encrypt messages to you using your new subkeys. Be sure to copy my_public_key.asc onto a USB drive so you can use it later on your main PC.

Boot into main Online Ubuntu Computer

Import Public GPG/RSA Keys

Update your keyring by importing the new public key with this command:

$ gpg --import my_public_key.asc

By following these steps, you can ensure that your GnuPG keyring is up-to-date and your RSA subkeys are valid for the desired period.