Why should I have my GPG key expire?

Question

When creating a key pair using gpg it asks me for an expiration date:

$ gpg --gen-key

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years

Why is this needed and what are the advantages of having an expiration date?

score 3 · Answer 1 · answered Feb 17 '15 at 14:11

3

If your private key ever leaked then at least the damage would be time limited.

https://www.gnupg.org/gph/en/manual/c481.html

answered Feb 17 '15 at 14:11

RLinds

39
1

11

No, this is **plain wrong**. See my answer to http://security.stackexchange.com/questions/14718/does-gpg-key-expiration-add-to-security/79386#79386 (where the top-voted answer is plain wrong, again). – Jens Erat Feb 17 '15 at 15:24
@JensErat Sure you could extend the expiry but that's open to detection, especially when there's an alternative replacement with new keys (assuming you generate new keys) knocking about. In addition if you do change the keys on expiry then the old keys are useless for eavesdropping, only good for impersonation. – RLinds Feb 17 '15 at 20:20
1

Why trust in somebody to realize a changed expiration date (nobody will), when you could simply revoke your key instead (people will realize, as their client software tells them)? Switching subkeys is a completely unrelated matter. – Jens Erat Feb 17 '15 at 22:14

Why should I have my GPG key expire?

1 Answers1