
I've been using GnuPG with an offline master + online subkey setup for a while now. All my email is signed with the signing-only subkey and encryption is done with the encryption-only subkey. The subkeys are 4096 bits. This setup works well, but I wanted to improve security so I got a Yubikey Neo.

Because the Yubikey only supports 2048-bit keys, I generated another pair of subkeys on a secure machine and uploaded them to the Yubikey. Now I have two pairs of encryption and signing subkeys on my keyring. GnuPG will use the newest suitable subkeys automatically, so my earlier set of subkeys is basically redundant.

I keep all the subkeys on my main offline keychain, but I don't want them cluttering up the keychain on my primary portable devices (laptop, etc.). My plan is to also rekey the Yubikey often (at least once a year) so I'll have to deal with a growing list of superseded subkeys.

If someone sends data encrypted to one of my old subkeys, I'll have to dig out the offline keyring in order to decrypt it. This is quite a pain and I'd rather avoid doing so.

What's the best strategy for discontinuing use of old but still uncompromised subkeys? Revoke them? Set a short expiration date and wait for them to expire?

Pavel
    May I ask why you plan to rekey the yubikey that often? The probability that someone copied your gpg key is very low, given that you still possess the yubikey. – Josef Jul 29 '15 at 18:58



Exchanging Keys on a Regular Basis

If you intend to switch subkeys on a regular basis (for example yearly, as you proposed), setting an expiration date seems a reasonable thing to do. Unlike expiration, other OpenPGP users will notice an outdated subkey anyway (which will trigger them updating your key, to look for new subkeys). Creating new subkeys in advance might help distribute them, as key servers need some time to spread updates (between seconds and a bunch of minutes).

Consider setting up a reminder in your calendar; I often see people forget to create new subkeys. When using smart cards like the Yubikey, remember you cannot download keys created on the device, so consider creating them locally and uploading them instead.

Revoking old Subkeys

Revocation does not necessarily imply your keys are compromised. There's a flag to indicate your (sub)keys are simply superseded and shouldn't be used any more. Revoking a key instead of just forgetting about it will also prevent possible attackers from using leaked keys after a time (this will probably be the reason you want to exchange keys every now and then, so also revoke the old ones!).

Remember revoking subkeys is nothing complicated and does not have any negative impact on certifications you received or issued.

Deleting old Subkeys

I don't see a reason not to store revoked and/or expired encryption subkeys on your "daily-use-computer" any more. You will not be able to read old encrypted messages any more if you do so! Removing the old (private) signing subkeys is not a problem, as only the public key is needed for verification, you will not use the private key any more anyway.

Jens Erat
  • Thank you for the thorough reply! In terms of generating subkeys in advance, does gpg allow for any type of "not-valid-before" flag (reverse expiration) like SSL certs? That would make key management much easier. – Pavel May 31 '15 at 08:01
  • I'm not aware of anything like this, nor does RFC 4880 indicate such a feature. You might be able to "fake" such a reverse expiration by setting a future system time during key creation, but I could imagine problems with different OpenPGP clients doing so and wouldn't recommend it. If you want to give it a try anyway, GnuPG has a `--faked-system-time` option, or have a look at the `faketime` utility. – Jens Erat May 31 '15 at 08:08
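The three steps the answer describes (shorten the old subkey's expiry, revoke it with the "superseded" reason, delete only its secret part from the daily-use machine) as one runnable shell walkthrough. This is an added example, not code from the question, the answer, or the GnuPG project; it assumes GnuPG 2.2 or later with gpg, gpg-connect-agent and gpgconf on PATH, and it builds its own throwaway keyring with a constructed user ID so nothing touches the reader's real keys.

```shell
#!/bin/sh
# Added example, not code from the original answer: walk a superseded GnuPG
# signing subkey through the three steps the answer describes (shorten its
# expiry, revoke it as "superseded", drop its secret part locally) inside a
# throwaway keyring. Assumes GnuPG 2.2 or later with gpg, gpg-connect-agent
# and gpgconf on PATH; the user ID and all key material are constructed here.
set -eu

DEMO_UID="Rotation Demo <rotation@example.invalid>"   # constructed test identity

# Non-interactive gpg; the demo keys carry no passphrase.
g() { gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }

# Nth fingerprint of a key listing (1 = primary key, 2 = first subkey, ...).
nth_fpr() {
    gpg --batch --with-colons --list-keys "$1" |
        awk -F: -v n="$2" '$1=="fpr"{c++; if (c==n) {print $10; exit}}'
}
# Nth keygrip; gpg-agent keeps the secret part in private-keys-v1.d/<keygrip>.key.
nth_grip() {
    gpg --batch --with-colons --with-keygrip --list-keys "$1" |
        awk -F: -v n="$2" '$1=="grp"{c++; if (c==n) {print $10; exit}}'
}
# Column $3 of the "sub" record whose fingerprint is $2 (2 = validity, 7 = expiry).
sub_field() {
    gpg --batch --with-colons --list-keys "$1" |
        awk -F: -v f="$2" -v col="$3" '$1=="sub"{v=$col} $1=="fpr" && $10==f {print v; exit}'
}

demo_retire_subkey() {
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    chmod 700 "$GNUPGHOME"

    # Certify-only primary (the "offline master"), an old signing subkey, and its replacement.
    g --quick-generate-key "$DEMO_UID" rsa2048 cert never
    FPR=$(nth_fpr "$DEMO_UID" 1)
    g --quick-add-key "$FPR" rsa2048 sign 1y       # the subkey to be superseded
    g --quick-add-key "$FPR" rsa2048 sign 1y       # its replacement (e.g. the smart-card one)
    OLD_SUB=$(nth_fpr "$FPR" 2); NEW_SUB=$(nth_fpr "$FPR" 3)
    OLD_GRIP=$(nth_grip "$FPR" 2); PRIMARY_GRIP=$(nth_grip "$FPR" 1)

    # Step 1: a short expiry lets copies of the key on key servers age out by themselves.
    g --quick-set-expire "$FPR" 1w "$OLD_SUB"
    OLD_EXPIRES=$(sub_field "$FPR" "$OLD_SUB" 7)   # epoch seconds in colon output
    NEW_EXPIRES=$(sub_field "$FPR" "$NEW_SUB" 7)

    # Step 2: revoke with reason 1 = "Key has been superseded", not "compromised".
    # Answers go through --command-fd: select subkey 1, revkey, confirm, reason 1,
    # empty description line, confirm, save.
    printf 'key 1\nrevkey\ny\n1\n\ny\nsave\n' |
        gpg --no-tty --command-fd 0 --status-fd 2 --edit-key "$FPR"
    OLD_STATUS=$(sub_field "$FPR" "$OLD_SUB" 2)    # "r" once revoked
    NEW_STATUS=$(sub_field "$FPR" "$NEW_SUB" 2)

    # Step 3: delete only the old signing subkey's secret part; its public part stays so
    # old signatures still verify. A "!" suffix restricts --delete-secret-keys to that
    # subkey; fall back to asking gpg-agent by keygrip. Old *encryption* subkeys would be
    # kept, as the answer says, or old mail becomes unreadable.
    SECRET_FILE="$GNUPGHOME/private-keys-v1.d/$OLD_GRIP.key"
    HAD_SECRET=$( [ -f "$SECRET_FILE" ] && echo yes || echo no )
    g --delete-secret-keys "${OLD_SUB}!" 2>/dev/null ||
        gpg-connect-agent "DELETE_KEY --force $OLD_GRIP" /bye >/dev/null
    SECRET_LEFT=$( [ -f "$SECRET_FILE" ] && echo yes || echo no )
    PRIMARY_LEFT=$( [ -f "$GNUPGHOME/private-keys-v1.d/$PRIMARY_GRIP.key" ] && echo yes || echo no )

    gpgconf --kill gpg-agent
    rm -rf "$GNUPGHOME"
}

if command -v gpg >/dev/null 2>&1; then
    demo_retire_subkey
    echo "old subkey: validity=$OLD_STATUS expires=$OLD_EXPIRES secret kept=$SECRET_LEFT"
    echo "new subkey: validity=$NEW_STATUS expires=$NEW_EXPIRES primary secret kept=$PRIMARY_LEFT"
else
    echo "gpg not found; nothing to demonstrate" >&2
fi
```

After the run, the old subkey shows validity `r` (revoked) in the colon listing and its secret file is gone from `private-keys-v1.d`, while the primary key and the replacement subkey keep their secret parts. On a real keyring the same commands apply with the real fingerprints; the revocation reason code 1 is what tells other OpenPGP users the subkey was retired rather than compromised.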