AGWA / git-crypt

Transparent file encryption in git
https://www.agwa.name/projects/git-crypt/
GNU General Public License v3.0
8.11k stars, 472 forks

Proper procedure for updating an expired GPG key #221

Open theoryshaw opened 3 years ago

theoryshaw commented 3 years ago

Does anyone know the proper procedure for updating an expired GPG key?

We use the following steps, and they seemed to work, but I'm wondering if this is the best approach...


Hypothetically speaking, however, what happens if a repo only has one person with a GPG key, and that key expires? Is there any way, after that, for that person to update their key? Or will they be locked out of the repo from that point forward?

yorikvanhavre commented 3 years ago

It might be wise to save the symmetric key of such repos somewhere as a backup, maybe...

alerque commented 3 years ago

You should be able to renew your GPG key normally and keep using git-crypt with no changes. The keys themselves don't change on renewal, only the marked validity date range.

If you are invalidating or otherwise dropping a key and adding a new one, then of course you'll need to adjust access in your repos by adding the new key and then dropping the old one (probably in that order, not the reverse of what you suggested above), but that is not the normal way to handle GPG key renewal. That would only apply if your private key was lost or compromised.
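The two points above (alerque's: renewing expiry leaves the key itself, and so its fingerprint, unchanged; yorikvanhavre's: keep track of who can unlock a repo, and back up the symmetric key) can be checked with a small POSIX shell script. This is an added example, not code from this thread or from the git-crypt project. It assumes `gpg` (GnuPG 2.1 or later, for `--quick-generate-key` and `--quick-set-expire`) is on `PATH`, and it assumes git-crypt's on-disk layout of one `.git-crypt/keys/default/0/<FINGERPRINT>.gpg` entry per authorized GPG key; the test identity `Test User <test@example.invalid>` is constructed for the demonstration only.

```shell
#!/bin/sh
# Added example; not part of git-crypt or this thread.
# Assumes: gpg (GnuPG 2.1+) on PATH, and git-crypt's per-user key entries
# living at .git-crypt/keys/default/0/<FINGERPRINT>.gpg.

# 1) Renewal keeps the fingerprint. Generate a throwaway key that expires in
#    one day, push its expiry out a year, and compare fingerprints before and
#    after. Prints "same", "changed", or "skipped" (gpg missing or unusable).
renewal_keeps_fingerprint() {
    command -v gpg >/dev/null 2>&1 || { echo skipped; return 0; }
    home=$(mktemp -d) || { echo skipped; return 0; }
    export GNUPGHOME="$home"
    # constructed test identity, 1-day expiry, no passphrase
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Test User <test@example.invalid>' default default 1d \
        >/dev/null 2>&1 \
        || { rm -rf "$home"; unset GNUPGHOME; echo skipped; return 0; }
    before=$(gpg --with-colons --list-keys 2>/dev/null | awk -F: '/^fpr/ {print $10; exit}')
    # "renew": extend the expiry of the SAME key by one year
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-set-expire "$before" 1y >/dev/null 2>&1 \
        || { rm -rf "$home"; unset GNUPGHOME; echo skipped; return 0; }
    after=$(gpg --with-colons --list-keys 2>/dev/null | awk -F: '/^fpr/ {print $10; exit}')
    rm -rf "$home"
    unset GNUPGHOME
    if [ -n "$before" ] && [ "$before" = "$after" ]; then echo same; else echo changed; fi
}

# 2) Audit which GPG fingerprints a git-crypt repo grants access to, and flag
#    entries whose key is expired, revoked, or not in the local keyring.
#    Prints one line per entry: "<fingerprint> <ok|expired|revoked|unknown>".
audit_gitcrypt_users() {
    repo=$1
    dir="$repo/.git-crypt/keys/default/0"
    [ -d "$dir" ] || { echo "no git-crypt GPG key directory under $repo" >&2; return 1; }
    for f in "$dir"/*.gpg; do
        [ -e "$f" ] || continue
        fpr=$(basename "$f" .gpg)
        # field 2 of the 'pub' record is the validity: e=expired, r=revoked
        v=$(gpg --with-colons --list-keys "$fpr" 2>/dev/null | awk -F: '/^pub/ {print $2; exit}')
        case "$v" in
            "") state=unknown ;;
            e)  state=expired ;;
            r)  state=revoked ;;
            *)  state=ok ;;
        esac
        echo "$fpr $state"
    done
}

# 3) Back up the repo's symmetric key to a file outside the repo (the backup
#    suggested in the thread). Requires git-crypt; returns non-zero otherwise.
backup_symmetric_key() {
    repo=$1; out=$2
    command -v git-crypt >/dev/null 2>&1 || return 1
    (cd "$repo" && git-crypt export-key "$out") && chmod 600 "$out"
}

# Stand-alone usage:
#   renewal_keeps_fingerprint
#   audit_gitcrypt_users /path/to/repo
#   backup_symmetric_key /path/to/repo /secure/offline/location/repo.key
```

Running the audit before a collaborator's key lapses is the cheap check here: an `expired` line means that person can no longer `git-crypt unlock` until they extend the expiry, which, as shown by the first function, does not change the entry git-crypt looks up. Removing an entry from that directory only stops future unlocks with that key; it cannot take the symmetric key back from someone who has already unlocked the repo, which is why the lost-or-compromised case is handled differently from plain renewal.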