Subkeys renewing/expiring strategy

Bernhard Reiter bernhard at intevation.de
Tue Oct 25 09:39:04 CEST 2022


On Thursday 13 October 2022 15:42:04, Teemu Likonen wrote:
> * 2022-10-11 17:23:49+0200, nect via Gnupg-users wrote:
> > Since I was struggling to choose a strategy for expiring/renewing my
> > subkeys [...]
>
> We should ask why do you want to expire (and rotate) your subkeys?

For encryption subkeys, rotating them adds a layer of protection.
If this is worth the effort, you have to answer from your own perspective.

To give a scenario or two:
If an attacker gets access to a lot of old communication from you,
they might be able to brute force an encryption key in the future.
Or I may be forced to give out an encryption key.

Personally I have used a primary key with 10 years expiration and
encryption subkeys with 2 years. It would only be a fifth of the communication
that would be revealed. Also I could use stronger algorithms over
the ten years, so it is not just a factor of five to crack, but much more.

The effort was doable, but then again, I'm a regular crypto user
and can use the exercise. ;)

Regards
Bernhard

-- 
https://intevation.de/~bernhard   +49 541 33 508 3-3
Intevation GmbH, Osnabrück, DE; Amtsgericht Osnabrück, HRB 18998
Geschäftsführer Frank Koormann, Bernhard Reiter
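As an added example (not code from the post or from GnuPG itself), the following Python checks a `gpg --list-keys --with-colons` listing against the strategy described above: it flags encryption subkeys that are expired or due for renewal and reports what share of the primary key's lifetime each one covers (a 2-year subkey under a 10-year primary gives 0.2, the "fifth" mentioned). The embedded listing is constructed sample data; the key ids, timestamps and the 60-day renewal window are assumptions.

```python
# Added example: evaluate a GnuPG key listing against a subkey-rotation plan.
# SAMPLE_LISTING is constructed `gpg --list-keys --with-colons` output, not a
# real key. Field 6 is creation, field 7 expiry (epoch seconds), field 12 the
# key capabilities ('e' = encryption, 's' = signing).
SAMPLE_LISTING = """\
pub:u:255:22:AAAAAAAAAAAAAAAA:1000000000:1315360000::u:::scESC::::::23::0:
uid:u::::1000000000::0000000000000000000000000000000000000000::Example <x@example.org>::::::::::0:
sub:e:255:18:BBBBBBBBBBBBBBBB:1000000000:1063072000:::::e::::::23:
sub:u:255:22:CCCCCCCCCCCCCCCC:1000000000:1315360000:::::s::::::23:
sub:u:255:18:DDDDDDDDDDDDDDDD:1240000000:1303072000:::::e::::::23:
sub:u:255:18:EEEEEEEEEEEEEEEE:1240000000::::::e::::::23:
"""

DAY = 86400  # seconds

def parse_listing(text):
    """Split --with-colons records into the primary key and its subkeys."""
    primary, subkeys = None, []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub"):
            continue
        rec = {"keyid": f[4], "created": int(f[5]),
               "expires": int(f[6]) if f[6] else None,  # empty = never expires
               "caps": f[11]}
        if f[0] == "pub":
            primary = rec
        else:
            subkeys.append(rec)
    return primary, subkeys

def rotation_report(text, now, warn_days=60):
    """For each encryption-capable subkey: status at time `now` and the share
    of the primary key's lifetime it covers (exposure if that subkey leaks)."""
    primary, subkeys = parse_listing(text)
    primary_life = primary["expires"] - primary["created"]
    report = {}
    for k in subkeys:
        if "e" not in k["caps"]:
            continue  # signing/authentication subkeys are not the concern here
        if k["expires"] is None:
            status, exposure = "no-expiry", 1.0  # covers the whole lifetime
        else:
            exposure = (k["expires"] - k["created"]) / primary_life
            if k["expires"] <= now:
                status = "expired"
            elif (k["expires"] - now) <= warn_days * DAY:
                status = "renew-soon"
            else:
                status = "ok"
        report[k["keyid"]] = (status, round(exposure, 3))
    return report
```

Feed it the real listing (e.g. `gpg --list-keys --with-colons <keyid>`) and the current epoch time to see which encryption subkeys need a successor before they lapse.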