
What is the common practice when a subkey reaches its expiration date?

  1. Generate a new subkey
    • Pros
      • Increases security if the subkey has been stolen (without noticing) since Mallory cannot use the old one anymore for future attacks
    • Cons
      • I cannot decrypt my documents or authenticate on my servers
  2. Extend the expiration date of the existing subkey
    • Pros and cons: the exact opposite of the first solution

Note that my subkeys are stored on multiple external storage devices for backup and modification purposes and well hidden, and on a smartcard (Yubikey) to use on a daily basis. That is, even if my smartcard is physically stolen, the thief shouldn't be able to extract the private part of the subkey, making the pro of the first solution not that relevant.

Please complete the pros and cons if any are missing.

Morgan Courbet
    I'm voting to close this as primarily opinion-based; pros-and-cons discussions do not really fit the Q&A format. Anyway: even if your old encryption key expires, you will still be able to use it for decryption. – Jens Erat Jun 22 '17 at 15:11
  • Well, in my case, I can store three subkeys on my smartcard: one of each type (decryption, signing, authentication). So I would need to replace one key, but I use all of them. – Morgan Courbet Jun 22 '17 at 15:50
  • Then get another card to use for your legacy key(s) -- or the new subkeys, if you do not have a backup of the private keys. – Jens Erat Jun 24 '17 at 07:04
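Whichever option is chosen, the practical risk is noticing the expiry too late; the following is an added example (not part of the question or the comments) that parses `gpg --with-colons --list-keys` output and flags each subkey as valid, expiring soon, expired or without expiry. The listing embedded below is constructed with placeholder key IDs and assumes the GnuPG colon-record layout (field 7 = expiry as epoch seconds, field 12 = capability letters); the note on an expired encryption subkey reflects the point made in the comments that such a key still decrypts existing ciphertext.

```python
import time

# Constructed sample of `gpg --with-colons --list-keys` output (placeholder key IDs, not real
# key material). Field 7 = expiry as epoch seconds (empty = never), field 12 = capabilities.
SAMPLE_LISTING = """\
pub:u:4096:1:0123456789ABCDEF:1497000000:1560000000::u:::scESC::::::23::0:
sub:u:4096:1:1111111111111111:1497000000:1528000000:::::e::::::23:
sub:u:4096:1:2222222222222222:1497000000:1560000000:::::s::::::23:
sub:u:4096:1:3333333333333333:1497000000::::::a::::::23:
"""

CAPABILITY_NAMES = {"e": "encryption", "s": "signing", "a": "authentication", "c": "certification"}

def parse_subkeys(listing):
    """Extract key ID, expiry and capability letters from every 'sub' record."""
    subkeys = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] != "sub":
            continue
        subkeys.append({
            "keyid": fields[4],
            "expires": int(fields[6]) if fields[6] else None,  # empty field = never expires
            "capabilities": fields[11],
        })
    return subkeys

def classify(subkey, now, warn_days=30):
    """Status of one subkey relative to `now` (epoch seconds)."""
    exp = subkey["expires"]
    if exp is None:
        return "no-expiry"
    if exp <= now:
        return "expired"
    if exp - now <= warn_days * 86400:
        return "expiring-soon"
    return "valid"

def report(listing, now=None, warn_days=30):
    """Return (keyid, capabilities, status, note) rows for each subkey in the listing."""
    now = int(time.time()) if now is None else now
    rows = []
    for sk in parse_subkeys(listing):
        status = classify(sk, now, warn_days)
        caps = ",".join(CAPABILITY_NAMES.get(c, c) for c in sk["capabilities"])
        note = ""
        if status == "expired" and "e" in sk["capabilities"]:
            note = "still decrypts old ciphertext; extend or replace before others need to encrypt to you"
        rows.append((sk["keyid"], caps, status, note))
    return rows
```

Calling `report(SAMPLE_LISTING)` with no `now` argument evaluates the listing against the current clock; pass the output of the real `gpg --with-colons --list-keys` command in place of the sample to check your own keyring.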
