Yubico Forum

I did create a master key + 3 subkeys for signing, decrypting, authenticate.
The master key has unlimited validity and is well preserved offline.
The 3 subkeys have a limited expiry date.

On my laptops configured for use with Yubikey it looks like this:

(Remark: "verfällt" translates to "expires".)
The secrete keys are only stubs which do not show the expiration dates.

My question now:
How do I manage to extend the validity of my subkeys on the Yubikey?
On the offline machine it is quite easy, because all keys are available and the master key has already unlimited lifetime. For obvious reasons I do not want to create a new set of subkeys and transfer them to the Yubikey overwriting the current ones.

Regards,
x11

X11,

you will need to go back to the offline machine with all the keys present and change the expire dates, than copy over the subkeys once again to the YubiKey. I've linked to good source for changing the expire dates on the keys.

http://www.g-loaded.eu/2010/11/01/chang ... e-gpg-key/

mattlegitt,

thanks for your quick reply, which will cause quite a lot of actions to extend the lifetime of the subkeys including transfer to the Yubikey.
I was hoping that the "expiry information" is only contained in the public key which is distributed i.e via key servers and that the secret subkeys on the Yubikey remain unchanged.

I have now searched for additional information on how the whole expiry thins work and found this blog:
https://blog.josefsson.org/2014/08/26/t ... /#more-782
The last 2 replies to that post might indicate that my asumption probably works.
It states

This would mean that I only have to extend the expiry date of the subkeys on the offline-machine and after that just distribute the updated public key (with other words: I do not have to do anything with my Yubikey).

Is that correct - or do I miss anything?

Regards,
x11

So, I now tested the whole procedure with a dummy key in a VM. What I have seen so far is:

1. to update expiry date of subkeys requires the master-key.
2. I could not test what happens if I only have the master-key without the subkeys present, because I was not able to delete only the subkeys.
3. expiry of subkeys can be atlered induvidially for each subkey (master-key present).
4. comparing the exported subkeys (gpg --export-secrete-subkeys) before and after the change shows same filesize, but differences in content (binary compare).

Taking the result from 4) indikates that the subkeys on the Yubikey most probably have to be updated (despite the cryptographic information remains the same and only "meta-data" are changed). Which data/part of the subkeys finally is stored in the Yubikey and what remains/sits in the stubs I do not know. That probably is handled by the pgp-applet within the Yubikey.

This arises another question:
Can that update process be performed directly with the Yubikey (with the 3 subkeys) attached to the laptop if just for that action I temporarly import the master-key on it?

Or do I really have perform the change on the offline PC with the complete key and afterwards transfer the subkeys one by one th the Yubikey (gpg> keytocard)?

Regards,
x11