I’m making this post to alert people to the danger of having a Valid Until/Expiry Date on their Secret Keys. ALLOWING THE SECRET KEY TO EXPIRE WILL LOCK THEM OUT OF THEIR ACCOUNTS USING 2FA ON MARKETS AND FORUMS.

I’m not going to get into any discussions about using forever keys vs using expiring keys. Those advanced users who need expiring keys, such as vendors on The Majestic Garden, will already know they need such keys and the reasons why they’re needed, and are aware of how to manage expiring keys.

A LOT of users, buyers and vendors, have made keys with a Valid Until/Expiry Date of two years from the original date of the keys (the Kleopatra default). Many, if not most, of these users are unaware their keys will expire and lock them out of their 2FA accounts on DNMs and forums (like Dread). I’m seeing more and more posts of people locked out because of expired keys, and have been wondering how to tackle the issue. They must update the Expiry Date before the key expires to be able to continue using 2FA.

WARNING – Anyone who wants to change the Expiry Date on their Secret Key must first disable 2FA and remove their current Public Key from every site enabled with their current key. Failure to do so will lock them out of their accounts. The new key Expiry Date creates a new Secret and Public Key Pair that must be used to re-enable 2FA everywhere it’s currently in place. – WARNING

I’ve written a guide for new people to use Kleopatra, and the guide includes making keys of 4096 length with no Valid Until/Expiry Date (aka Forever Keys), and also explains how to change the Expiry Date before the key expires (You can see a work-in-progress of the procedures.)

HOW TO CHANGE THE EXPIRY DATE ON A SECRET KEY
First, you can tell if your key has an Expiry Date by looking at the key in Kleopatra. If it includes a Valid Until date, it will expire on that date.
WARNING – Anyone who wants to change the Expiry Date on their Secret Key must first disable 2FA and remove their current Public Key from every site enabled with their current key. Failure to do so will lock them out of their accounts. The new key Expiry Date creates a new Secret and Public Key Pair that must be used to re-enable 2FA everywhere it’s currently in place. – WARNING

Step 1 – Remove your current Public Key from all places using it for 2FA, including markets, forums, etc. FAILURE TO REMOVE YOUR CURRENT PUBLIC KEY FROM 2FA WILL LOCK YOU OUT OF YOUR ACCOUNTS. You must also remove the key completely from the sites, leaving no Public Key enabled.
Step 2 – Find your Secret Key in Kleopatra, right click on the key, then click Change Expiry Date…
Step 3 – In the Change Expiry – Kleopatra popup, change the date to Never if you want a “forever” key that never expires. Advanced users already know about their expiring keys and must manage those keys themselves.
Step 4 – Click OK
Step 5 – Delete your old Public Key anywhere you have it saved. It is now useless.
Step 6 – Back up your revised Secret Key. This includes exporting your Secret Key and replacing all copies everywhere you’ve saved it.
Step 7 – Export your new Public Key, and use the key to re-enable 2FA on all accounts on markets and forums.
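
The Valid Until check described at the start of this section can also be done from GnuPG's machine-readable key listing, which is useful for spotting a key that is about to expire before it locks you out. This is an added example, not part of the original guide: the function name, the 90-day warning window and the sample listing are assumptions, and the sample is constructed. For a real keyring, pass in the output of gpg --list-secret-keys --with-colons.

```python
from datetime import datetime, timezone

# Constructed sample of `gpg --list-secret-keys --with-colons` output;
# key IDs, names and dates are made up for this example.
SAMPLE = "\n".join([
    "sec:u:4096:1:AAAAAAAAAAAAAAAA:1672531200:::u:::scESC:::+:::23::0:",
    "uid:u::::1672531200::::forever <a@example.invalid>::::::::::0:",
    "sec:u:3072:1:BBBBBBBBBBBBBBBB:1672531200:1735689600::u:::scESC:::+:::23::0:",
    "uid:u::::1672531200::::two-year <b@example.invalid>::::::::::0:",
    "sec:e:3072:1:CCCCCCCCCCCCCCCC:1609459200:1672531200::u:::sc:::+:::23::0:",
    "uid:e::::1609459200::::lapsed <c@example.invalid>::::::::::0:",
])


def _to_utc(field):
    """Colon-format dates are epoch seconds; an ISO form containing 'T' also exists."""
    if "T" in field:
        return datetime.strptime(field, "%Y%m%dT%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def expiry_report(colon_text, now, warn_days=90):
    """Return one dict per primary key: keyid, uid, expires (or None), status."""
    report = []
    for line in colon_text.splitlines():
        f = line.split(":")
        if f[0] in ("sec", "pub") and len(f) > 6:
            # Field 7 is the expiry date; empty means the key never expires.
            expires = _to_utc(f[6]) if f[6] else None
            if expires is None:
                status = "never"
            elif expires <= now:
                status = "expired"
            elif (expires - now).days < warn_days:
                status = "soon"
            else:
                status = "ok"
            report.append({"keyid": f[4], "uid": None,
                           "expires": expires, "status": status})
        elif f[0] == "uid" and report and report[-1]["uid"] is None and len(f) > 9:
            report[-1]["uid"] = f[9]  # first user ID listed for that key
    return report


if __name__ == "__main__":
    now = datetime(2024, 11, 15, tzinfo=timezone.utc)  # fixed "today" for the sample
    for k in expiry_report(SAMPLE, now):
        when = k["expires"].date().isoformat() if k["expires"] else "never"
        print(f'{k["keyid"]}  {k["status"]:8}  valid until {when}  {k["uid"]}')
```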

For those who don’t remember how to back up a Secret Key or export a Public Key, here are procedures you can follow. NOTE – These procedures are for Kleopatra on Tails (Windows users can adapt them). If you use something other than Kleopatra you must use the process for your PGP front-end:

Part 3 – Exporting your Public Key in Kleopatra
Step 1 – In Kleopatra, find your secret key (it will be in bold text).
Step 2 – Right click on the key, then find and click on Export
NOTE – Do not click Export Secret Keys at this time.
Step 3 – In the Export Certificates — Kleopatra popup, double-click Persistent in the Name list.
Step 4 – Rename the File name: to something you will remember. I use <keyname>PublicKey.asc (Make it simple so you can easily spot the file), then click Save.


Part 4 – Copying Your Public Key in Cleartext to Post on Other Web Sites or Send to a Vendor
Step 1 – Open Applications – Favorites – Files, then click on Persistent in the list on the left side of the window.
Step 2 – Right click the <keyname>PublicKey.asc file, then click Open With Other Application.
Step 3 – In the Select Application popup, click View All Applications at the bottom.
Step 4 – Under Related Applications, find and double-click on Text Editor. This opens a new Text Editor window with your keyfile in cleartext.
NOTE – If you have another Text Editor window active, the file will open as a new tab.
Step 5 – In Text Editor, click on the <keyname>PublicKey.asc tab.
Step 6 – Click in the cleartext key, then press Ctrl+A to highlight the entire key. Press Ctrl+C to copy the highlighted key.
Step 7 – Go to the site or message you want to copy your key into, then click in the message/PGP Public Key area and press Ctrl+V to paste the copied key.

Part 10 – Backing Up Your Secret Key After Creation
Step 1 – In Kleopatra, scroll through your certificates (aka keys) until you see your secret key (it will be in bold), then right-click on the key.
Step 2 – In the popup, click Export Secret Keys…
Step 3 – In the Export Secret Key — Kleopatra popup, under Name, double-click Persistent.
Step 4 – Change the File name: to something you will remember as your backup secret key. I use <keyname>SecretBackup.asc
Step 5 – Click Save
Step 6 – In the Passphrase: popup, enter the passphrase for your secret key, then click OK.
Step 7 – In the Secret Key Export Finished — Kleopatra popup, click OK.
NOTE – You can copy this saved key to a USB drive to have an offline copy on separate media.
