Change expire date from gpg/pgp key on Nitrokey

Is it possible to edit the expiration date?

If I try it with gpg --edit-key XXXXX and gpg --card-edit. After that I tried to change expire with expire.

gpg: signing failed: No secret key
gpg: make_keysig_packet failed: No secret key

If there is no chance to update the expiration date, I have a backup. Should I really re-add my keys and before that set the expiration date to 0?


I did a quick test with Enigmail. This worked fine. Technically you are just adapting you pub key information and signing the change with your private key afterwards.

I guess it just didn’t worked because gpg couldn’t talk to your Nitrokey… Are you able to do normal signing with gpg?

Kind regards

Yes I can sign and encrypt files. Also decrypt and prove sign.

I tried now with ‘gpg --key-edit xxxxx’ and the expire command. It worked just fine :thinking:

I don’t know, what is happening there. Maybe you are using the wrong key (sorry, I really have to guess here a bit) or the key is not correctly connected to your keychain (as the private key itself should be on the Nitrokey, there wouldn’t be loss to remove the key from the keychain and add it again).

Please be careful and may make a backup of the whole .gnupg folder (or the corresponding folder on Windows if you are using windows).

I created a second encryption key before the first move and also a sign and auth.

These three keys I have moved onto the Nitrokey. Is the second encryption key the problem?

/edit: On my phone, OpenKeyChain print “Key is stripped, it cannot confirm other keys”

The “expiration date” is a public key attribute only (the private keys never expire).
To change that you need to have the master key key. You must recover the master private key from the cold backup (gpg --import your-private-key.private), then you can edit the sub keys. After this task you can delete again your secret key again.

You needn’t to change anything on the token.



Thanks for the explanation. I thought the private key was on the token.
Since I removed the private primary key from the PC and moved it to an external medium, it was of course not accessible.

But isn’t it the point of this device to keep the private key there? Or does this only apply to the private sub keys? Does the primary private key belong on an external USB stick or something similar, so that you don’t always have it with you?

1 Like


no, it is totally fine to have the main key on the device. I wonder if you may just did not moved the keys correctly.

It depends on how you did the key moving…

Kind regards

I created a second encryption key and moved this one onto the device. I think thats the “problem”.

The first encryption key is bound to the primary one. It must also have the same password as the primary one. If you revoked this, the primary one is also revoked.

Why I made a second one? It is also done in the advanced “tutorial” which is linked on

In my opinion, it makes sense not to have the primary private key on the token. You probably always carry the token around with you, the chance to lose it is high and even if it is protected on the token, with the thought of no longer owning the primary key alone, nobody can sleep peacefully anymore… :smiley:

The openpgp card keeps only 3 keys (encryption, signing and authentication). You can store the master key on signing slot and two sub keys (encryption and authentication) or use, for example, aseparate openpgp card to keep the master card and the nitrokey for three sub keys.

Ah, okay, then my thoughts were wrong again.
I have also created a sub key to sign, which now stays on the token.

Take in minds that it’s very import to store the master key into a safe place / device. It’s easy to stole your token and at the same time it’s easy to watch you when you are writing the pin code.

If you lost the token (sub keys), with the master key you can revoke the sub keys and create a new set, keeping your identity safe. If your master key is stolen, you will lost, in some way, your identity and your network of trusts. In this case you need to generate a new master, sub keys, and rebuild your friends network from the begin (after you send revoke certificate for the master key to key servers).
For this reason I prefer to keep the master key on a cold storage and on a separate smart card (stored in my home) that I will use to sign pub keys only, and only subkeys into the token for everyday use.

Keep you safe, keep your master on the paper :wink: