I did a quick test with Enigmail. This worked fine. Technically you are just adapting your pub key information and signing the change with your private key afterwards.
I guess it just didn't work because gpg couldn't talk to your Nitrokey… Are you able to do normal signing with gpg?
I tried now with "gpg --key-edit xxxxx" and the expire command. It worked just fine.
I don't know what is happening there. Maybe you are using the wrong key (sorry, I really have to guess here a bit) or the key is not correctly connected to your keychain (as the private key itself should be on the Nitrokey, there wouldn't be any loss in removing the key from the keychain and adding it again).
Please be careful and maybe make a backup of the whole .gnupg folder (or the corresponding folder on Windows if you are using Windows).
The "expiration date" is a public key attribute only (the private keys never expire).
To change that you need to have the master key. You must recover the master private key from the cold backup (gpg --import your-private-key.private), then you can edit the sub keys. After this task you can delete your secret key again.
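An added example (not code from the thread) that reproduces the step just described in a throwaway keyring: with the primary secret key removed from the keyring (gpg -K shows "sec#"), changing the expiry fails because the new self-signature needs the primary key; after importing the cold backup it succeeds, and the primary is removed again. It assumes GnuPG 2.1 or later with gpg-agent and gpg-connect-agent available, and uses a constructed, passphrase-less test key and a constructed backup file name.

```shell
#!/bin/sh
# Added example, not from the forum thread. Everything runs in a temporary
# GNUPGHOME created here, so it never touches your real keyring.
set -eu

GNUPGHOME=$(mktemp -d); export GNUPGHOME; chmod 700 "$GNUPGHOME"
BACKUP="$GNUPGHOME/primary-cold-backup.asc"   # constructed name for the cold backup
GPG="gpg --batch --quiet --pinentry-mode loopback --passphrase"   # followed by ''

# Field 7 of the "pub" colon record is the expiry as a Unix timestamp.
expiry_of() { gpg --batch --with-colons --list-keys "$1" | awk -F: '$1=="pub"{print $7; exit}'; }

# Keygrip of the primary key (first "grp" record), used to delete only its private part.
primary_grip() { gpg --batch --with-colons --with-keygrip --list-keys "$1" | awk -F: '$1=="grp"{print $10; exit}'; }

# Build primary + encryption subkey, back up the primary, then delete only the
# primary's private part from the agent: the same layout as a cold-storage setup.
# Sets the global FPR (no subshell, so the value is visible to the caller).
make_offline_primary() {
  $GPG '' --quick-gen-key 'Test <test@example.invalid>' rsa2048 sign 1y
  FPR=$(gpg --batch --with-colons --list-keys | awk -F: '$1=="fpr"{print $10; exit}')
  $GPG '' --quick-add-key "$FPR" rsa2048 encr 1y
  $GPG '' --export-secret-keys --armor "$FPR" > "$BACKUP"
  gpg-connect-agent "DELETE_KEY --force $(primary_grip "$FPR")" /bye >/dev/null
}

# Extending the expiry without the primary secret key is expected to FAIL (returns 1).
extend_without_primary() {
  if $GPG '' --quick-set-expire "$1" 2y 2>/dev/null; then return 0; else return 1; fi
}

# Import the cold backup, extend the expiry, remove the primary again and
# confirm that only the stub ("sec#") is left in the keyring.
extend_with_backup() {
  $GPG '' --import "$BACKUP"
  $GPG '' --quick-set-expire "$1" 2y
  gpg-connect-agent "DELETE_KEY --force $(primary_grip "$1")" /bye >/dev/null
  gpg --batch --list-secret-keys "$1" | grep -q '^sec#'
}
```

Run `make_offline_primary`, then `extend_without_primary "$FPR"` (fails) and `extend_with_backup "$FPR"` (succeeds); compare `expiry_of "$FPR"` before and after.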
Thanks for the explanation. I thought the private key was on the token.
Since I removed the private primary key from the PC and moved it to an external medium, it was of course not accessible.
But isn't it the point of this device to keep the private key there? Or does this only apply to the private sub keys? Does the primary private key belong on an external USB stick or something similar, so that you don't always have it with you?
I created a second encryption key and moved this one onto the device. I think that's the "problem".
The first encryption key is bound to the primary one. It must also have the same password as the primary one. If you revoked this, the primary one is also revoked.
Why did I make a second one? It is also done in the advanced "tutorial" which is linked on nitrokey.com/start.
In my opinion, it makes sense not to have the primary private key on the token. You probably always carry the token around with you, the chance of losing it is high and even if it is protected on the token, with the thought of no longer owning the primary key alone, nobody can sleep peacefully anymore…
The OpenPGP card keeps only 3 keys (encryption, signing and authentication). You can store the master key in the signing slot and two sub keys (encryption and authentication) or use, for example, a separate OpenPGP card to keep the master key and the Nitrokey for three sub keys.
Take in mind that it's very important to store the master key in a safe place / device. It's easy to steal your token and at the same time it's easy to watch you when you are typing the PIN code.
If you lose the token (sub keys), with the master key you can revoke the sub keys and create a new set, keeping your identity safe. If your master key is stolen, you will lose, in some way, your identity and your network of trust. In this case you need to generate a new master key and sub keys, and rebuild your friends network from the beginning (after you send a revocation certificate for the master key to the key servers).
For this reason I prefer to keep the master key in cold storage and on a separate smart card (stored at my home) that I will use to sign pub keys only, and only subkeys in the token for everyday use.