Yearly Expiring Subkeys

How do you guys manage expiration of your GPG keys? I’ve got an non expiring Master-Key and 3 separate Subkeys for signing, auth and decryption, each expiring after 12 months.
This is no problem itself, but if I just create yearly new subkeys, I couldn’t save them on my single Nitro-Key and thus couldn’t read older emails, for example.
I could have one nitrokey per year but…hummm

Does someone have an suggestion how to securely manage gpg keys without throwing security completely overboard?

Hi @Nitramin!

In case you are not aware, you can extend the lifetime of the GnuPG key just before it is marked to expire. You just need to modify your public key locally and then distribute it either manually or by a key server.
For the encryption keys, you can make backups of it for the each release, but I understand this would not really be handy once you would like to explore the data archives.

@nitroalex Any tips on the general key management strategy for such case?

I do not rotate my keys. I am not sure how to handle this in a smart way on smart cards. Honestly, I just would say do not rotate your keys, you are protecting them in hardware, so there is no need for this… isn’t it?

Sorry to say, but this restriction is a complete no-go for any enterprise application of the Nitrokey. I was quite keen to take Nitrokeys’ products in consideration because of open-source, but not being able to keep old keys to decrypt old data kills the main use-cases.

Hi @risi!

This is the case for all OpenPGP cards, not only Nitrokeys.

It’s possible to generate the OpenPGP keys securely on the host and import it later to the smart card for daily use, and backing up the secret material to cold storage.
Alternatively, Nitrokey HSM offers secure backup of the secret material.