These are the instructions I use myself for my annual GPG key renewal. I am sharing them here to help others, though they are not perfect.

RENEW.md

Renewing the GPG Key

The point is to renew the core signing key, encryption key, and authentication key, and to create a set of subkeys to be used on devices without access to the GPG card.

The encryption key should not 'expire' ever, as it is needed for communication, the same is true for the parent key, which should never be anywhere other than the card and the veracrypt container. We give them an expiration date anyway, so that if something happens and I can't renew them, they eventually become invalud.

The authentication key can be renewed/replaced, it is used for e.g. SSH.

The signing keys are transient and should be periodically replaced. We never use the primary key to sign anything other than other keys (or on machines where I only have the GPG card and not the private subkey set).

Useful article: debian on subkeys

Notes for people who aren't me

Some of these steps may not be necessary, and I am not an expert, so please comment if I am doing something "wrong" (I don't really care about unnecessary).

Furthermore, I use a Yubikey as a GPG key card, meaning that my master key exists in only two places—that card, and a very secure veracrypt container. These steps assume a setup similar to that.

The most important thing when doing this is to backup the keys, I create a full set of backups in the veracrypt container that I sync via a secure cloud storage provider to make sure I never lose the key. I also have a revocation certificate in that container, just in case. Note, for your sanity if using cloud providers for backup, be sure to use a strong PGP password and a very secure encrypted container.

Steps

1. Export the public key:
   • gpg --export --armour 90BF30FD > 90BF30FD.asc
2. Delete the current key
   • gpg --delete-secret-keys 90BF30FD
   • gpg --delete-keys 90BF30FD
3. Import the "full_secret" key from veracrypt
   • gpg --import --allow-secret-key <path to full_secret>
4. Import the updated public key
   • gpg --import 90BF30FD.asc
5. Update public key from keyserver
   • gpg --refresh-keys 90BF30FD
6. gpg --expert --edit-key 90BF30FD
7. Edit identities, should only be one per email. Can update picture. Commands:
   • clean
   • Enter a raw number to select the uid
     • deluid
     • adduid
8. expire
   • 2y
9. key 1, key 2, key 3
10. expire
    • 1y
11. trust
12. quit
13. Save the full secret key:
    • gpg --export-secret-keys 90BF30FD <path to new full_secret on veracrypt>
    • chmod 400 <path to new full_secret on veracrypt>
14. Now we will handle subkeys packages
    1. Make a full capacity subkey set for encrypted headless machines (very few)
       • gpg --export-secret-subkeys 7861F339AD529B6F FE819A40B7435F1D DFD797186286D304 > <veracrypt path>/full_subkeys.gpg
    2. Make a sign and auth package for machines that don't need encryption (most)
       • gpg --export-secret-subkeys FE819A40B7435F1D DFD797186286D304 > <veracrypt path>/sign_auth_subkeys.gpg
    3. Make a sign only package for machines I code on with limited security
       • gpg --export-secret-subkeys DFD797186286D304 > ~/.gnupg/sign_only_subkeys.gpg
       • cp ~/.gnupg/sign_only_subkeys.gpg <veracrypt path>/sign_only_subkeys.gpg
    4. Make a package for encrypted handheld devices
       • gpg --expert --edit-key 90BF30FD
       • passwd — make the easy one
       • gpg --export-secret-subkeys 7861F339AD529B6F DFD797186286D304 > <veracrypt path>/phone_keys.gpg
       • gpg --expert --edit-key 90BF30FD
       • passwd — change back
15. Handle protonmail
    • Go to protonmail settings
    • Make the ECC key primary
    • Delete the now secondary key
    • gpg --expert --edit-key
    • expire — set to 0
    • Select all subkeys
    • expire — set to 0
    • key 3
    • delkey
    • quit
    • gpg --export-secret-keys --armour 90BF30FD > <path to 90BF30FD_secret_unexpire_no_extra_sign.asc>
    • Now, for each proton mail email address, you need to delete all other uids and import them separately
    • In protonmail settings, import the key
16. Get orig back again
    • gpg --delete-secret-keys 90BF30FD
    • gpg --delete-keys 90BF30FD
    • gpg --import --allow-secret-key <path to full_secret>
    • gpg --import 90BF30FD.asc
17. Move keys back to card, replacing the ones there.
    • gpg --expert --edit-key 90BF30FD
    • keytocard
    • key 1
    • keytocard
    • key 1 — unselect key 1
    • key 2
    • keytocard
    • quit
18. gpg --expert --edit-key 90BF30FD
    • Verify the everything looks ok, the primary key must be on the card, the encryption and authentication keys should be there too.
      • check
      • Delete any duplicate uids
      • clean
    • quit
19. Create a version of this key with the card as primary and a signing key (for encrypted computers)
    • gpg --armour --export-secret-keys 90BF30FD > <path to veracrypt 90BF30FD_card_plus_sign.asc>
20. Now we delete the extra signing key so we can use only with the keycard
    • gpg --expert --edit-key 90BF30FD
    • key 3
    • delkey
    • quit
    • gpg --export-secret-keys --armour 90BF30FD > <path to 90BF30FD_secret_no_extra_sign.asc>
21. Create a new public key
    • gpg --export --armour 90BF30FD > 90BF30FD.asc
22. Send updated key to keyservers
    • gpg --send-keys 90BF30FD
23. Upload new public key to places of trust:
    • https://www.michaeldacre/90BF30FD.txt
    • https://files.michaeldacre/90BF30FD.txt
    • https://keybase.io/mike_dacre/key.asc
    • https://www.facebook.com/mike.dacre/about?section=contact-info
    • https://keys.mailvelope.com/pks/lookup?op=get&search=0x9344528990BF30FD
    • GitHub