My gpg keys are in the "laptop-keys" configuration with, "positive expiry control". This means that the master key is completely offline, and I encrypt and sign with separate subkeys that are on my laptop. Both the master key and the subkeys have relatively short expiries of 18 and 6 months respectively.

Laptop keys

Laptop keys mean having one master key that is never on a machine that you normally have with you or is connected to the internet. You can do all normal operations with GPG.

Using the offline-master key, you can also change the subkeys, allowing you to rotate the key-material that do the actual signing without loosing your identity which is based on the master key. This is useful to allow you to either periodically change keys or, if you worry your sub-keys might have been compromised to change those without needing to " throw away" your established key identity. Making it much cheaper to change your sub-keys when in doubt, or even just periodically as a precaution.

Here's a guide on how to setup laptop keys: https://spin.atomicobject.com/2013/11/24/secure-gpg-keys-guide/

A limiting side-effect of laptop-keys is that it is the master-key that signs keys of other users. Using the web-of-trust feature of GnuPG requires using the offline master key to create signatures. Making this quite cumbersome.

Positive control

Positive control means you periodically prove you have control over your keys. This is especially important because with laptop keys, by design, the master key is not something you use or operate on a daily basis.

Practically, this is achieved by having relatively short expiry dates on your keys, periodically pushing the date forward and updating your key. I use a sub-key validity of 6 months and 18 months for the master key. The master key has a longer expiry, so that people that communicate with me infrequently, may have expired sub-keys but a valid master and refreshing the key will update both without getting expired master keys.

This means that every 6 months I push the key forward for 6 month more. I do this with a an overlap, so that people updating their keys from the key-server get a key that's valid for at least a couple of months.

Technically, moving the expiry adds a new signature from the master-key to the information. You can remove the old signatures by running "minimize" command on your key when in "--edit-keys" mode. Alternatively, exporting only the minimal keys is possible with:

$ gpg -a --export-options export-minimal --export 0xD58004C930983622

When the expiry has changed, it's possible to simply update the key on the key-server by running:

$ gpg --verbose --send-keys 0xD58004C930983622