How to Securely Migrate APT Repository Keys on Debian 12/13

Introduction

Starting with Debian 12 Bookworm, the recommended method for managing repository signing keys has changed.
The traditional locations:

  • /etc/apt/trusted.gpg
  • /etc/apt/trusted.gpg.d/*.gpg

are now considered legacy. Keys stored there are trusted globally, which defeats APT’s modern security model.

Debian now recommends storing administrator-managed keys in:

/etc/apt/keyrings/

and binding each repository to its own key via the signed-by= option in your APT source files.
This prevents unnecessary global trust and improves overall repository security.

This guide explains why the change matters and demonstrates how to migrate existing keys, using the popular PHP packages repository from deb.sury.org as an example.

Why you should migrate

1. Improved security

Legacy trusted keyrings make every key trusted for every repository.
If one key is compromised, it can be used to sign malicious packages for any configured repository, so all repositories become vulnerable.

Using signed-by= restricts each key to its own repository only.

2. Debian standards compliance

Debian 12/13 documentation and APT maintainers now recommend:

  • /etc/apt/keyrings/ for locally managed keys
  • /usr/share/keyrings/ for package-managed keys
  • signed-by= in APT sources

Future Debian releases will progressively move away from trusted.gpg.d.

3. Cleaner configuration

Each repository has its own key and its own entry.
Troubleshooting becomes easier, and configurations are more transparent.

Step-by-Step Migration Example (deb.sury.org)

This example migrates the commonly used key:

/etc/apt/trusted.gpg.d/php-sury.gpg

to the correct modern location and updates its repository definition.

1. Create the new recommended directory (if it does not already exist)

mkdir -p /etc/apt/keyrings

2. Move the existing key to /etc/apt/keyrings/

mv /etc/apt/trusted.gpg.d/php-sury.gpg /etc/apt/keyrings/

3. Set secure permissions

APT requires keyrings to be world-readable:

chmod 644 /etc/apt/keyrings/php-sury.gpg

4. Update the APT repository definition

Edit (or create) the file:

/etc/apt/sources.list.d/php-sury.list

Replace any existing entry with the modern format:

deb [signed-by=/etc/apt/keyrings/php-sury.gpg] https://packages.sury.org/php/ bookworm main

Adjust bookworm to trixie or your Debian release if needed.

5. Update APT

apt update

If the key is correctly placed and the sources.list.d entry is correct,
APT will no longer trust this key globally; it is trusted only for the Sury PHP repository.
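The five steps above, collected into a reusable script. This is an added example, not from the original article: it migrates one legacy keyring, pins it with signed-by=, and then lists any sources entries that still rely on the globally trusted keyrings. The ROOT prefix is an assumption so the script can be rehearsed against a scratch directory before running it as root on a real system.

```shell
#!/bin/sh
# Added example, not part of the original article: migrate one legacy APT
# keyring to /etc/apt/keyrings and pin it to its repository with signed-by=,
# then list any sources entries that still rely on globally trusted keys.
# ROOT is an assumed prefix (default: the live filesystem) so the script can be
# rehearsed against a scratch directory before running it as root.
set -eu

# migrate_key NAME REPO_URL SUITE COMPONENTS
# Moves trusted.gpg.d/NAME.gpg to keyrings/NAME.gpg, sets mode 0644, and
# rewrites sources.list.d/NAME.list so only that key may sign the repository.
migrate_key() {
    name="$1"; url="$2"; suite="$3"; comps="$4"
    root="${ROOT:-}"
    src="$root/etc/apt/trusted.gpg.d/$name.gpg"
    dst="$root/etc/apt/keyrings/$name.gpg"
    list="$root/etc/apt/sources.list.d/$name.list"
    [ -f "$src" ] || { echo "no legacy key at $src" >&2; return 1; }
    [ ! -e "$dst" ] || { echo "refusing to overwrite $dst" >&2; return 1; }
    mkdir -p "$root/etc/apt/keyrings" "$root/etc/apt/sources.list.d"
    mv "$src" "$dst"
    chmod 0644 "$dst"   # readable by the unprivileged _apt user, writable by root only
    # signed-by= must hold the path APT sees at runtime, so omit the ROOT prefix.
    printf 'deb [signed-by=/etc/apt/keyrings/%s.gpg] %s %s %s\n' \
        "$name" "$url" "$suite" "$comps" > "$list"
}

# unsigned_entries: print every active deb/deb-src line in sources.list.d
# that lacks signed-by= (i.e. still depends on the legacy global keyrings).
# Returns 1 if any were found, so it can gate the rest of a migration run.
unsigned_entries() {
    root="${ROOT:-}"; found=0
    for f in "$root"/etc/apt/sources.list.d/*.list; do
        [ -f "$f" ] || continue
        while IFS= read -r line; do
            case "$line" in
                *signed-by=*) ;;                       # already pinned to a key
                "deb "*|"deb-src "*) echo "$f: $line"; found=1 ;;
            esac
        done < "$f"
    done
    return "$found"
}
```

Run unsigned_entries first to see what still needs migrating, then call migrate_key once per repository and finish with apt update as in step 5.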

Conclusion

Migrating repository keys from /etc/apt/trusted.gpg.d/ to /etc/apt/keyrings/ is a simple and forward-compatible best practice for Debian 12 and Debian 13.
This approach enhances system security, aligns with Debian’s current standards, and ensures each repository is validated only by its own signing key.

You can repeat the steps above for all third-party repositories to modernize your APT configuration fully.
