Debian 11 or Kali Linux ‘apt-key is deprecated’ Warning, here is the solution

Although currently while adding the GPG key on Debian 11 you will get a “Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8))“, still we can use this method. However, there is a solution for this. And here in this article, we will see that.

OpenPGP is an open standard for a cryptographic system (encryption; digital signatures; web of trust), especially for use with e-mails. GnuPG ( Gnu Privacy Guard ) is free and open-source software (available for many operating systems) that implements the OpenPGP standard.

First method: Fix Apt-Key Deprecation Error

The Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)) appears when we use the traditional method of adding public on our system. To resolve this the first solution is to manually find the Key of the software you want to add from the legacy apt-key file and then add that to /trusted.gpg.d/ directory.

For example, here we have added MySQL repository to install Workbench and we got the error. So, to fix that, we first find the key added by it in our legacy key list. For that use the command:

sudo apt-key list

Here in the screenshot, you can see that we have the Apt Key error for the MySQL added key. Hence, what we do is copy the last eight digits of the Pub key given for it.

Fix Apt Key Deprecation Error

Once you have copied that, use the following syntax to convert it into a GPG key and save it under the Trusted.gpg.d folder:

sudo apt-key export past-the copied-digits| sudo gpg –dearmour -o /etc/apt/trusted.gpg.d/key-name.gpg

In the above syntax we replace the “past-the-copied-digits” with the last 8 digits we have copied while removing the space between them. And also replace “key-name” with whatever name you want to use to save the key in GPG format. After that hit the Enter Key.

For example:

sudo apt-key export 3A798D29 | sudo gpg --dearmour -o /etc/apt/trusted.gpg.d/mysql-key.gpg

Now, run the system update command…


How to Safely Add GPG key in Debian 11 or Kali Linux

We generally use the common apt-key method to add OpenPGP Keys to authenticate the packages of some third-party repositories on Debian, Ubuntu, and other similar Linux operating systems such as Linux Mint, MX Linux, and more. However, if you are using Debian 11 and while adding the key you are getting a warning the “apt-key is deprecated” then it is due to security reasons.

It is because when we add an OpenPGP key signed for some APT repository on our system, it will be trusted by APT for other configured repos even if not signed by it. Hence for security reasons, the apt-key has been decrypted.

1st Method:

This one is the easiest method to add a GPG key securely on Debian 11, Kali Linux, or other similar distros.

1. Declare a Path and give some name to your GPG Key. For example, here we are adding a GPG key for Webmin.


Just replace “webmin” with the repo name for which you are adding the key.


2. Download and write the key on the above declared Keypath.

curl -fsSL key-path-to-download | gpg --dearmor | sudo tee "$KEYRING" >/dev/null


curl -fsSL | gpg --dearmor | sudo tee "$KEYRING" >/dev/null

If you don’t want to use CURL then can go for wget

wget --quiet -O - | gpg --dearmor | sudo tee "$KEYRING" >/dev/null

Note: The Key file you download may have a different extension as shown in this article, it could be .gpg, .asc, .key, or any other.


3. That’s it. List the value of your recently added key:

gpg --no-default-keyring --keyring "$KEYRING" --list-keys


apt key is deprecated


2nd Method:

Get the APT repository key

To add the Key first we need to download it from the website of the package you are installing. For example, here we are downloading the key file to add the Webmin repository on Debian, Kali, or any other Linux.

Note: The Key file you download may have a different extension as shown in this article, it could be .gpg, .asc, .key, or any other. However, the steps given here will be the same.

Install wget if you already don’t have that.

sudo apt install wget

After that use it to download the key

wget link-to download-the-key




Check the key is Valid

Verify the type of file is PGP Key, use the following command:

file your-downloaded.key

The result should be PGP public key block Public-Key (old).

Check the OpenPGP key Data is Valid


Create a keyring

Import your downloaded key and create a Keyring.

gpg --no-default-keyring --keyring ./your-repo-name_keyring.gpg --import downloaded-key

Replace the bold items in the above command syntax:


gpg --no-default-keyring --keyring ./webmin_keyring.gpg --import jcameron-key.asc

The output of the Example command:

gpg: keybox './web_keyring.gpg' created
gpg: /home/h2s/.gnupg/trustdb.gpg: trustdb created
gpg: key D97A3AE911F63C51: public key "Jamie Cameron <[email protected]>" imported
gpg: Total number processed: 1
gpg: imported: 1


Export the key 

Export the Key created in the above step to make a valid key to transfer to /etc/apt/trusted.gpg.d/ or /usr/share/keyrings

gpg --no-default-keyring --keyring ./above-created-keyring.gpg --export > ./repo-name-archive-keyring.gpg


gpg --no-default-keyring --keyring ./webmin_keyring.gpg --export > ./webmin-archive-keyring.gpg

Move the above-created key:


sudo mv ./webmin-archive-keyring.gpg /etc/apt/trusted.gpg.d/


Quick and Forceful Method

Although the methods given above are the recommended ones, however, still someone is looking for a quick method then here is the one.  It is a forceful method because we are not converting keys but instead directly moving  legacy keys to a trusted folder, it may be not a wise idea still if you are not finding any other way then here is the one to use:

cd /etc/apt
sudo cp trusted.gpg trusted.gpg.d




1 thought on “Debian 11 or Kali Linux ‘apt-key is deprecated’ Warning, here is the solution”

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.