Add sign key only?
Chris Poole
lists at chrispoole.com
Sat Dec 11 17:36:46 CET 2010
I have been using gpg for a while now, with just one subkey for signing and
encryption.
I decided I wanted a separate key for signing, so if I have to give away my
private key for decrypting documents, they can't use it to impersonate me too.
Listing my keys was like this:
pub 1024D/BAD246F9 created: 2006-03-31 expires: never usage: SC
sub 4096g/E71D7B3E created: 2006-03-31 expires: never usage: E
So I ran `gpg --edit-key BAD246F9`, and `addkey`. I chose DSA (sign only)
2048-bit. My keychain looks like this now:
pub 1024D/BAD246F9 created: 2006-03-31 expires: never usage: SC
sub 4096g/E71D7B3E created: 2006-03-31 expires: never usage: E
sub 2048D/7ED39759 created: 2010-12-11 expires: never usage: S
It seems like I've done the right thing: I have a key for encryption, and one
for signing. It seems like my main public key is also allowed for signing too:
is this right?
Also, since I have two subkeys for encryption and signing, both use the same
passphrase, so I don't see how it'll stop anyone who gets my encryption key
from being able to sign documents as me too.
Have I done it right?
(Also, my public key has now changed, which I guess is to be expected.)
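As an added example (not part of the post or of GnuPG itself), a small Python check of the machine-readable listing: it parses `gpg --list-keys --with-colons` records and reports which key IDs can sign and which can encrypt, so one can confirm that the signing and encryption capabilities sit on different subkeys and see that the primary key's own "sc" flags are separate from the subkeys'. The embedded listing is constructed to mirror the second listing above, with the post's short key IDs standing in for the long IDs gpg prints.

```python
"""Report which capability each key in a GnuPG colon listing carries.

In `gpg --list-keys --with-colons` output, field 1 is the record type
(pub/sub), field 3 the size, field 4 the algorithm number, field 5 the key
ID and field 12 the capabilities.  Lowercase letters in field 12 are the
key's own capabilities (s=sign, e=encrypt, c=certify, a=auth); uppercase
letters on the pub record summarise the whole key and are ignored here.
"""
from dataclasses import dataclass

ALGO_NAMES = {1: "RSA", 16: "ELG-E", 17: "DSA"}


@dataclass
class Key:
    kind: str    # "pub" (primary) or "sub"
    bits: int
    algo: str
    keyid: str
    caps: str    # own capabilities only, e.g. "sc", "e", "s"


def parse_colon_listing(text):
    """Return a Key for every pub/sub record in a --with-colons listing."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) < 12 or f[0] not in ("pub", "sub"):
            continue
        own = "".join(ch for ch in f[11] if ch.islower())
        keys.append(Key(f[0], int(f[2]), ALGO_NAMES.get(int(f[3]), f[3]), f[4], own))
    return keys


def capability_report(keys):
    """Which key IDs sign, which encrypt, and whether any single key does both."""
    return {
        "sign": [k.keyid for k in keys if "s" in k.caps],
        "encrypt": [k.keyid for k in keys if "e" in k.caps],
        "sign_and_encrypt": [k.keyid for k in keys if "s" in k.caps and "e" in k.caps],
        "primary_can_sign": any(k.kind == "pub" and "s" in k.caps for k in keys),
    }


# Constructed listing mirroring the post's second key listing; the short key
# IDs from the post stand in for the 16-hex long IDs real gpg output carries.
SAMPLE = """\
pub:-:1024:17:BAD246F9:2006-03-31:::-:::scESC:
sub:-:4096:16:E71D7B3E:2006-03-31::::::e:
sub:-:2048:17:7ED39759:2010-12-11::::::s:
"""
```

Run `capability_report(parse_colon_listing(SAMPLE))`; an empty `sign_and_encrypt` list means no single key in the listing both signs and decrypts, which is the separation the post is after.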