Add sign key only?
Ben McGinnes
ben at adversary.org
Sat Dec 11 22:42:27 CET 2010
On 12/12/10 8:03 AM, David Shaw wrote:
>
> GPG has an option to create a special key like this. Basically,
> after you make your backup copy, run:
>
> gpg --export-secret-subkeys (thekey) > my-subkeys-only.gpg
>
> Then delete the real secret key (make sure you have a backup!):
>
> gpg --delete-secret-key (thekey)
>
> And import the special no-primary-key version:
>
> gpg --import my-subkeys-only.gpg
Awesome, thanks.
> The key will then work just like any other key, except that it can't
> sign other keys, and it can't make more subkeys (since you need the
> primary to do that). The only visible difference is a "#" sign
> after the "sec" when you --list-secret-keys.
Cool. What difference (if any) does this make to the
generation/export of the public key? And, more to the point, is it
best to provide a public key block generated without the presence of
the primary key or not?
> If your subkeys are compromised, or you need a new subkey, or want
> to sign someone else's key, you bring back your backed up copy of the
> full key, do what you need to do, and then go back to the
> no-primary-key version.
Cool. Now that I think about it, anyone needing to check a signature
one added to their key would need a public key that included data from
the primary key. Did I just answer my own question?
Regards,
Ben
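The export/delete/re-import procedure from David's reply, walked through end to end in a throwaway GNUPGHOME. This is an added example, not a script from the thread or from the GnuPG project: it generates a constructed passphrase-less test key (user ID `Example User <user@example.invalid>`), takes a full backup, performs the three steps, and then checks the things Ben asks about: the `sec#` marker appears, the public key export is byte-for-byte the same before and after, and a signing subkey still signs without the primary. It assumes GnuPG 2.1 or later on PATH, where `--delete-secret-keys` needs `--batch --yes` plus the fingerprint to run unattended.

```shell
#!/bin/sh
# Added example (not part of the original thread). Everything here runs
# inside a temporary GNUPGHOME so the real keyring is never touched.
set -e

# Return 0 if --list-secret-keys shows a primary whose secret part is offline.
primary_is_offline() {
    LC_ALL=C gpg --list-secret-keys 2>/dev/null | grep -q '^sec#'
}

demo_offline_primary() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; skipping"; return 0; }
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT

    # Constructed test key: primary (certify+sign) with an encryption subkey,
    # plus a separate signing subkey so everyday signing never needs the primary.
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Example User <user@example.invalid>' default default never
    fpr=$(gpg --list-secret-keys --with-colons | awk -F: '$1=="fpr"{print $10; exit}')
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-add-key "$fpr" default sign never

    # Backup first: this is the copy you bring back when the primary is needed.
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --export-secret-keys "$fpr" > "$GNUPGHOME/full-backup.gpg"
    # Public key as exported while the primary secret is still present.
    gpg --export "$fpr" > "$GNUPGHOME/pub-before.gpg"

    # Step 1: subkeys-only export (the primary secret is replaced by a stub).
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --export-secret-subkeys "$fpr" > "$GNUPGHOME/my-subkeys-only.gpg"
    # Step 2: delete the real secret key (unattended form of --delete-secret-key).
    gpg --batch --yes --delete-secret-keys "$fpr"
    # Step 3: import the no-primary-key version.
    gpg --batch --import "$GNUPGHOME/my-subkeys-only.gpg"

    # Check 1: the listing now carries the "#" after "sec".
    primary_is_offline || { echo "expected sec# marker"; return 1; }
    # Check 2: the public key block is unchanged; it never depended on the secret primary.
    gpg --export "$fpr" > "$GNUPGHOME/pub-after.gpg"
    cmp -s "$GNUPGHOME/pub-before.gpg" "$GNUPGHOME/pub-after.gpg" \
        || { echo "public export changed"; return 1; }
    # Check 3: the signing subkey still produces signatures without the primary.
    echo hello | gpg --batch --pinentry-mode loopback --passphrase '' \
        -u "$fpr" --detach-sign >/dev/null || { echo "subkey signing failed"; return 1; }
    echo "primary offline (sec#), public export unchanged, subkey signing works"
}

demo_offline_primary && DEMO_RESULT=ok
```

Run it as a plain script; it prints one summary line and cleans up the temporary keyring on exit. The `cmp` check is the direct answer to the question about public key export: deleting the secret primary only touches the private keyring, so the exported public key block (which carries the primary's public part and its self-signatures) is identical whether or not the primary secret is present.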