gpg-agent question

David Shaw dshaw at jabberwocky.com
Fri Dec 12 14:11:00 CET 2003


On Fri, Dec 12, 2003 at 01:48:50PM -0500, Todd wrote:
> David Shaw wrote:
> > On Fri, Dec 12, 2003 at 12:52:26PM -0500, Todd wrote:
> [...]
> >> Just out of curiosity, is this to allow for some future version of
> >> gnupg that will allow you to have a different passphrase on a subkey
> >> than you have on the primary key?
> >
> > What future version?  You can do that today ;)
> 
> D'oh!  I think when I tried to do this a while back, I forgot to use
> the key command to specify that I wanted to work with the subkey, so I
> assumed that I couldn't have a separate passphrase for the subkey.
> That is all there is to it, right?

I was half kidding in my response.  GnuPG can handle this, but not
because of something special in GnuPG.  Having different passphrases
on different subkeys is a requirement of the OpenPGP format - each key
is encrypted by itself.  If the user happens to use a different
passphrase on each, then the end result is a different passphrase on
each.

The user interface in GnuPG doesn't allow you to make such a key, but
if you can do it elsewhere, GnuPG will properly handle the key.

The only way to do it right now is to manually build the key using
gpgsplit.  Export the secret key and gpgsplit it.  Then, change the
passphrase, re-export, and re-gpgsplit.  Now copy the subkey with the
new passphrase over the subkey with the old passphrase, leaving the
other packets intact.  Reassemble, and re-import the key.  It's a
hack.

David
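
The gpgsplit procedure described above works at the OpenPGP packet level: every secret-key and secret-subkey packet carries its own passphrase-protected material, so the packets of two exports can be spliced independently. The Python below is an added example, not code from the email or from GnuPG. It parses OpenPGP packet framing (RFC 4880 section 4.2) the way gpgsplit does, then copies the secret-subkey packet from a second export (made after the passphrase change) over the corresponding packet of the first export. The packet bodies are constructed labels standing in for real encrypted key material, and all function names are the example's own.

```python
import struct

# OpenPGP packet tags that appear in an exported secret key (RFC 4880 section 4.3)
SIGNATURE = 2
SECRET_KEY = 5
SECRET_SUBKEY = 7
USER_ID = 13


def encode_packet(tag, body):
    """Build an old-format packet header (RFC 4880 4.2.1) with a 2-octet length."""
    if not 0 <= tag <= 15:
        raise ValueError("old-format header only carries tags 0..15")
    if len(body) > 0xFFFF:
        raise ValueError("body too long for a 2-octet length field")
    ctb = 0x80 | (tag << 2) | 0x01          # bit 7 set, tag in bits 5..2, length-type 1
    return bytes([ctb]) + struct.pack(">H", len(body)) + body


def split_packets(data):
    """Split a packet stream into (tag, body) pairs, as gpgsplit splits it into files."""
    packets = []
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("invalid packet header at offset %d" % i)
        if ctb & 0x40:
            # New-format header (RFC 4880 4.2.2)
            tag = ctb & 0x3F
            first = data[i + 1]
            if first < 192:
                length, hlen = first, 2
            elif first < 224:
                length = ((first - 192) << 8) + data[i + 2] + 192
                hlen = 3
            elif first == 255:
                length = struct.unpack(">I", data[i + 2:i + 6])[0]
                hlen = 6
            else:
                raise ValueError("partial body lengths not supported here")
        else:
            # Old-format header: tag in bits 5..2, length-type in bits 1..0
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported here")
            hlen = 1 + (1 << ltype)              # 1, 2 or 4 length octets
            length = int.from_bytes(data[i + 1:i + hlen], "big")
        body = data[i + hlen:i + hlen + length]
        if len(body) != length:
            raise ValueError("truncated packet at offset %d" % i)
        packets.append((tag, body))
        i += hlen + length
    return packets


def swap_subkey(original, reexported, index=0):
    """Return `original` with its index-th secret-subkey packet taken from `reexported`.

    Only the subkey packet moves; primary key, user IDs and signatures stay as they were.
    The two exports must have the same packet layout, otherwise we refuse to splice.
    """
    orig = split_packets(original)
    new = split_packets(reexported)
    if [t for t, _ in orig] != [t for t, _ in new]:
        raise ValueError("packet layouts differ; refusing to splice")
    orig_subs = [i for i, (t, _) in enumerate(orig) if t == SECRET_SUBKEY]
    if index >= len(orig_subs):
        raise ValueError("no secret subkey with index %d" % index)
    pos = orig_subs[index]
    orig[pos] = new[pos]
    return b"".join(encode_packet(t, b) for t, b in orig)


# Constructed stand-ins for two exports of the same key. Real packets carry
# S2K-encrypted key material; these bodies are plain labels so the splice is visible.
def _fake_export(passphrase_label):
    return b"".join([
        encode_packet(SECRET_KEY, b"primary encrypted under passphrase " + passphrase_label),
        encode_packet(USER_ID, b"Todd <todd@example.invalid>"),
        encode_packet(SIGNATURE, b"self-signature"),
        encode_packet(SECRET_SUBKEY, b"subkey encrypted under passphrase " + passphrase_label),
        encode_packet(SIGNATURE, b"subkey binding signature"),
    ])


EXPORT_A = _fake_export(b"A")   # export before the passphrase change
EXPORT_B = _fake_export(b"B")   # export after changing the passphrase to B


def build_mixed_key():
    """Primary key stays under passphrase A; the subkey packet comes from export B."""
    return split_packets(swap_subkey(EXPORT_A, EXPORT_B))


if __name__ == "__main__":
    for tag, body in build_mixed_key():
        print(tag, body.decode())
```

The layout check is the one safeguard worth keeping when doing this by hand: if the two exports do not have the same packet sequence, you are no longer copying a single subkey packet over its own older version, and the reassembled keyring may pair a subkey with the wrong primary or binding signature.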
