GPG and 1024-bit (or multiple) subkeys

Todd Zullinger tmz at
Tue Aug 15 19:23:53 CEST 2006


Charles Franklin Bernard wrote:
> "By itself" meaning a key without any other subkey.  They want us to
> generate a new public key with only one subkey, and that at 2048-bit
> instead of 1024.

I'd ask them to explain why they think this is required by GnuPG and
why they believe it needs to be a new key.  I can understand that they
might desire a stronger encryption subkey (2048 vs. 1024), but if
they're only requesting this because they misunderstand how the system
works, then they are just wasting your time. :)

> I suppose we could also make a copy of our existing public key, then
> delete the 1024-bit subkey (keeping the 2048-bit subkey we recently
> added), but I'm hoping there's a command line argument/flag for GPG
> to encrypt a file using a public key with two subkeys, specifying
> the 2048-bit subkey and ignoring the 1024-bit subkey.

There is.  Just append a ! to the keyid.  See the section "How to
specify a user ID" in the gpg man page.

If you had a key like this:

pub   1024D/1B324765 2006-05-21
uid       [ultimate] Testing <tmz at localhost.localdomain>
sub   2048g/263C2EA4 2006-05-21
sub   4096g/9BDAA7FA 2006-08-15

You could tell gpg to encrypt to the 2048 subkey like so:

    $ gpg -e -r 263C2EA4! ...

(note that you may need to quote or otherwise protect the ! from being
interpreted by your shell.)

If the senders you are dealing with don't grok this, then export your
whole key, delete the 1024 subkey, export the pubkey containing only
the 2048 subkey for them and then import your full key again.

-- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL:
Even if you're on the right track, you'll get run over if you just sit
    -- Will Rogers
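A worked illustration of the "!" suffix described above, added here and not part of the original post or of GnuPG's own documentation: it builds a throwaway key with a sign-only primary and two encryption subkeys, encrypts once letting gpg choose and once with the key ID pinned, then reads the ciphertext's packet header to confirm which subkey was really used. It assumes GnuPG 2.2 or later on PATH; the user ID and file names are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Shows that "-r KEYID!" pins
# encryption to exactly that subkey, and verifies it from the ciphertext.
# Assumes GnuPG 2.2+ on PATH.
set -eu

GNUPGHOME=$(mktemp -d); export GNUPGHOME          # never touch the real keyring
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT

# Non-interactive gpg with an unprotected test key (empty passphrase).
g() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Primary key is sign-only; the two encryption subkeys mirror the post's
# "2048 plus a newer, larger one" layout (RSA here rather than ElGamal).
g --quick-gen-key 'Testing <tmz@example.invalid>' rsa2048 sign never
FPR=$(g --list-keys --with-colons | awk -F: '$1=="fpr"{print $10; exit}')
g --quick-add-key "$FPR" rsa2048 encr never
g --quick-add-key "$FPR" rsa3072 encr never

# Long key IDs of the subkeys in creation order (colon field 5 of "sub").
set -- $(g --list-keys --with-colons "$FPR" | awk -F: '$1=="sub"{print $5}')
SUB_OLD=$1; SUB_NEW=$2

# Which subkey was a message actually encrypted to? The public-key encrypted
# session-key packet names it; --list-packets prints "... keyid XXXXXXXX".
encrypted_to() {
    g --list-packets "$1" | awk '/^:pubkey enc packet:/ {print $NF; exit}'
}

printf 'test message\n' > "$GNUPGHOME/msg"

# Without "!", gpg selects an encryption subkey itself (normally the newest
# usable one).
g --trust-model always -e -r "$FPR" -o "$GNUPGHOME/default.gpg" "$GNUPGHOME/msg"

# With "!", the named subkey is used verbatim. Keep the "!" inside quotes so
# an interactive shell cannot treat it as history expansion.
g --trust-model always -e -r "${SUB_OLD}!" -o "$GNUPGHOME/pinned.gpg" "$GNUPGHOME/msg"

echo "default choice: $(encrypted_to "$GNUPGHOME/default.gpg") (newest sub: $SUB_NEW)"
echo "pinned  choice: $(encrypted_to "$GNUPGHOME/pinned.gpg") (requested: $SUB_OLD)"
```

The same packet check works on a file a correspondent sends you, which is the quickest way to confirm whether their tooling honoured the pinned subkey.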
