GPG and 1024-bit (or multiple) subkeys

Todd Zullinger tmz at pobox.com
Tue Aug 15 19:23:53 CEST 2006


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Charles Franklin Bernard wrote:
> "By itself" meaning a key without any other subkey.  They want us to
> generate a new public key with only one subkey, and that at 2048-bit
> instead of 1024.

I'd ask them to explain why they think this is required by GnuPG and
why they believe it needs to be a new key.  I can understand that they
might desire a stronger encryption subkey (2048 vs. 1024), but if
they're only requesting this because they misunderstand how the system
works, then they are just wasting your time. :)

> I suppose we could also make a copy of our existing public key, then
> delete the 1024-bit subkey (keeping the 2048-bit subkey we recently
> added), but I'm hoping there's a command line argument/flag for GPG
> to encrypt a file using a public key with two subkeys, specifying
> the 2048-bit subkey and ignoring the 1024-bit subkey.

There is.  Just append a ! to the keyid.  See the section "How to
specify a user ID" in the gpg man page.

If you had a key like this:

pub   1024D/1B324765 2006-05-21
uid       [ultimate] Testing <tmz at localhost.localdomain>
sub   2048g/263C2EA4 2006-05-21
sub   4096g/9BDAA7FA 2006-08-15

You could tell gpg to encrypt to the 2048 subkey like so:

    $ gpg -e -r 263C2EA4! ...

(note that you may need to quote or otherwise protect the ! from being
interpreted by your shell.)

If the senders you are dealing with don't grok this, then export your
whole key, delete the 1024 subkey, export the pubkey containing only
the 2048 subkey for them and then import your full key again.

- -- 
Todd        OpenPGP -> KeyID: 0xBEAF0CE3 | URL: www.pobox.com/~tmz/pgp
======================================================================
Even if you're on the right track, you'll get run over if you just sit
there.
    -- Will Rogers

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQFDBAEBAgAtBQJE4gMoJhhodHRwOi8vd3d3LnBvYm94LmNvbS9+dG16L3BncC90
bXouYXNjAAoJEEMlk4u+rwzjhgYH/33peFQhKuPXxVXBOSRn6r1Ln1q3WeT6VnPD
vE3mwovHVgsPbANAZ3+XvY7/i9dMv7+9NbBdXwUzdJOI6rSmE5d/NdZ/bEmyLtGJ
j7wrCSPkMJow07EnWJT0NL2sdbbw4WdfzvXCGONZzwwkkUyKvEdqOcIWqAZ4jC6J
qcV4Aug4J7ryaWpm7ZYECj8k/h2r+wK7v1tA46yqups7ihDzwBrZFoZaziZTVnkX
Dv0XCFBFjD2Szja02cTs3FBBikSkbQnm2TPRqmf9e1xwhblmLNIGghdwadSNTvks
djDA9bKAN+Ei/OgapCDYeF6JWtnpvkqSjrRri19Dn6ddKTXydfE=
=+CBK
-----END PGP SIGNATURE-----
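The subkey selection Todd describes, worked through as an added example (this is not code from the original message or from GnuPG itself). It builds a constructed throwaway key with a sign-only primary and two encryption subkeys of different sizes, encrypts to each with the `!` suffix, and then reads the recipient key ID back out of the ciphertext with `--list-packets` to prove which subkey was actually used; without the `!`, gpg picks the newest usable encryption subkey. It also shows `gpg --export KEYID!`, which in GnuPG 2.1+ writes the primary key plus only the named subkey, as a one-step equivalent of the "export, delete the other subkey, export again" workflow at the end of the message. Assumptions: GnuPG 2.2 or later (for `--quick-gen-key`, `--quick-add-key` and loopback pinentry), an empty passphrase on the test key, and the user ID, key sizes and file names, which are all made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original message): pick a specific encryption
# subkey with the "!" suffix and verify, from the ciphertext itself, which
# subkey gpg actually encrypted to. Assumes GnuPG 2.2 or later.
set -e

# Non-interactive gpg: batch mode, empty passphrase via loopback pinentry.
g() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

make_test_key() {
    # Constructed test key: sign-only primary plus two encryption subkeys of
    # different sizes, created a second apart so their creation dates differ
    # (gpg's default choice is the newest usable encryption subkey).
    g --quick-gen-key 'Testing <tmz@localhost.localdomain>' rsa2048 sign never
    FPR=$(gpg --batch --with-colons --list-keys | awk -F: '$1=="fpr"{print $10; exit}')
    g --quick-add-key "$FPR" rsa2048 encr never
    sleep 1
    g --quick-add-key "$FPR" rsa3072 encr never
    # Long key IDs of the subkeys: field 5 of the "sub" records, in keyblock order.
    SUB_2048=$(gpg --batch --with-colons --list-keys "$FPR" | awk -F: '$1=="sub"{print $5; exit}')
    SUB_3072=$(gpg --batch --with-colons --list-keys "$FPR" | awk -F: '$1=="sub"{k=$5} END{print k}')
}

encrypt_to() {
    # $1 is the recipient exactly as it would be typed; the trailing "!" is
    # passed inside double quotes so the shell never sees it unquoted.
    printf 'hello\n' | gpg --batch --quiet --trust-model always -e -r "$1" -o "$2"
}

recipient_keyid() {
    # The session key is wrapped for exactly one key; --list-packets shows its
    # keyid in the pubkey-enc packet, which tells us which subkey was really used.
    gpg --batch --list-packets "$1" \
        | awk '/^:pubkey enc packet:/ { for (i = 1; i <= NF; i++) if ($i == "keyid") { print $(i+1); exit } }'
}

export_single_subkey() {
    # GnuPG 2.1+ shortcut for "export, delete the other subkey, export again":
    # exporting with "!" writes the primary key plus only the named subkey.
    gpg --batch --export "$1!" > "$2"
}

count_subkeys() {
    # Number of public subkey packets in an exported key file.
    gpg --batch --list-packets "$1" | awk '/^:public sub key packet:/ { n++ } END { print n + 0 }'
}

run_demo() {
    # Throwaway keyring so nothing here touches your real keys.
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT
    WORK="$GNUPGHOME/work"
    mkdir "$WORK"

    make_test_key
    encrypt_to "${SUB_2048}!" "$WORK/to-2048.gpg"   # force the 2048-bit subkey
    encrypt_to "${SUB_3072}!" "$WORK/to-3072.gpg"   # force the 3072-bit subkey
    encrypt_to "$FPR"         "$WORK/default.gpg"   # no "!": gpg picks the newest
    export_single_subkey "$SUB_2048" "$WORK/pub-2048-only.gpg"

    echo "2048-bit subkey: $SUB_2048"
    echo "3072-bit subkey: $SUB_3072"
    echo "to-2048.gpg encrypted to:   $(recipient_keyid "$WORK/to-2048.gpg")"
    echo "to-3072.gpg encrypted to:   $(recipient_keyid "$WORK/to-3072.gpg")"
    echo "default.gpg encrypted to:   $(recipient_keyid "$WORK/default.gpg")"
    echo "subkeys in stripped export: $(count_subkeys "$WORK/pub-2048-only.gpg")"
}

if command -v gpg >/dev/null 2>&1; then
    run_demo
else
    echo "gpg not found; nothing to demonstrate" >&2
fi
```

Run it as a plain script; the last three lines of output show the 2048-bit and 3072-bit key IDs landing in the files that named them with `!`, the default file going to the newer 3072-bit subkey, and the stripped export carrying a single subkey. Note that `gpg --list-packets` only reports which key the session key was wrapped for; whether the recipient can actually decrypt still depends on them having that subkey's secret half.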