Add sign key only?

Ben McGinnes ben at
Sat Dec 11 21:06:59 CET 2010

On 12/12/10 7:00 AM, David Shaw wrote:
> If you were forced to disclose your encryption key, you could give
> them just that particular subkey and not give them the signing
> subkey at all.  What some people (me, among others) do in addition
> to this, is to remove the primary key and store it offline.  That
> way even if it's an accidental leak of the key (rather than a
> compelled one), the primary key is safe.  Since the primary key can
> be used to revoke the old subkeys and make new ones, this is a very
> safe way to handle keys.

Obviously the offline storage/copy would include the subkeys and
essentially be a backup of all 3, but how is the primary key removed
from the two subkeys in the keyring?
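
One way to check a keyring for the layout David Shaw describes (primary secret key absent, subkeys still usable), as an added example that is not part of the original message. It assumes the GnuPG 2.1+ colon listing documented in doc/DETAILS, where field 15 of a `sec`/`ssb` record is `#` for a stub whose secret material is missing; the function names and sample key IDs are constructed for illustration.

```shell
#!/bin/sh
# Usage on a real keyring:
#   gpg --list-secret-keys --with-colons | check_offline_primary
# Exit status: 0 = primary offline and a subkey usable, 1 = layout wrong,
# 2 = no secret keys in the listing.
check_offline_primary() {
    awk -F: '
        $1 == "sec" {                      # primary key record
            keys++
            if ($15 == "#") state = "offline"
            else { state = "PRESENT"; exposed++ }
            printf "primary %s caps=%s secret=%s\n", $5, $12, state
        }
        $1 == "ssb" {                      # subkey record
            if ($15 == "#") state = "missing"
            else { state = "present"; usable++ }
            printf "subkey  %s caps=%s secret=%s\n", $5, $12, state
        }
        END {
            if (keys == 0)   { print "no secret keys listed"; exit 2 }
            if (exposed > 0) { print "FAIL: primary secret key is on this keyring"; exit 1 }
            if (usable == 0) { print "FAIL: no usable secret subkey"; exit 1 }
            print "OK: primary offline, subkeys usable"
        }'
}

# Constructed sample: primary is a stub (#), both subkeys are present (+).
sample_offline() {
    cat <<'EOF'
sec:u:4096:1:AAAAAAAAAAAAAAAA:1292000000:::u:::scESC:::#:
ssb:u:2048:1:BBBBBBBBBBBBBBBB:1292000000::::::e:::+:
ssb:u:2048:1:CCCCCCCCCCCCCCCC:1292000000::::::s:::+:
EOF
}

# Constructed sample: the primary secret key is still on the keyring.
sample_full() {
    cat <<'EOF'
sec:u:4096:1:AAAAAAAAAAAAAAAA:1292000000:::u:::scESC:::+:
ssb:u:2048:1:BBBBBBBBBBBBBBBB:1292000000::::::e:::+:
EOF
}

sample_offline | check_offline_primary
```

A primary key held on a smartcard shows a serial number in field 15 rather than `#`, so this check reports it as present.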


