Add sign key only?

David Shaw dshaw at
Sat Dec 11 21:57:00 CET 2010

On Dec 11, 2010, at 3:25 PM, Chris Poole wrote:

>> If you were forced to disclose your encryption key, you could give them just that particular subkey and not give them the signing subkey at all.
> But isn't the likelihood that they'll get your passphrase too, so the
> security lies in the hope that they don't have access to the signing
> subkey? This seems quite likely to me... I doubt they'd let you go
> away and send them just the encryption/decryption key.

It depends on what they ask for.  Without getting into legal issues, it's foolish to hand over more than is requested (or demanded).  If they ask for the decryption key, I certainly wouldn't send them the signing key.  Why would I?  They didn't ask for it.  If they ask for everything, then it's a different story.

Plus, you can change the passphrase on the encryption key (or just remove the passphrase altogether) before you send it to them.  There is no need to give them your passphrase unless, again, they are demanding it.

> Also, my public key has changed now to reflect this extra key, but the
> fingerprint remains the same. I just need to send this new key to the
> keyserver? I don't have to re-generate a revoke certificate, since my
> encryption subkey hasn't changed, right?

Just send it to the keyserver, and you'll be fine.  The revoke certificate applies to the key as a whole, so it doesn't matter what you do with subkeys.  Whatever happens with subkeys, the revoke certificate will work.


More information about the Gnupg-users mailing list