Add sign key only?

David Shaw dshaw at
Sat Dec 11 22:03:22 CET 2010

On Dec 11, 2010, at 3:06 PM, Ben McGinnes wrote:

> On 12/12/10 7:00 AM, David Shaw wrote:
>> If you were forced to disclose your encryption key, you could give
>> them just that particular subkey and not give them the signing
>> subkey at all.  What some people (me, among others) do in addition
>> to this, is to remove the primary key and store it offline.  That
>> way even if it's an accidental leak of the key (rather than a
>> compelled one), the primary key is safe.  Since the primary key can
>> be used to revoke the old subkeys and make new ones, this is a very
>> safe way to handle keys.
> Obviously the offline storage/copy would include the subkeys and
> essentially be a backup of all 3, but how is the primary key removed
> from the two subkeys in the keyring?

GPG has an option to create a special key like this.  Basically, after you make your backup copy, run:

  gpg --export-secret-subkeys (thekey) > my-subkeys-only.gpg

Then delete the real secret key (make sure you have a backup!):

  gpg --delete-secret-key (thekey)

And import the special no-primary-key version:

  gpg --import my-subkeys-only.gpg

The key will then work just like any other key, except that it can't sign other keys, and it can't make more subkeys (since you need the primary to do that).  The only visible difference is a "#" sign after the "sec" when you --list-secret-keys.

If your subkeys are compromised, or you need a new subkey, or want to sign someone elses key, you bring back your backed up copy of the full key, do what you need to do, and then go back to the no-primary-key version.


More information about the Gnupg-users mailing list