Add sign key only?

Grant Olson kgo at
Sat Dec 11 21:42:15 CET 2010

On 12/11/10 3:25 PM, Chris Poole wrote:
>> If you were forced to disclose your encryption key, you could give them just that particular subkey and not give them the signing subkey at all.
> But isn't the likelihood that they'll get your passphrase too, so the
> security lies in the hope that they don't have access to the signing
> subkey? This seems quite likely to me... I doubt they'd let you go
> away and send them just the encryption/decryption key.

If you're voluntarily handing the key over to the authorities because of
a court order or something, you could delete the signing key, change the
passphrase, run export-secret-subkeys, and they'll still get everything
they want.  Having a seperate encryption key probably doesn't help with
a malicious attacker, or someone who's forcing you to hand over the key
with a rubber hose.


"I am gravely disappointed. Again you have made me unleash my dogs of war."

More information about the Gnupg-users mailing list