Add sign key only?
ben at adversary.org
Sat Dec 11 22:42:27 CET 2010
On 12/12/10 8:03 AM, David Shaw wrote:
> GPG has an option to create a special key like this. Basically,
> after you make your backup copy, run:
> gpg --export-secret-subkeys (thekey) > my-subkeys-only.gpg
> Then delete the real secret key (make sure you have a backup!):
> gpg --delete-secret-key (thekey)
> And import the special no-primary-key version:
> gpg --import my-subkeys-only.gpg
> The key will then work just like any other key, except that it can't
> sign other keys, and it can't make more subkeys (since you need the
> primary to do that). The only visible difference is a "#" sign
> after the "sec" when you --list-secret-keys.
Cool. What difference (if any) does this make to the
generation/export of the public key? And, more to the point, is it
best to provide a public key block generated without the presence of
the primary key or not?
> If your subkeys are compromised, or you need a new subkey, or want
> to sign someone else's key, you bring back your backed up copy of the
> full key, do what you need to do, and then go back to the
> no-primary-key version.
Cool. Now that I think about it, anyone needing to check a signature
one added to their key would need a public key that included data from
the primary key. Did I just answer my own question?
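To rehearse the steps David described without touching a real keyring, here is an added shell example (not from this thread); it assumes GnuPG 2.1 or later, a constructed throwaway user ID, and a temporary GNUPGHOME, and it checks the "#" marker, that signing with a subkey still works, and that adding a subkey is refused once the primary is gone.

```shell
#!/bin/sh
# Added example, not from the thread: rehearses the export/delete/import
# steps in a throwaway GNUPGHOME so a real keyring is never touched.
# Assumes GnuPG 2.1+ (--quick-* commands, loopback pinentry) and awk.
set -eu

# Demo keys are unprotected (empty passphrase) so the run is unattended.
g() { gpg --batch --pinentry-mode loopback --passphrase '' "$@"; }

# Create a demo key (constructed user ID) with a sign and an encrypt subkey,
# then replace the secret primary with the subkeys-only stub.
# Sets FPR to the primary fingerprint and leaves GNUPGHOME exported.
make_subkeys_only_key() {
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    g --quick-generate-key 'Demo User <demo@example.invalid>' rsa2048 cert 0 2>/dev/null
    FPR=$(g --with-colons --list-secret-keys | awk -F: '$1=="fpr"{print $10; exit}')
    g --quick-add-key "$FPR" rsa2048 sign 0 2>/dev/null
    g --quick-add-key "$FPR" rsa2048 encr 0 2>/dev/null
    # 1. Back up the full secret key first ("make sure you have a backup!").
    g --export-secret-keys "$FPR" > "$GNUPGHOME/full-backup.gpg"
    # 2. Export the subkeys-only copy; the primary becomes a stub in it.
    g --export-secret-subkeys "$FPR" > "$GNUPGHOME/subkeys-only.gpg"
    # 3. Delete the real secret key (the public key stays in the keyring).
    g --yes --delete-secret-keys "$FPR"
    # 4. Import the no-primary-key version.
    g --import "$GNUPGHOME/subkeys-only.gpg" 2>/dev/null
}

# Field 15 of the "sec" colon record is "#" for a stub, the same "#" that
# --list-secret-keys prints after "sec" in its human-readable listing.
stub_marker() { g --with-colons --list-secret-keys "$1" | awk -F: '$1=="sec"{print $15}'; }

# Signing still works: the sign subkey's secret material is present.
can_sign() { printf 'hello\n' | g --local-user "$1" --sign >/dev/null 2>&1; }

# Adding a subkey needs the primary secret key, so this must now fail.
can_add_subkey() { g --quick-add-key "$1" rsa2048 auth 0 >/dev/null 2>&1; }

cleanup_demo() { gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"; }

if [ "${1:-}" = "run" ]; then
    make_subkeys_only_key
    echo "stub marker on sec record: $(stub_marker "$FPR")"
    can_sign "$FPR" && echo "signing with the subkey: ok"
    can_add_subkey "$FPR" || echo "adding a subkey without the primary: refused"
    cleanup_demo
fi
```

Run it as `sh demo.sh run`; the full-backup.gpg it writes is the copy you would bring back when a subkey is compromised or a new one is needed.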