Add sign key only?

Ben McGinnes ben at
Sat Dec 11 22:42:27 CET 2010

On 12/12/10 8:03 AM, David Shaw wrote:
> GPG has an option to create a special key like this.  Basically,
> after you make your backup copy, run:
>   gpg --export-secret-subkeys (thekey) > my-subkeys-only.gpg
> Then delete the real secret key (make sure you have a backup!):
>   gpg --delete-secret-key (thekey)
> And import the special no-primary-key version:
>   gpg --import my-subkeys-only.gpg

Awesome, thanks.

> The key will then work just like any other key, except that it can't
> sign other keys, and it can't make more subkeys (since you need the
> primary to do that).  The only visible difference is a "#" sign
> after the "sec" when you --list-secret-keys.

Cool.  What difference (if any) does this make to the
generation/export of the public key?  And, more to the point, is it
best to provide a public key block generated without the presence of
the primary key or not?

> If your subkeys are compromised, or you need a new subkey, or want
> to sign someone elses key, you bring back your backed up copy of the
> full key, do what you need to do, and then go back to the
> no-primary-key version.

Cool.  Now that I think about it, anyone needing to check a signature
one added to their key would need a public key that included data from
the primary key.  Did I just answer my own question?


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20101212/8356f48b/attachment.pgp>

More information about the Gnupg-users mailing list