Add sign key only?

David Shaw dshaw at
Sat Dec 11 22:51:56 CET 2010

On Dec 11, 2010, at 4:42 PM, Ben McGinnes wrote:

> On 12/12/10 8:03 AM, David Shaw wrote:
>> GPG has an option to create a special key like this.  Basically,
>> after you make your backup copy, run:
>>  gpg --export-secret-subkeys (thekey) > my-subkeys-only.gpg
>> Then delete the real secret key (make sure you have a backup!):
>>  gpg --delete-secret-key (thekey)
>> And import the special no-primary-key version:
>>  gpg --import my-subkeys-only.gpg
> Awesome, thanks.
>> The key will then work just like any other key, except that it can't
>> sign other keys, and it can't make more subkeys (since you need the
>> primary to do that).  The only visible difference is a "#" sign
>> after the "sec" when you --list-secret-keys.
> Cool.  What difference (if any) does this make to the
> generation/export of the public key?  And, more to the point, is it
> best to provide a public key block generated without the presence of
> the primary key or not?

No difference.  The public key is completely separate from the private key in this regard, so it makes no difference if the primary key is present or not.

>> If your subkeys are compromised, or you need a new subkey, or want
>> to sign someone elses key, you bring back your backed up copy of the
>> full key, do what you need to do, and then go back to the
>> no-primary-key version.
> Cool.  Now that I think about it, anyone needing to check a signature
> one added to their key would need a public key that included data from
> the primary key.  Did I just answer my own question?

They'd need the public half of the primary key, but that's part of your public key.  The --export-secret-subkeys trick doesn't touch the public key (no point - it's public), so anyone who wants to check a key signature can do that.


More information about the Gnupg-users mailing list