Offline Master Key
gollo at fsfe.org
Mon May 2 16:54:03 CEST 2011
* patrickbx at lavabit.com <patrickbx at lavabit.com> [110502 16:50,
mID <7184.108.40.206.25.1304347651.squirrel at lavabit.com>]:
> I have question on key management and was looking for some feedback. My
> issue is that I like the idea of having a Master signing key with no
> expiration date and I want to store this key offline without the
> inconvenience of using an offline computer every time i'd like to send a
> signed/encrypted message.
> My idea is to create a master signing key on an offline
> computer(persistent live usb). Then create two subkeys that have regular
> expiration dates. One encryption key and one additional "daily-use"
> signing key. I would post my master key in my signature and use it to
> sign the sub-keys. When sending mail I would use my daily use key to sign
> my messages. I would only access and use my master key when it is
> necessary to sign other keys and update my sub keys. Would this create any
> problems for those reading and verifying my emails? Would it be necessary
> to link to my key policy in my mail or would it be seamless that my sub
> signing key is valid because it is signed by the master.
If you follow the steps of the howto at  without using a smartcard
(i.e. you don't move the subkeys to a OpenPGP card, but keep them in the
keyring), this should work without problems. You can then sign and
decrypt files with the subkeys (if you do it right, people will encrypt
messages to the correct subkey *only*).
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 490 bytes
Desc: not available
More information about the Gnupg-users