Offline Master Key

Hauke Laging mailinglisten at
Mon May 2 17:19:38 CEST 2011

Am Montag, 2. Mai 2011, 16:47:31 schrieb patrickbx at

> My idea is to create a master signing key on an offline
> computer(persistent live usb).  Then create two subkeys that have regular
> expiration dates.  One encryption key and one additional "daily-use"
> signing key.

You can create the master key without any capability except for certification. 
It is theoretically possible to use several keys (main key and subkeys) within 
one key for signing and give the signatures different meanings (e.g. "daily 
use" vs. "high security") but I think that most people would not notice the 
difference. So IMHO the only reason for having several simultaneously valid 
keys with the same ability in one key is compatibility: Use the strongest key 
(and have the others use it) whenever possible, otherwise use the worse 

I think it's a good idea to have signature and encryption keys of different 
quality but I would advice to use different main keys for that. That allows 
the others to understand the difference from a simple look at the UID (when 
using comments like "daily use" and "high security").

> Would this create any
> problems for those reading and verifying my emails?

No. Subkeys are a normal feature. The default configuration creates keys with 
a subkey (not for signing though). Nobody except you should be able to realize 
whether your master key is stored online or offline.

> Would it be necessary to link to my key policy in my mail

No but it makes sense (independently of this question) to link it in your 
self-signature. See the option --set-policy-url though in the default 
configuration this URL is not shown (just hinted by a "P").

> or would it be seamless that my sub
> signing key is valid because it is signed by the master.

Yes, that's the concept of OpenPGP.

PGP: D44C 6A5B 71B0 427C CED3 025C BD7D 6D27 ECCB 5814
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 555 bytes
Desc: This is a digitally signed message part.
URL: </pipermail/attachments/20110502/f1cfe021/attachment.pgp>

More information about the Gnupg-users mailing list