Offline Master Key

Jerome Baum jerome at jeromebaum.com
Mon May 2 17:14:09 CEST 2011


On Mon, May 2, 2011 at 16:47, <patrickbx at lavabit.com> wrote:

> My idea is to create a master signing key on an offline
> computer (persistent live USB).  Then create two subkeys that have regular
> expiration dates.  One encryption key and one additional "daily-use"
> signing key.  I would post my master key in my signature and use it to
> sign the sub-keys.  When sending mail I would use my daily use key to sign
> my messages.  I would only access and use my master key when it is
> necessary to sign other keys and update my sub keys. Would this create any
> problems for those reading and verifying my emails?


If you are talking about actual sub-keys (not separate keys that are only
semantically "sub-keys"), then there is no problem. However, they might have
to get the latest key copy including the sub-keys to verify, and they
definitely need the encryption sub-key to encrypt.


> Would it be necessary
> to link to my key policy in my mail or would it be seamless that my sub
> signing key is valid because it is signed by the master.
>

An encryption sub-key is used to encrypt to the resp. uid on the master key.
A signing sub-key is implied to belong to the same uid as well. So, it's
seamless.

-- 
Jerome Baum

Telefon: +49-1578-8434336
E-Mail: jerome at jeromebaum.com
-- 
PGP: A0E4 B2D4 94E6 20EE 85BA E45B 63E4 2BD8 C58C 753A
PGP: 2C23 EBFF DF1A 840D 2351 F5F5 F25B A03F 2152 36DA
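The layout the poster describes, and the two consequences Jerome points out (a correspondent with a stale copy of the key cannot verify signatures made with a later signing subkey, and cannot encrypt at all without the encryption subkey), can be reproduced end to end with GnuPG. The script below is an added example, not code from the thread; it assumes GnuPG 2.1 or later, uses a made-up user ID, and builds three throwaway keyrings: "offline" for the certify-only master, "daily" for the machine that only holds the secret subkeys, and "peer" for a correspondent who first has an old export of the public key and then refreshes it.

```shell
#!/bin/sh
# Added example (not from the original thread): certify-only master key,
# expiring signing/encryption subkeys, secret subkeys alone on the daily
# machine, and what a correspondent can do with an old vs. current public key.
# Assumes GnuPG >= 2.1; the user ID and file names are constructed for the demo.
set -e

# Run gpg against a given GNUPGHOME, unattended and without a passphrase.
g() { _h=$1; shift; GNUPGHOME="$_h" gpg --batch --quiet --no-tty \
        --pinentry-mode loopback --passphrase '' "$@"; }

demo_offline_master() {
    # Only GnuPG 2.x has --quick-generate-key / --quick-add-key.
    if ! gpg --version 2>/dev/null | head -n1 | grep -q ' 2\.'; then
        echo SKIP; return 0
    fi
    work=$(mktemp -d)
    OFF="$work/offline"; DAILY="$work/daily"; PEER="$work/peer"
    mkdir -m 700 "$OFF" "$DAILY" "$PEER"
    trap 'for h in "$OFF" "$DAILY" "$PEER"; do GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null; done; rm -rf "$work"' EXIT

    UID_STR="Example User <example@example.invalid>"   # constructed user ID

    # 1. Master key: usage "cert" only, never expires. It certifies subkeys and
    #    other people's keys; it is never used to sign or decrypt mail.
    g "$OFF" --quick-generate-key "$UID_STR" ed25519 cert never
    FPR=$(GNUPGHOME="$OFF" gpg --batch --with-colons --list-secret-keys \
          | awk -F: '/^fpr/ {print $10; exit}')
    # Public key as a correspondent might have cached it before any subkey existed.
    g "$OFF" --armor --export "$FPR" > "$work/pub-old.asc"

    # 2. Daily-use subkeys with a regular expiry, signed by the master.
    g "$OFF" --quick-add-key "$FPR" ed25519 sign 1y
    g "$OFF" --quick-add-key "$FPR" cv25519 encr 1y
    g "$OFF" --armor --export "$FPR" > "$work/pub-new.asc"

    # 3. Only the secret subkeys travel to the online machine. Its keyring then
    #    shows "sec#": a stub where the master's secret material would be.
    g "$OFF" --armor --export-secret-subkeys "$FPR" > "$work/subkeys.asc"
    g "$DAILY" --import "$work/subkeys.asc" 2>/dev/null
    stub=no
    GNUPGHOME="$DAILY" gpg --batch --list-secret-keys 2>/dev/null | grep -q '^sec#' && stub=yes

    # 4. Sign a message on the daily machine; gpg picks the signing subkey.
    printf 'hello\n' > "$work/msg.txt"
    g "$DAILY" --armor --detach-sign --output "$work/msg.sig" "$work/msg.txt"

    # 5. Correspondent with the OLD public key: the signature was made by a
    #    subkey they have never seen, and the key has no encryption subkey.
    g "$PEER" --import "$work/pub-old.asc" 2>/dev/null
    old_verify=fail; old_encrypt=fail
    g "$PEER" --verify "$work/msg.sig" "$work/msg.txt" 2>/dev/null && old_verify=ok
    g "$PEER" --trust-model always --encrypt --recipient "$FPR" \
        --output "$work/old.gpg" "$work/msg.txt" 2>/dev/null && old_encrypt=ok

    # 6. After refreshing to the current key (master + subkeys), both work,
    #    with no extra policy needed: the subkeys are bound to the master by
    #    its own signature.
    g "$PEER" --import "$work/pub-new.asc" 2>/dev/null
    new_verify=fail; new_encrypt=fail
    g "$PEER" --verify "$work/msg.sig" "$work/msg.txt" 2>/dev/null && new_verify=ok
    g "$PEER" --trust-model always --encrypt --recipient "$FPR" \
        --output "$work/new.gpg" "$work/msg.txt" 2>/dev/null && new_encrypt=ok

    echo "stub:$stub old-verify:$old_verify old-encrypt:$old_encrypt new-verify:$new_verify new-encrypt:$new_encrypt"
}

demo_offline_master
```

The practical lesson for correspondents is the refresh step: when the subkeys are rotated, they need to re-fetch the public key (from a keyserver or the sender's web page) before the new signatures verify or new mail can be encrypted to the new subkey.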