A few newbie questions, I'am doing this right?

Roy Sindre Norangshol roy.sindre at norangshol.no
Wed Dec 12 19:28:18 CET 2012

Hello list!

I'm trying to setup my gpg setup properly for the first time, and wondering if
this setup seems fine:

Master keypair with only the «certificate» as it's only role, this master
keypair I'll only use for:

* signing someone else's key
* creating a new subkey
* revoking a subkey

as mentioned on debian's wiki[1] and will be stored offline on my private
encrypted usb thumbdrive and only used on my own secure equipment (fully
encrypted laptop or home computer) (planning to buy a cryptostick[2] after new

So I've created 3 seperate subkeys for each role:

* sign (2y expire)
* auth (2y expire)
* encryption (never)

I assume two year expire on sign and auth is good and requirements me to redo
sign and auth subkeypairs every each year to «show I'am alive and kicking».
Encryption is set to never, if it gets compromised I'll have to reencrypt all
my stuff that I want to keep safe anyway and wipe existing old copies.
Encryption key I will only have at home, laptop and server stationed at my
parents (used for mutt) which are all fully encrypted.

I've attached two identities (roy.sindre at norangshol.no and my current identity
at work.)

I thought I could create two additional subkeys (sign and auth) for use at work
for my work identity, in case these subkeys gets compromised I can easily
revoke these two keys and create new ones to use at work and don't need to
worry about building a whole new web-of-trust since signing happens with my
master key which is securly stored offline. 

Is this partly okey as long as I use those additional work subkeys only at work
and not my other ones? (planning to store them on my workstation which I guess
is insecure as techies can remotly access it.))

If an encryption shows up as a requirement later at work, I guess there is no
problems later to add an additional encryption subkey to use at work if I
understand this correctly?

Since I'm using subkeys I don't have to «redo» the web-of-trust/signing when
renewing my subkeys, right?

I'am missing something huge or does this setup look okey? :-)

Kinda want to properly setup this before attending any kind of signing parties.
Thank you in advance!

[1] http://wiki.debian.org/subkeys
[2] http://www.crypto-stick.com/
Roy Sindre Norangshol
roy.sindre at norangshol.no

More information about the Gnupg-users mailing list