key management & APG

Hauke Laging mailinglisten at
Sat Aug 3 14:51:25 CEST 2013

On Sat 03.08.2013, 12:16:56, ix4svs at wrote:

> On 30 July 2013 22:30, <ix4svs at> wrote:

> > I only need one GPG identity for now. I also use GPG on devices of two
> > classes: "Secure" and "insecure". I would like to take some operational
> > security (OPSEC) precautions to minimize my pain when my insecure devices
> > get compromised.

You should consider using two keys for the same identity and very obviously 
give them different security levels.  IMHO that's what we all are going to do 
in five years.

Then the sender can decide how confidential the information is (or how 
reliable the signature must be).

> > 2. Export the full keyring and keep it somewhere safe (on a few offline
> > systems).

There is no need to export the keyring. Just export the whole key:

gpg --armor --export-secret-keys 0x12345678 > 0x12345678.secret-mainkey.asc

export the subkeys only

gpg --armor --export-secret-subkeys 0x12345678 > 0x12345678.secret-subkeys.asc

delete the secret keys

gpg --delete-secret-key 0x12345678

and import the subkeys only

gpg --import 0x12345678.secret-subkeys.asc

It's not important where you store the offline mainkey. You may even put it on 
your web site. Just make sure that your passphrase is cryptographically safe 
(16+ chars [a-zA-Z0-9] and never entered on an insecure system).

> > 3. Create an "insecure" keyring with the original signing subkey missing
> > (as described in )

To me this seems to be a really strange article. My advice is to ignore that.

Crypto für alle:
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
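
Added example, not part of the original message: a shell check to run on the insecure device after the export / delete / import steps above, confirming that the primary secret key is only a stub while the subkey secrets are present. It relies on field 15 of gpg's --with-colons listing being '#' for a stub; the function names and the sample records (key IDs, user ID) are constructed for illustration.

```shell
#!/bin/sh
# Reads `gpg --list-secret-keys --with-colons` output on stdin.
# In sec/ssb records, field 15 is '#' when only a stub (no secret material)
# is stored locally.
#   exit 0: every primary key is a stub and at least one subkey secret exists
#   exit 1: a primary secret key is still stored on this device
#   exit 2: no secret key listed, or no usable secret subkey (import missing?)
check_offline_primary() {
    awk -F: '
        $1 == "sec" {
            nsec++
            if ($15 != "#") {
                bad++
                print "primary secret still present: " $5 > "/dev/stderr"
            }
        }
        $1 == "ssb" && $15 != "#" { nsub++ }
        END {
            if (bad > 0) exit 1
            if (nsec == 0 || nsub == 0) exit 2
            exit 0
        }'
}

# Constructed listing: the state expected after importing the subkeys only.
sample_after_procedure() {
    cat <<'EOF'
sec:u:4096:1:AAAAAAAAAAAAAAAA:1375531200:::u:::scESC:::#:
uid:u::::1375531200::0000::Example User <user@example.invalid>:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1375531200::::::e:::+:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1375531200::::::s:::+:
EOF
}

# Constructed listing: the full key is still in the local keyring.
sample_full_key() {
    cat <<'EOF'
sec:u:4096:1:AAAAAAAAAAAAAAAA:1375531200:::u:::scESC:::+:
uid:u::::1375531200::0000::Example User <user@example.invalid>:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1375531200::::::e:::+:
EOF
}

# Real use, with the key ID from the commands above:
#   gpg --list-secret-keys --with-colons 0x12345678 | check_offline_primary
sample_after_procedure | check_offline_primary && echo "primary key is offline"
```

The human-readable listing shows the same state as "sec#" instead of "sec" for the primary key.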