GPG keys for multiple email accounts

Peter Lebbing peter at
Mon Jul 8 11:00:29 CEST 2013

On 07/07/13 18:50, Hauke Laging wrote:
> If you want to be sure you may create the mainkey without the flag for 
> encryption (--expert --gen-key).

The keys GnuPG creates by default have signature and certification capabilities
on the primary key and encryption on a subkey.

With an offline main key, it makes a lot of sense to move the signature
capability to a subkey (and /not/ have it on the primary key) ...

> But this would prevent you from using the mainkey as a high security key 
> (useful if you don't have a separate one).

... but advising to set encryption capability on the primary key goes against
the advice of not using one key for both encryption and signing.

Also, why not create the separate one if you don't have it? You wouldn't get the
certifications that are already on the other key, but you save yourself the
hassle of having multiple, active encryption-capable (sub)keys in one key and
people having to select one of those.

Just my 2 cents.
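The layouts discussed in this thread (signing/certifying on the primary key with encryption on a subkey, a certify-only primary with separate signing and encryption subkeys, or an --expert key whose primary can also encrypt) can be checked mechanically from GnuPG's machine-readable listing. The following is an added example and is not code from this thread or from GnuPG; it parses `gpg --list-keys --with-colons` output using the documented field positions (field 1 record type, 2 validity, 5 key ID, 7 expiry, 12 capabilities, where lowercase e/s/c/a are the key's own capabilities and uppercase letters on the pub record are the union over the whole key). The three sample listings, their key IDs and timestamps are constructed for the example.

```python
"""Audit the capability layout of an OpenPGP key from
`gpg --list-keys --with-colons` output (added example, not GnuPG code)."""
import subprocess
import sys
import time

# Constructed sample listings; key IDs, fingerprints and dates are made up.
# 1) GnuPG's default: primary key signs and certifies, one encryption subkey.
DEFAULT_LAYOUT = """\
pub:u:4096:1:A1B2C3D4E5F60001:1373270000:::u:::scESC::::::23::0:
fpr:::::::::0000000000000000A1B2C3D4E5F60001:
uid:u::::1373270000::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:
sub:u:4096:1:A1B2C3D4E5F60002:1373270000::::::e::::::23:
"""
# 2) Offline-primary layout: primary only certifies, signing and encryption on subkeys.
OFFLINE_PRIMARY_LAYOUT = """\
pub:u:4096:1:A1B2C3D4E5F60011:1373270000:::u:::cESC::::::23::0:
sub:u:4096:1:A1B2C3D4E5F60012:1373270000::::::s::::::23:
sub:u:4096:1:A1B2C3D4E5F60013:1373270000::::::e::::::23:
"""
# 3) --expert key whose primary also encrypts, plus two active encryption
#    subkeys and one expired one (validity 'e', expiry in the past).
ENC_PRIMARY_LAYOUT = """\
pub:u:4096:1:A1B2C3D4E5F60021:1373270000:::u:::escESC::::::23::0:
sub:u:4096:1:A1B2C3D4E5F60022:1373270000::::::e::::::23:
sub:e:4096:1:A1B2C3D4E5F60023:1360000000:1370000000:::::e::::::23:
sub:u:4096:1:A1B2C3D4E5F60024:1373270000::::::e::::::23:
"""


def parse_colons(text):
    """Return the pub/sub records of a --with-colons listing as dicts."""
    recs = []
    for line in text.splitlines():
        f = line.split(":")
        if len(f) < 12 or f[0] not in ("pub", "sub"):
            continue  # fpr/uid/sig records are not needed for the audit
        recs.append({
            "type": f[0],
            "validity": f[1],
            "keyid": f[4],
            "expires": int(f[6]) if f[6].isdigit() else None,
            "caps": f[11],
        })
    return recs


def is_active(rec, now):
    """A (sub)key counts as active unless revoked, expired, invalid or disabled."""
    if rec["validity"] in ("r", "e", "i"):
        return False
    if "D" in rec["caps"]:  # 'D' in the capability field marks a disabled key
        return False
    if rec["expires"] is not None and rec["expires"] <= now:
        return False
    return True


def audit_key(text, now=None):
    """Report how the capabilities are spread over primary key and subkeys."""
    now = int(time.time()) if now is None else now
    recs = parse_colons(text)
    if not recs or recs[0]["type"] != "pub":
        raise ValueError("listing does not start with a pub record")
    primary = recs[0]
    active_subs = [r for r in recs[1:] if r["type"] == "sub" and is_active(r, now)]
    enc_subs = [s["keyid"] for s in active_subs if "e" in s["caps"]]
    sign_subs = [s["keyid"] for s in active_subs if "s" in s["caps"]]

    findings = []  # (code, human-readable message)
    if "e" in primary["caps"]:
        findings.append(("primary_can_encrypt",
                         "primary key is encryption-capable: one key for both signing and encryption"))
    if "s" in primary["caps"]:
        findings.append(("primary_can_sign",
                         "signing capability sits on the primary key; with an offline primary, move it to a subkey"))
    if len(enc_subs) > 1:
        findings.append(("multiple_encryption_subkeys",
                         "several active encryption subkeys (%s): correspondents must choose one" % ", ".join(enc_subs)))
    if not enc_subs and "e" not in primary["caps"]:
        findings.append(("no_encryption_key", "no active encryption-capable key at all"))
    return {
        "primary_keyid": primary["keyid"],
        "primary_caps": primary["caps"],
        "encryption_subkeys": enc_subs,
        "signing_subkeys": sign_subs,
        "findings": findings,
    }


def audit_live_key(keyid):
    """Run the audit against a key in the local keyring (requires gpg on PATH)."""
    out = subprocess.run(["gpg", "--list-keys", "--with-colons", keyid],
                         check=True, capture_output=True, text=True).stdout
    return audit_key(out)


if __name__ == "__main__":
    samples = [("default", DEFAULT_LAYOUT), ("offline-primary", OFFLINE_PRIMARY_LAYOUT),
               ("encrypting-primary", ENC_PRIMARY_LAYOUT)]
    if len(sys.argv) > 1:  # audit a real key instead of the constructed samples
        samples = [(sys.argv[1], None)]
    for name, listing in samples:
        report = audit_live_key(name) if listing is None else audit_key(listing, now=1373270000)
        print("%s: primary caps=%s enc subkeys=%s sign subkeys=%s" % (
            name, report["primary_caps"], report["encryption_subkeys"], report["signing_subkeys"]))
        for code, msg in report["findings"]:
            print("  [%s] %s" % (code, msg))
```

Run without arguments to see the three constructed layouts audited; pass a key ID to audit a key from your own keyring. Expired and revoked subkeys are deliberately excluded from the "multiple encryption subkeys" count, since only the active ones are offered to a correspondent for selection.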


