Several master keys vs. master key and subkeys
biggles.trenton at gmail.com
Tue Jul 16 12:21:20 CEST 2013
On 2013-07-16 10:52, gnupg-users-request at gnupg.org wrote:
> Message: 2
> Date: Tue, 16 Jul 2013 10:09:38 +0200
> From: Werner Koch <wk at gnupg.org>
> To: Martin <martin.brochhaus at gmail.com>
> Cc: gnupg-users at gnupg.org
> Subject: Re: Several master keys vs. master key and subkeys
> Message-ID: <87k3krj58d.fsf at vigenere.g10code.de>
> Content-Type: text/plain; charset=us-ascii
> On Tue, 16 Jul 2013 01:16, martin.brochhaus at gmail.com said:
>> This person claims that subkeys are not the best option because:
>> Any reasons why I should stick to GPG's "native" subkey feature?
> Yes, because that is a core concept of OpenPGP.
Sorry if this is wordy, but I want to make sure I cover most details.. :)
I thought I had grasped the concept of all various key parts, but now
I'm getting a bit unsure..
A GnuPG key has a private key and a public key. When you first create
it, you get these two parts, and a different kind of "keys", a primary
key (usage: SC), and a sub key for encryption (usage: E).
You can add and revoke sub keys, as much as you want, as well as UIDs,
for when you change or add mail addresses, Jabber IDs, etc.
You can also make a version of your key where the primary key is deleted
and you have two sub keys, one for encryption (usage: E) and one for
signing (usage: S).
But so far, I've always thought that "changing password for a subkey"
was changing the password for, say like in the second example above? You
have a version B of your key, with a different password than version A
(where the primary key is still present)? Not that one particular subkey
per se has a different password?
If I were to create two different signing subkeys (usage:S), not sure
why, but still, I could give them different passwords?
If you _can_ assign a separate, different password to a particular
subkey, I assume it is done under --edit-key, but how?
Just for the record, I use GnuPG 1.4.13 on Windows XP and Linux Mint 14
Nadia. I tend to use commandline 90% of the time, but for text snippets
on my work PC, I also use Cryptophane. On my work PC I run it locally
(local.bat with set GNUPGHOME=.) from inside a mounted TrueCrypt volume.
Cryptophane is also set to 'no-config'.
I have four versions of my key (RSA):
1. "Main key", which is only stored offline, and which contains primary
key and all past and present subkeys, including revoked ones. (None so
far). This key has passphrase A.
2. The key I use, which is kept inside the TrueCrypt file mentioned
above. It has my current subkeys for encryption and signing, but not the
primary key. This key has passphrase B.
3. A travel key, basically GnuPG 1.4.13 and Cryptophane on a USB
thumbdrive. It only has my public key.
4. Same as 3. on my work mobile, using Android and APG 0.8. Only public
The reason for 3 and 4 is that I discovered that during the day, I more
often want to _encrypt_ something to myself, a file or a short piece of
text, in various situations. It can be before uploading a diary note or
a customer file to Dropbox or pretty much just anything. Decryption
happens later, when at my desk or in more secure environments, using key
This is also based on something that may have been acknowledged on this
list more than once; That at the end of the day, you encrypt to yourself
much more often than you do to other people, who can't be bothered with
encryption anyway. ;)
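The split the post describes, an offline "key 1" holding the primary key and a daily-use "key 2" holding only the secret subkeys, as an added example that is not part of the original post or of GnuPG's own documentation. It assumes GnuPG 2.1 or later is on PATH as `gpg` (the poster runs 1.4, where `--gen-key --batch`, `--export-secret-subkeys` and `--import` exist with the same meaning but no gpg-agent is involved). The parameter file, names and addresses are constructed for the example; `%no-protection` leaves the generated key without a passphrase so the script runs without a pinentry prompt.

```shell
#!/bin/sh
# Added example (not from the original post). Build a key with a primary
# key (usage SC) and an encryption subkey (usage E), then derive a second
# keyring that holds only the secret subkeys. Assumes GnuPG >= 2.1 as "gpg".
set -u
export LC_ALL=C

# Constructed, unattended key-generation parameters (hypothetical user).
# %no-protection: no passphrase, so nothing prompts; a real key gets one.
gen_params() {
    cat <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 2048
Subkey-Usage: encrypt
Name-Real: Example User
Name-Email: user@example.invalid
Expire-Date: 0
%commit
EOF
}

# Run gpg against one home directory, non-interactively.
g() {
    _home=$1; shift
    gpg --homedir "$_home" --batch --no-tty --quiet "$@"
}

# Fingerprint of the first primary key in a home directory (colon field 10).
primary_fpr() {
    g "$1" --with-colons --list-keys | awk -F: '$1=="fpr"{print $10; exit}'
}

# First word of the primary secret key line: "sec" when the primary secret
# key is present, "sec#" when gpg only holds a stub for it.
primary_sec_tag() {
    g "$1" --list-secret-keys | awk '/^sec/{print $1; exit}'
}

# Number of usable secret subkeys ("ssb " lines, i.e. not "ssb#").
secret_subkey_count() {
    g "$1" --list-secret-keys | grep -c '^ssb '
}

# Creates both keyrings in temporary home directories and prints
# "<offline sec tag> <daily sec tag> <daily ssb count>", then cleans up.
split_key_demo() {
    offline=$(mktemp -d) || return 1
    daily=$(mktemp -d) || return 1
    chmod 700 "$offline" "$daily"

    # Key 1: primary key plus encryption subkey, both secret parts present.
    gen_params | g "$offline" --gen-key
    fpr=$(primary_fpr "$offline")

    # Key 2: export the secret subkeys only; the primary secret key is
    # replaced by a stub, and import that into a separate home directory.
    g "$offline" --export-secret-subkeys "$fpr" > "$daily/subkeys.gpg"
    g "$daily" --import "$daily/subkeys.gpg"

    printf '%s %s %s\n' "$(primary_sec_tag "$offline")" \
                        "$(primary_sec_tag "$daily")" \
                        "$(secret_subkey_count "$daily")"

    # Stop the agents gpg started for the temporary homes, then remove them.
    GNUPGHOME=$offline gpgconf --kill gpg-agent 2>/dev/null || true
    GNUPGHOME=$daily gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$offline" "$daily"
}

split_key_demo
```

The listing for the offline copy starts with `sec`, the daily copy with `sec#` (primary secret key absent) followed by an `ssb` line for the encryption subkey. To give the daily copy its own passphrase, the poster's "passphrase B", run `gpg --homedir DAILY --edit-key FPR` and use `passwd` there: `--edit-key` has no per-subkey passphrase command, `passwd` re-encrypts every secret key part held in that keyring at once, and the offline copy, being a separate keyring, keeps its own passphrase.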