GPG keys for multiple email accounts

atair atair04 at googlemail.com
Fri Jul 26 02:33:51 CEST 2013


This topic is not yet solved for me, sorry for the long inactivity...

I tried the following approach, which is inspired by the Debian hints [1][2].
[1] http://keyring.debian.org/creating-key.html
[2] http://wiki.debian.org/subkeys

# preparing clean environment for testing
$ mkdir /data/tmp/todel/gpghome-todelete
$ export GNUPGHOME=/data/tmp/todel/gpghome-todelete
$ gpg2 -k
gpg: keyring `/data/tmp/todel/gpghome-todelete/pubring.gpg' created
gpg: /data/tmp/todel/gpghome-todelete/trustdb.gpg: trustdb created
$ gpg2 -K
gpg: keyring `/data/tmp/todel/gpghome-todelete/secring.gpg' created

# create a sign-only key first, and then add another signing key and
# another encryption key
$ gpg2 --gen-key
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 3
DSA keys may be between 1024 and 3072 bits long.
What keysize do you want? (2048) 3072
Requested keysize is 3072 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at 2015-07-26T01:51:16 CEST
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Test Key
Email address:
Comment:
You selected this USER-ID:
    "Test Key"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

gpg: problem with the agent: Not implemented
// * what does/should this tell me? * //
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: WARNING: some OpenPGP programs can't handle a DSA key with this digest size
gpg: key CDFD0D80 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2015-07-25
pub   3072D/CDFD0D80 2013-07-25 [expires: 2015-07-25]
      Key fingerprint = 6FF6 3569 1EEC F4D7 6D33  5B4F 8F37 FCE1 CDFD 0D80
uid                  Test Key

Note that this key cannot be used for encryption.  You may want to use
the command "--edit-key" to generate a subkey for this purpose.
$ gpg2 --edit-key CDFD0D80
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  3072D/CDFD0D80  created: 2013-07-25  expires: 2015-07-25  usage: SC
                     trust: ultimate      validity: ultimate
[ultimate] (1). Test Key

Command> addkey
Key is protected.

You need a passphrase to unlock the secret key for
user: "Test Key"
3072-bit DSA key, ID CDFD0D80, created 2013-07-25

Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
Your selection? 5
ELG keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2w
Key expires at 2013-08-09T01:54:07 CEST
Is this correct? (y/N) y
Really create? (y/N) y
gpg: problem with the agent: Not implemented
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

pub  3072D/CDFD0D80  created: 2013-07-25  expires: 2015-07-25  usage: SC
                     trust: ultimate      validity: ultimate
sub  4096g/52C7F578  created: 2013-07-25  expires: 2013-08-08  usage: E
[ultimate] (1). Test Key

Command> addkey
Key is protected.

You need a passphrase to unlock the secret key for
user: "Test Key"
3072-bit DSA key, ID CDFD0D80, created 2013-07-25

Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
Your selection? 3
DSA keys may be between 1024 and 3072 bits long.
What keysize do you want? (2048) 3072
Requested keysize is 3072 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 20d
Key expires at 2013-08-15T01:56:58 CEST
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: WARNING: some OpenPGP programs can't handle a DSA key with this digest size

pub  3072D/CDFD0D80  created: 2013-07-25  expires: 2015-07-25  usage: SC
                     trust: ultimate      validity: ultimate
sub  4096g/52C7F578  created: 2013-07-25  expires: 2013-08-08  usage: E
sub  3072D/FC9E4EAC  created: 2013-07-25  expires: 2013-08-14  usage: S
[ultimate] (1). Test Key

Command> save

# basically following the Debian instructions here
# in real life, this is where a switch from an offline to an online environment could happen
$ gpg2 --export CDFD0D80 > testkey.pub
$ gpg2 --export-secret-keys CDFD0D80 > testkey.prv
$ gpg2 --export-secret-subkeys 52C7F578! FC9E4EAC! > testkey.sub
$ gpg2 --delete-secret-keys CDFD0D80
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


sec  3072D/CDFD0D80 2013-07-25 Test Key

Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
# deletion has worked
$ gpg2 -k
/data/tmp/todel/gpghome-todelete/pubring.gpg
--------------------------------------------
pub   3072D/CDFD0D80 2013-07-25 [expires: 2015-07-25]
uid                  Test Key
sub   4096g/52C7F578 2013-07-25 [expires: 2013-08-08]
sub   3072D/FC9E4EAC 2013-07-25 [expires: 2013-08-14]

$ gpg2 -K
# importing also successful
$ gpg2 --import testkey.pub testkey.sub
gpg: key CDFD0D80: "Test Key" not changed
gpg: key CDFD0D80: secret key imported
gpg: key CDFD0D80: "Test Key" not changed
gpg: Total number processed: 2
gpg:              unchanged: 2
gpg:       secret keys read: 1
gpg:   secret keys imported: 1
$ gpg2 -k
/data/tmp/todel/gpghome-todelete/pubring.gpg
--------------------------------------------
pub   3072D/CDFD0D80 2013-07-25 [expires: 2015-07-25]
uid                  Test Key
sub   4096g/52C7F578 2013-07-25 [expires: 2013-08-08]
sub   3072D/FC9E4EAC 2013-07-25 [expires: 2013-08-14]

$ gpg2 -K
/data/tmp/todel/gpghome-todelete/secring.gpg
--------------------------------------------
sec#  3072D/CDFD0D80 2013-07-25 [expires: 2015-07-25]
uid                  Test Key
ssb   4096g/52C7F578 2013-07-25
ssb   3072D/FC9E4EAC 2013-07-25

# now check whether thunderbird+enigmail works
$ thunderbird
$ #in thunderbird+enigmail I choose "0xCDFD0D80" for an email account
$ #(1) in compose window I select "OpenPGP/sign"
$ #    and I have to enter the passphrase for "FC9E4EAC"
$ #    email gets sent and arrives with
$ #      "Good signature from Test Key \\Key ID: 0xCDFD0D80"
$ #(2) new email: this time check "OpenPGP/encrypt"
$ #    and I get an OpenPGP Alert:
$ #      "Send operation aborted. \\INV_RECP 0 0x782B2A766EE19DE0"
$ #    email is not sent

- What does this last alert tell me?
- Does this approach make sense? (I'm thinking of the suggested
--expert --gen-key option, for example)
- How do I add support for other email addresses with the same master
key? By creating sign/encrypt keys for each account?
- Additionally, something that I don't understand (or at least
expected differently) is that I only had to type the master key's
passphrase. What I want (if possible) is a long passphrase for the
master key and a shorter passphrase for the subkeys (for convenience
in daily use, etc.). What am I doing wrong or misunderstanding?

Thanks for your help,
-- atair
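Added example for this thread (not from the post or from GnuPG): a small parser for the machine-readable `gpg --list-keys --with-colons` format that reports which (sub)key has its own signing or encryption capability and is still unexpired on a given date. The embedded listing is constructed to mirror the key built above (DSA master with usage SC, Elgamal E subkey, DSA S subkey); the upper halves of the subkey IDs are placeholders because the post shows only short IDs.

```python
"""Which GnuPG (sub)keys can sign or encrypt on a given date, read from the
machine-readable `gpg --list-keys --with-colons` format.  Added example for
this thread; SAMPLE is a constructed listing, not captured gpg output."""
from datetime import date, datetime, timezone

# Constructed to mirror the key built in the post: DSA master (own caps "sc",
# whole-key caps "ESC"), Elgamal encrypt-only subkey, DSA sign-only subkey.
# Upper halves of the subkey IDs are placeholders (the post shows short IDs only).
SAMPLE = """\
pub:u:3072:17:8F37FCE1CDFD0D80:2013-07-25:2015-07-25::u:Test Key::scESC:
fpr:::::::::6FF635691EECF4D76D335B4F8F37FCE1CDFD0D80:
sub:u:4096:16:XXXXXXXX52C7F578:2013-07-25:2013-08-08:::::e:
sub:u:3072:17:XXXXXXXXFC9E4EAC:2013-07-25:2013-08-14:::::s:
"""

def parse_date(field):
    """Fields 6/7: '' = never expires; digits = seconds since epoch
    (gpg 2.1+ and --fixed-list-mode); otherwise YYYY-MM-DD (gpg 2.0)."""
    if not field:
        return None
    if field.isdigit():
        return datetime.fromtimestamp(int(field), timezone.utc).date()
    return date.fromisoformat(field)

def parse_keys(listing):
    """One dict per pub/sub/sec/ssb record; field 12 holds capability letters."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub", "sec", "ssb") or len(f) < 12:
            continue
        keys.append({"type": f[0], "bits": int(f[2]), "algo": int(f[3]),
                     "keyid": f[4][-8:], "created": parse_date(f[5]),
                     "expires": parse_date(f[6]), "caps": f[11]})
    return keys

def usable_for(keys, cap, on):
    """Short IDs of keys whose OWN capabilities (lowercase: s sign, e encrypt)
    include `cap` and that are neither disabled (D) nor expired on `on`.
    Uppercase letters only summarise the whole key and are ignored here."""
    return [k["keyid"] for k in keys
            if cap in k["caps"] and "D" not in k["caps"]
            and (k["expires"] is None or k["expires"] >= on)]

if __name__ == "__main__":
    keys = parse_keys(SAMPLE)
    for day in (date(2013, 7, 26), date(2013, 8, 9)):
        print(day, usable_for(keys, "s", day), usable_for(keys, "e", day))
```

gpg cannot encrypt to a recipient for whom it finds no valid, encryption-capable key, so a check like this is worth running before a short-lived encryption subkey lapses.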

More information about the Gnupg-users mailing list