First steps with GPG, am I off to a good start?

Hauke Laging mailinglisten at
Fri Oct 11 03:32:11 CEST 2013

On Fri 11.10.2013, 01:25:50, Robin Kipp wrote:

> Invoked addkey to generate a 2048 bit RSA sub key, with
> encryption and signing capabilities.

It seems to me that the more accepted recommendation here is to have separate 
subkeys for signing and encryption.

> 6. Exported all secret and public keys to a secure medium, also exported
> the secret sub keys.
> 7. Rebooted to my production system, imported the public keys and the
> secret subkeys.

> For public keys:
> MacBook-Pro:~ robin$ gpg --list-keys DC329876
> pub   2048R/DC329876 2013-10-10
> uid                  Robin Kipp <robin at>
> uid                  Robin Kipp <mlists at>
> uid                  Robin Kipp <robin at>
> sub   2048R/77DFFF08 2013-10-10 [expires: 2013-11-09]

I know of no good reason for creating a mainkey without an expiration date.

Furthermore it would be nice to have a UID without email address but with a 
comment which explains the security of the key. Something like

   "Robin Kipp (normal security level subkeys with offline mainkey)"

This should be explained in more detail in a key policy which you should make 
publicly available and put its URL into the self signatures (see 
--set-policy-url) for the UIDs (and maybe even the subkeys). You should also 
set your preferred key server in the selfsigs (--default-keyserver-url).

> since this may not be widely available on keyservers just yet

> Could someone on this list perhaps be so kind and see if I've
> made any mistakes?

One may call that the best sequence of steps but one... ;-)

Crypto for everyone:
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
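The following is an added example and is not part of the thread or Hauke's reply. It puts the advice above into two pieces: a parameter file for unattended `gpg --batch --gen-key` that gives the main key an expiration date and a separate sign-only subkey (the recommended layout rather than one combined sign+encrypt subkey), and a small audit that reads `gpg --with-colons --list-keys` output and flags exactly the two points raised in the reply: a main key without expiry and a subkey that is both signing- and encryption-capable. The names, addresses, timestamps, placeholder key IDs and both sample listings are constructed for the example; the "weak" listing is shaped like the key quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: a key-generation parameter file that
# follows the advice above (expiring main key, separate sign-only subkey), plus
# an audit of `gpg --with-colons --list-keys` output that flags the two issues
# raised in the reply. Names, addresses, dates and the listings are constructed.
set -u

# Emit a parameter file for `gpg --batch --gen-key`.
# $1 = real name, $2 = email, $3 = expiry (e.g. 2y). Key-Usage "cert" keeps the
# main key certify-only; batch mode creates one subkey, here sign-only; the
# encryption subkey is added afterwards with --quick-add-key (see usage note).
gen_params() {
    cat <<EOF
%echo Generating an expiring, certify-only main key with a sign-only subkey
Key-Type: RSA
Key-Length: 3072
Key-Usage: cert
Subkey-Type: RSA
Subkey-Length: 3072
Subkey-Usage: sign
Name-Real: $1
Name-Email: $2
Expire-Date: $3
%commit
EOF
}

# Audit a colon-format listing read from stdin. In that format field 1 is the
# record type, field 5 the key ID, field 7 the expiration (empty = never) and
# field 12 the capability letters (s = sign, e = encrypt, c = certify).
# Prints one line per finding and exits with the number of findings.
audit_keylisting() {
    awk -F: '
        $1 == "pub" && $7 == "" {
            print "FINDING: main key " $5 " has no expiration date"; n++
        }
        $1 == "sub" {
            caps = tolower($12)
            if (index(caps, "s") > 0 && index(caps, "e") > 0) {
                print "FINDING: subkey " $5 " is both signing- and encryption-capable"; n++
            }
        }
        END { exit n + 0 }
    '
}

# Constructed listing shaped like the key quoted in the thread: no expiry on the
# main key and a single subkey with usage "es".
SAMPLE_WEAK='pub:u:2048:1:DC329876:1381363200:::u:::scESC:
uid:u::::1381363200::UIDHASH-PLACEHOLDER::Robin Kipp <robin@example.invalid>:
sub:u:2048:1:77DFFF08:1381363200:1383955200:::::es:'

# Constructed listing of the recommended layout: expiring main key, one
# sign-only and one encrypt-only subkey (key IDs are placeholders).
SAMPLE_FIXED='pub:u:3072:1:AAAAAAAAAAAAAAAA:1381363200:1444435200::u:::scESC:
uid:u::::1381363200::UIDHASH-PLACEHOLDER::Robin Kipp (offline mainkey, normal security level subkeys):
sub:u:3072:1:BBBBBBBBBBBBBBBB:1381363200:1444435200:::::s:
sub:u:3072:1:CCCCCCCCCCCCCCCC:1381363200:1444435200:::::e:'

audit_weak()  { printf '%s\n' "$SAMPLE_WEAK"  | audit_keylisting; }
audit_fixed() { printf '%s\n' "$SAMPLE_FIXED" | audit_keylisting; }

# Stand-alone run: show the parameter file, then audit both listings.
gen_params "Robin Kipp" "robin@example.invalid" 2y
audit_weak  || echo "weak listing: $? finding(s)"
audit_fixed && echo "fixed listing: no findings"
```

To use the parameter file, write it out and run `gpg --batch --gen-key params`; batch mode creates only one subkey, so the encryption subkey is added afterwards with `gpg --quick-add-key <fingerprint> rsa3072 encr 2y` (GnuPG 2.1 or later). The policy and keyserver URLs from the reply are not parameter-file keys; they are given as `--set-policy-url` and `--default-keyserver-url` on the gpg command line while the self-signatures are being written. On a real key, pipe `gpg --with-colons --list-keys <keyid>` into `audit_keylisting` and treat a non-zero exit as the number of findings.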
