Is it possible to remove capabilities from an existing key?

Hauke Laging mailinglisten at
Thu Sep 12 00:16:45 CEST 2013

On Wed 11.09.2013, 23:42:30, Philip Jägenstedt wrote:
> My public key has the default capabilities sign and certify. I've seen
> that some people have only the certify capability in order to be able to
> keep the main key offline most of the time.

It's of limited use to make a former online mainkey an offline mainkey. You 
should create a completely new key (on a secure system).

> Is it technically possible to change the capabilities of an existing
> key, even if there's no way to do it via --edit-key?

May be possible (it surely would be with patching GnuPG) but is not necessary. 
It makes perfect sense to have signing (and even encryption) capability on an 
offline mainkey.

> If it's not possible, what would be the consequence of adding a subkey
> with the sign capability, which key would be used when both are
> available?

If there is a subkey then it is used always. I do not know though whether this 
is a direct effect (defined that way) or an indirect one: The creation date 
(and the selfsig date) of a subkey should always be after the creation date of 
the mainkey.

Crypto for everyone:
OpenPGP: 7D82 FB9F D25A 2CE4 5241 6C37 BF4B 8EEF 1A57 1DF5
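The setup the thread circles around (a certify-only primary key plus a separate signing subkey), and the claim that gpg then always picks the subkey for signing, can be checked end to end. The following script is an added example, not part of the original thread or of GnuPG's own documentation: it builds such a key in a throwaway GNUPGHOME, signs a file, and reads the VALIDSIG status line to see which key actually made the signature. It assumes GnuPG 2.1 or later (for `--quick-generate-key` and `--quick-add-key`), the user ID and message contents are constructed placeholders, and the function returns 2 rather than failing when gpg is not installed.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): certify-only primary key
# with a signing subkey, then check which key gpg selects for a signature.
# Assumes GnuPG >= 2.1. Returns 0 if the subkey signed, 1 otherwise,
# 2 if gpg is not available on this machine.
set -eu

demo_subkey_selection() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; skipping"; return 2; }

    # Isolated keyring so the demo never touches the real ~/.gnupg
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT

    # Primary key with the certify capability only (constructed user ID)
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Example User <user@example.invalid>' ed25519 cert never

    # Fingerprint of the primary key: first "fpr" record in colon output
    primary_fpr=$(gpg --batch --with-colons --list-keys 'user@example.invalid' \
                  | awk -F: '$1=="fpr"{print $10; exit}')

    # Add a subkey that carries the sign capability
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-add-key "$primary_fpr" ed25519 sign never

    # Second "fpr" record belongs to the subkey (pub, fpr, uid, sub, fpr)
    subkey_fpr=$(gpg --batch --with-colons --list-keys "$primary_fpr" \
                 | awk -F: '$1=="fpr"{n++; if (n==2) {print $10; exit}}')

    # Sign a constructed message, naming the PRIMARY key as the local user.
    # gpg resolves this to the best signing-capable key of that certificate.
    printf 'constructed test message\n' > "$GNUPGHOME/msg.txt"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --local-user "$primary_fpr" --detach-sign "$GNUPGHOME/msg.txt"

    # VALIDSIG <fpr-of-signing-key> ... [<primary-key-fpr>]: field 3 is the
    # key that actually produced the signature.
    signer_fpr=$(gpg --batch --status-fd 1 --verify \
                     "$GNUPGHOME/msg.txt.sig" "$GNUPGHOME/msg.txt" 2>/dev/null \
                 | awk '/^\[GNUPG:\] VALIDSIG/{print $3; exit}')

    echo "primary: $primary_fpr"
    echo "subkey:  $subkey_fpr"
    echo "signer:  $signer_fpr"

    if [ -n "$signer_fpr" ] && [ "$signer_fpr" = "$subkey_fpr" ] \
       && [ "$signer_fpr" != "$primary_fpr" ]; then
        echo "signature made by the subkey, as the thread states"
        return 0
    fi
    echo "unexpected: signature not made by the subkey"
    return 1
}

demo_subkey_selection
```

Appending `!` to the fingerprint in `--local-user` (for example `"$primary_fpr!"`) forces gpg to use exactly that key; without it, the `cert`-only primary cannot sign at all, so the subkey is the only candidate. The same check is useful after migrating a key offline: verify a fresh signature and confirm the VALIDSIG fingerprint is the subkey that stays on the online machine.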
