Is it possible to remove capabilities from an existing key?

Philip Jägenstedt philip at
Thu Sep 12 14:53:29 CEST 2013

On Thu, Sep 12, 2013 at 12:16 AM, Hauke Laging
<mailinglisten at> wrote:
> On Wed 11.09.2013, 23:42:30, Philip Jägenstedt wrote:
>> My public key has the default capabilities sign and certify. I've seen
>> that some people have only the certify capability in order to be able to
>> keep the main key offline most of the time.
> It's of limited use to make a former online mainkey an offline mainkey. You
> should create a completely new key (on a secure system).

Certainly, I can't take the master key offline and then pretend it has
never seen a computer with a network connection. I could have used
other terminology; what I'm actually considering is how to remove the
private master key from my laptop, so that if it's lost/stolen I only
need to revoke the subkeys.

>> Is it technically possible to change the capabilities of an existing
>> key, even if there's no way to do it via --edit-key?
> May be possible (it surely would be with patching GnuPG) but is not necessary.
> It makes perfect sense to have signing (and even encryption) capability on an
> offline mainkey.
>> If it's not possible, what would be the consequence of adding a subkey
>> with the sign capability, which key would be used when both are
>> available?
> If there is a subkey then it is used always. I do not know though whether this
> is a direct effect (defined that way) or an indirect one: The creation date
> (and the selfsig date) of a subkey should always be after the creation date of
> the mainkey.

On Thu, Sep 12, 2013 at 12:07 AM, Daniel Kahn Gillmor
<dkg at> wrote:
> i believe GnuPG uses the most-recently-updated subkey that it believes
> to have signing capability, unless you force the subkey in question via
> --local-user or --default-key with a ! suffix (see the "By key Id."
> section in gpg(1)).

You're both right, I've tested simply adding a subkey with the sign
capability, and that's the one that gpg used, even with the master key
available. In other words, it's perfectly possible to do what I wanted
without modifying the existing keys.

Philip Jägenstedt
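
As an added example (not part of the thread or of GnuPG itself): a small auditor for the output of `gpg --list-secret-keys --with-colons` that checks the setup discussed above, namely that the primary secret key is absent from the machine and which signing key is expected to be used. Field positions are taken from GnuPG's doc/DETAILS; the sample listing, key IDs, and the `audit` function name are constructed, and the selection rule is an assumption based on the replies quoted above.

```python
# Added example: audit `gpg --list-secret-keys --with-colons` output.
# Field positions follow GnuPG's doc/DETAILS; all key IDs are constructed.
SAMPLE = """\
sec:u:2048:1:1111111111111111:1325376000:::u:::scESC:::#:
uid:u::::1325376000::0000::Example User <user@example.org>:
ssb:u:2048:1:2222222222222222:1325376000::::::e:::+:
ssb:r:2048:1:4444444444444444:1388534400::::::s:::+:
ssb:u:2048:1:3333333333333333:1378944000::::::s:::+:
"""

def audit(listing):
    """Return (primary_secret_present, expected_signer, warnings) for one key."""
    primary_present, primary_signer, subkeys, warnings = False, None, [], []
    for line in listing.splitlines():
        f = line.split(":") + [""] * 15          # pad short records
        rec, validity, keyid, created = f[0], f[1], f[4], f[5]
        caps, token = f[11], f[14]
        if rec not in ("sec", "ssb"):
            continue
        has_secret = token != "#"                # '#' = stub, secret part absent
        usable = validity not in ("r", "e", "i") and "D" not in caps
        can_sign = "s" in caps and has_secret and usable
        if rec == "sec":
            primary_present = has_secret
            primary_signer = keyid if can_sign else None
            if has_secret:
                warnings.append(f"primary secret key {keyid} is on this machine")
        elif can_sign:
            subkeys.append((int(created), keyid))
    # Assumption taken from the thread: a usable signing subkey wins over the
    # primary key, and the newest one is chosen (approximated by creation time).
    signer = max(subkeys)[1] if subkeys else primary_signer
    if signer is None:
        warnings.append("no usable signing key on this machine")
    return primary_present, signer, warnings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A revoked or expired signing subkey is skipped even when it is the newest one, which is why the sample resolves to the 2013 subkey rather than the later revoked one.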
