Multiple Subkey Pairs

Leo Gaspard ekleog at
Thu Mar 13 19:48:53 CET 2014

On Thu, Mar 13, 2014 at 07:25:46PM +0100, Martin Behrendt wrote:
> One use case would be, if you use portable thunderbird only those
> encrypted messages get compromised which can be decrypted by the local
> key and which were composed in a certain time-frame. On my side, I
> still can read messages friend send me, which are only encrypted to
> e.g. make mass surveillance harder. But they don't have actual
> "important" content. On the other side, those friends of mine, more
> worried about the topic in general know how to only use my safer key.
> So the basic idea is, I'm always reachable via encryption but for
> insecure devices I have a short living key which I can change
> frequently while I still have a long term key out there which can more
> more trusted.
> I don't know if this makes much sense or if are there better ways. Or
> maybe thats a stupid problem to think about at all. I just thought
> about using gpg for multiple devices (especially insecure mobile ones)
> and approaches to increase the security. And now I want to see, what
> is technical possible and if there is a solution to it. If not maybe
> someone at least also starts thinking about the problem and comes up
> with a good solution.

Well... If you want to have messages sent to all machines by default, you can do
this way (signing subkeys as usual) :
 * Generate high-security encryption subkey to be used only on secure machines
 * Generate low-security encryption subkey to be shared amongst all machines
(Tinkering with timestamps could avoid the need to generate subkeys in this

By default (IIRC, not sure it's part of the standard though), all messages will
be sent to the latest enc subkey, thus to all machines. Someone who wants to
send secure messages can willingly encrypt to the other enc subkey.

In case of compromise, revoke the low-sec enc subkey and generate another, and
distribute it to the uncompromised machines.

Does that fit your needs?

Cheers & HTH,


More information about the Gnupg-users mailing list