different passwords for subkeys of the same masterkey

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Jan 21 03:36:49 CET 2015

On Mon 2015-01-12 10:13:48 -0500, s7r wrote:
> Is it possible to have one masterkey with two subkeys (sbind), one for
> encrypt only and one for sign only, and each of them to have different
> passphrases?

Yes, it is possible.  with gpg 2.1, you can create new subkeys and give
each of them a different passphrase.  I haven't tested with 1.4 or 2.0.

> Additionally, how can I select in enigmail which userID I want to sign
> when signing a key with multiple UserIDs? I do not want to sign the
> primary one. Enigmail just offers me the ability to 'sign key',
> nothing said about UserID, just lets me select either normal signature
> or local signature not exportable.

The thing that you're signing with is a key.  it's either your primary
key, or a signing-capable subkey.  Your User IDs are all associated with
your primary directly (and with your subkeys indirectly, through the
primary key).

The OpenPGP standard defines a way to embed the preferred user ID in a
given signature using a "signer's user ID" subpacket [0], but it has
several drawbacks:

 * i'm not sure how to do it in GnuPG, which enigmail relies on for the
   OpenPGP parts, and

 * it's not clear what a receiving MUA should do with that information,
   even if it was present.

So i don't think this is a feature request that makes a lot of sense,
really.  Can you explain more what you'd hope to gain from such a


[0] https://tools.ietf.org/html/rfc4880#section-

More information about the Gnupg-users mailing list