different passwords for subkeys of the same masterkey

s7r s7r at sky-ip.org
Wed Jan 21 11:58:40 CET 2015

Thank you very much for your reply.
Please see my comments below in the replied text:

On 1/21/2015 4:36 AM, Daniel Kahn Gillmor wrote:
> On Mon 2015-01-12 10:13:48 -0500, s7r wrote:
>> Is it possible to have one masterkey with two subkeys (sbind),
>> one for encrypt only and one for sign only, and each of them to
>> have different passphrases?
> Yes, it is possible.  with gpg 2.1, you can create new subkeys and
> give each of them a different passphrase.  I haven't tested with
> 1.4 or 2.0.
Understood. I guess this has to be done via console commands, since
the poor Enigmail Thunderbird addon has very limited options when
creating/editing a GPG key.

I have 2 masterkeys, each with a subkey. Any way I can merge them
together so I would have one primary key and 3 subkeys?

>> Additionally, how can I select in enigmail which userID I want to
>> sign when signing a key with multiple UserIDs? I do not want to
>> sign the primary one. Enigmail just offers me the ability to
>> 'sign key', nothing said about UserID, just lets me select either
>> normal signature or local signature not exportable.
> The thing that you're signing with is a key.  it's either your
> primary key, or a signing-capable subkey.  Your User IDs are all
> associated with your primary directly (and with your subkeys
> indirectly, through the primary key).

I guess my question was not clear - sorry about it. I can see multiple
flags for the keys: Sign, Encrypt, Certify. I guess the Certify flag
matters when signing another GPG key and Sign is used for signing text?

I have the public key of John Doe <john.doe at example.com>. He has more
UserIDs associated with the same masterkey, as follows:
John Doe <john.doe at example.com>
John Smith <john.smith at foo.com>
Bob Jones <bob.jones at test.net>
Primary UserID is John Doe <john.doe at example.com>

I want to sign this key, but just to confirm the UserID John Smith
<john.smith at foo.com> and not sign/certify his other UserIDs belonging
to the same key. Is this possible?

> The OpenPGP standard defines a way to embed the preferred user ID
> in a given signature using a "signer's user ID" subpacket [0], but
> it has several drawbacks:
> * i'm not sure how to do it in GnuPG, which enigmail relies on for
> the OpenPGP parts, and
> * it's not clear what a receiving MUA should do with that
> information, even if it was present.
> So i don't think this is a feature request that makes a lot of
> sense, really.  Can you explain more what you'd hope to gain from
> such a configuration?
> --dkg
> [0] https://tools.ietf.org/html/rfc4880#section-

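As an added example (not from this thread and not GnuPG's or Enigmail's own code), the walk below over a constructed OpenPGP public key shows why "sign key" is a coarse label: each certification signature sits directly behind one User ID packet and covers only that UID, so a certifier can vouch for John Smith's UID alone while the other UIDs carry only the owner's self-signatures. The key IDs, UIDs and packet bytes are constructed, and the parser assumes old-format packet headers (what gpg writes for key material) and subpacket lengths below the five-octet form.

```python
import struct
CERT_TYPES = {0x10, 0x11, 0x12, 0x13}  # RFC 4880 5.2.1: the four User ID certification types

def packets(data):
    """Yield (tag, body) per packet; old-format headers only, which is what gpg writes for keys."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]; pos += 1
        assert hdr & 0xC0 == 0x80 and hdr & 3 != 3, "old-format header with explicit length expected"
        tag, n = (hdr >> 2) & 0x0F, (1, 2, 4)[hdr & 3]   # tag in bits 5..2, length type in bits 1..0
        length = int.from_bytes(data[pos:pos + n], "big"); pos += n
        yield tag, data[pos:pos + length]
        pos += length

def subpackets(area):
    """Yield (type, body) from a subpacket area (RFC 4880 5.2.3.1); length counts the type octet."""
    pos = 0
    while pos < len(area):
        first = area[pos]; pos += 1
        assert first < 255, "five-octet subpacket lengths not handled here"
        length = first if first < 192 else ((first - 192) << 8) + area[pos] + 192
        pos += 1 if first >= 192 else 0
        yield area[pos] & 0x7F, area[pos + 1:pos + length]
        pos += length

def certifications(data):
    """Map each User ID to the issuer key IDs of the certifications covering it."""
    result, uid = {}, None
    for tag, body in packets(data):
        if tag == 13:                                  # User ID packet opens a new UID block
            uid = body.decode(); result.setdefault(uid, [])
        elif tag == 2 and uid and body[0] == 4 and body[1] in CERT_TYPES:
            hlen = struct.unpack(">H", body[4:6])[0]   # v4 sig: hashed then unhashed subpackets
            ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
            area = body[6:6 + hlen] + body[8 + hlen:8 + hlen + ulen]
            issuer = next((b.hex().upper() for t, b in subpackets(area) if t == 16), None)
            result[uid].append(issuer)                 # type 16 = Issuer key ID; None if absent
    return result

def _pkt(tag, body):                                   # old-format header with a one-byte length
    return bytes([0x80 | (tag << 2), len(body)]) + body
def _cert(issuer, sigtype=0x10):   # minimal v4 cert: ver 4, type, RSA, SHA-256, hashed len 10,
    return bytes([4, sigtype, 1, 8, 0, 10, 9, 16]) + issuer + b"\x00" * 5 + b"\x08\xFF"  # Issuer subpacket, unhashed len 0, hash left, MPI
OWNER, CERTIFIER = bytes.fromhex("0123456789ABCDEF"), bytes.fromhex("CAFEF00DCAFEF00D")  # constructed
SAMPLE_KEY = b"".join([_pkt(6, b"\x04\x54\xBF\x00\x00\x01\x00\x08\xFF"),   # primary key stub
    _pkt(13, b"John Doe <john.doe@example.com>"), _pkt(2, _cert(OWNER, 0x13)),
    _pkt(13, b"John Smith <john.smith@foo.com>"), _pkt(2, _cert(OWNER, 0x13)),
    _pkt(2, _cert(CERTIFIER)),                         # third-party certification on this UID only
    _pkt(13, b"Bob Jones <bob.jones@test.net>"), _pkt(2, _cert(OWNER, 0x13)),
])
```

Running `certifications(SAMPLE_KEY)` lists the constructed certifier's key ID under the John Smith UID only; the same walk over `gpg --export` output shows which UIDs of a real key a given certifier actually covered.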