different passwords for subkeys of the same masterkey
Werner Koch
wk at gnupg.org
Wed Jan 21 16:34:56 CET 2015
On Wed, 21 Jan 2015 11:58, s7r at sky-ip.org said:
> I have 2 masterkeys, each with a subkey. Any way I can merge them
> together so I would have one primary key and 3 subkeys?
With < 2.1 this is quite some work. With 2.1 it is easier. Here is an
example. First list the key with the subkey you want to copy:
--8<---------------cut here---------------start------------->8---
$ gpg -K --with-keygrip 13
sec rsa2048/F72E9C69 2015-01-21
Keygrip = ED60EEB08BEA7EFF7DD9E177576BA748CD65A932
uid [ unknown] Test user 13
ssb rsa2048/3CA551D2 2015-01-21
Keygrip = B511C4A66607FC68CDD382BC8A5024AED8BBE89F
--8<---------------cut here---------------end--------------->8---
Then edit the other key:
--8<---------------cut here---------------start------------->8---
$ gpg --edit-key 12
Secret key is available.
pub rsa2048/002D4B6C
created: 2015-01-21 expires: never usage: SC
trust: ultimate validity: unknown
sub rsa2048/0C099D87
created: 2015-01-21 expires: never usage: E
[ unknown] (1). Test user 12
--8<---------------cut here---------------end--------------->8---
Now enter the addkey command and select "Existing key"
--8<---------------cut here---------------start------------->8---
gpg> addkey
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(12) ECC (encrypt only)
(13) Existing key
Your selection? 13
Enter the keygrip: B511C4A66607FC68CDD382BC8A5024AED8BBE89F
--8<---------------cut here---------------end--------------->8---
The keygrip you entered is the one from the subkey. Now gpg-agent does
not store the key flags - you have to set them yourself:
--8<---------------cut here---------------start------------->8---
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? s
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Encrypt
(S) Toggle the sign capability
(E) Toggle the encrypt capability
(A) Toggle the authenticate capability
(Q) Finished
Your selection? q
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
pub rsa2048/002D4B6C
created: 2015-01-21 expires: never usage: SC
trust: ultimate validity: unknown
sub rsa2048/0C099D87
created: 2015-01-21 expires: never usage: E
sub rsa2048/B348AB71
created: 2015-01-21 expires: never usage: E
[ unknown] (1). Test user 12
gpg> save
--8<---------------cut here---------------end--------------->8---
After the "save" command you are done. Now check what happened:
--8<---------------cut here---------------start------------->8---
$ gpg -K --with-keygrip 12 13
sec rsa2048/002D4B6C 2015-01-21
Keygrip = 1CEAA2DB62271554D78F62CC9B0F1DBB261A059C
uid [ unknown] Test user 12
ssb rsa2048/0C099D87 2015-01-21
Keygrip = 80142CB717FABD2924F8B27B37779FF557B82D38
ssb rsa2048/B348AB71 2015-01-21
Keygrip = B511C4A66607FC68CDD382BC8A5024AED8BBE89F
sec rsa2048/F72E9C69 2015-01-21
Keygrip = ED60EEB08BEA7EFF7DD9E177576BA748CD65A932
uid [ unknown] Test user 13
ssb rsa2048/3CA551D2 2015-01-21
Keygrip = B511C4A66607FC68CDD382BC8A5024AED8BBE89F
--8<---------------cut here---------------end--------------->8---
The key of test user 12 now has an additional subkey and that subkey is
the same as the subkey from key 13 (compare the keygrips).
Note that the keyids are still different. The reason for this is that
the key id also depends on the creation date. To fix this you could
have figured out the full creation time of the key (using --with-colons)
and invoked gpg like
gpg --faked-system-time 20150121T123456 --edit-key 12
> flags for the keys: Sign, Encrypt, Certify. I guess the Certify flag
> matters when signing another GPG key and Sign is used for signing text?
It is basically ignored. Only the primary key can be used to sign
(certify) user ids or subkeys.
Shalom-Salam,
Werner
--
Thoughts are free. Exceptions are governed by a federal law.
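The two observations in the message above (the copied subkey keeps its keygrip but gets a new key ID, and `--faked-system-time` with the original creation time would make the IDs match) can be checked offline. The following is an added example, not code from Werner's message or from GnuPG itself. It computes the OpenPGP v4 fingerprint as RFC 4880 section 12.2 defines it (SHA-1 over 0x99, a two-byte length, then version, creation time, algorithm and the MPIs), derives gpg's short and long key IDs from it, and computes an RSA keygrip as SHA-1 over the modulus. The modulus is a constructed 2048-bit integer, not a real key; the function names are mine; and the leading-zero handling in `rsa_keygrip` follows libgcrypt's two's-complement MPI encoding, which I treat as an assumption rather than something the message states.

```python
"""Key ID depends on the creation time; the keygrip does not.

v4 fingerprint (RFC 4880 section 12.2):
    SHA-1( 0x99 || len(body) || body )
    body = 0x04 || creation_time(4 bytes) || algo(1 byte) || MPI(n) || MPI(e)
Long key ID  = low 64 bits of the fingerprint (gpg's "long" form).
Short key ID = low 32 bits (the F72E9C69-style IDs in gpg's listing).
"""
import hashlib
from datetime import datetime, timezone

RSA_ALGO = 1  # OpenPGP public-key algorithm id for RSA (RFC 4880 section 9.1)


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then the value."""
    bits = value.bit_length()
    return bits.to_bytes(2, "big") + value.to_bytes((bits + 7) // 8, "big")


def v4_fingerprint(n: int, e: int, creation_time: int) -> str:
    """Hex v4 fingerprint of an RSA public key with the given creation epoch."""
    body = (bytes([4]) + creation_time.to_bytes(4, "big")
            + bytes([RSA_ALGO]) + mpi(n) + mpi(e))
    packet = b"\x99" + len(body).to_bytes(2, "big") + body
    return hashlib.sha1(packet).hexdigest().upper()


def long_key_id(fingerprint_hex: str) -> str:
    return fingerprint_hex[-16:]


def short_key_id(fingerprint_hex: str) -> str:
    return fingerprint_hex[-8:]


def rsa_keygrip(n: int) -> str:
    """SHA-1 over the modulus only, so the creation time plays no part.

    Assumption: libgcrypt hashes n in its two's-complement ("STD") MPI form,
    which prepends 0x00 when the top bit is set. Real moduli always have it set.
    """
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return hashlib.sha1(raw).hexdigest().upper()


def faked_system_time(epoch: int) -> str:
    """Format a creation epoch (field 6 of a --with-colons sec/ssb line)
    the way --faked-system-time expects it: YYYYMMDDThhmmss in UTC."""
    return datetime.fromtimestamp(epoch, timezone.utc).strftime("%Y%m%dT%H%M%S")


# Constructed key material: NOT a real RSA key, just a 2048-bit odd integer
# with its top bit set so the MPI and keygrip encodings behave like a modulus.
CONSTRUCTED_N = (int.from_bytes(hashlib.sha256(b"constructed modulus").digest() * 8, "big")
                 | (1 << 2047) | 1)
CONSTRUCTED_E = 65537


def compare_creation_times(creation_a: int, creation_b: int) -> dict:
    """Same key material, two creation times: report what changes and what does not."""
    fp_a = v4_fingerprint(CONSTRUCTED_N, CONSTRUCTED_E, creation_a)
    fp_b = v4_fingerprint(CONSTRUCTED_N, CONSTRUCTED_E, creation_b)
    return {
        "short_id_a": short_key_id(fp_a),
        "short_id_b": short_key_id(fp_b),
        "same_key_id": long_key_id(fp_a) == long_key_id(fp_b),
        "same_keygrip": rsa_keygrip(CONSTRUCTED_N) == rsa_keygrip(CONSTRUCTED_N),
        "faked_time_to_reproduce_a": faked_system_time(creation_a),
    }


if __name__ == "__main__":
    # 1421843696 is 2015-01-21 12:34:56 UTC, the time used in the message's example.
    result = compare_creation_times(1421843696, 1421843696 + 3600)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it and the two short IDs differ while `same_keygrip` stays true, which is exactly what the `gpg -K --with-keygrip` listing above shows for key 12's new subkey versus key 13's subkey. `faked_time_to_reproduce_a` is the string to hand to `--faked-system-time` so that `addkey` stamps the copied subkey with its original creation time and the key IDs come out identical.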