Master Key Best Practice with SmartCard

Andrew Gallagher andrewg at andrewg.com
Mon Jan 25 14:55:26 CET 2016


On 25/01/16 10:08, Antoine Michard wrote:
> 
> So I'm thinking what is best to do next:
> - Delete my useless first encryption subkey from my keyring and send an
> update to the key server.

Once you've published a subkey it stays published. Deleting a previously
published subkey only removes it from your local machine. It won't stop
others from finding it on the keyservers and trying to use it.

If you want to explicitly mark a subkey as "do not use" (but you do not
believe that it has been compromised), then give it an expiration date
of yesterday and republish. There's no particular reason to delete your
local copy of the subkey (and there may be very good reasons not to,
e.g. old encrypted data).

NB expiration can be undone, but revocation cannot.

(Remembering our previous conversation, you may instead want to expire
your smartcard encryption subkey, and copy the other encryption subkey
to the smartcard - but only if you have made a decrypted copy of all
your sensitive data first.)

> - Recreate a new master key with only the cert role, create all my subkeys
> (S E A) and copy them to my Smart Card.

If there's nothing wrong with your primary key there's no need to make a
new one. I personally don't think having an extra usage flag counts as
sufficiently "wrong" (so long as it's not "E"!). It may not be neat and
tidy, but modern implementations should happily verify/auth against
multiple subkeys. My current primary key has S,C,A usage and the S,A
subkeys haven't caused me any issues so far.

A

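The distinction the reply draws (a deleted subkey is still on the keyservers; an expired subkey is declined by correspondents' software but can be revived by its owner; a revoked one is gone for good) can be checked against what GnuPG actually publishes. The script below is an added example, not code from the message above or from GnuPG: it parses the colon-delimited listing produced by `gpg --with-colons --list-keys` (field positions per GnuPG's doc/DETAILS), classifies every subkey as usable, expired, revoked or disabled, and picks the encryption subkey a sender would use. The listing embedded in it is constructed, not a real key, and the "newest usable subkey wins" selection rule is an assumption modelled on GnuPG's default preference, not a quotation of its code.

```python
"""Classify subkeys from `gpg --with-colons --list-keys` output.

Added example; not code from the original message or from GnuPG itself.
Field positions follow GnuPG's doc/DETAILS for the colon listing format.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Time of the post: Mon 25 Jan 2016 14:55:26 CET, i.e. 13:55:26 UTC.
NOW_POST = 1453730126

# Constructed sample listing (not a real key). The primary carries S, C and A
# usage, as described in the reply. Encryption subkey 1111... was given an
# expiration date of 24 Jan 2016 00:00 UTC ("yesterday" relative to NOW_POST),
# 2222... was revoked, 3333... is the current encryption subkey and 4444...
# is an S,A subkey. An empty expiry field means the key does not expire.
SAMPLE_LISTING = """\
tru::1:1453730126:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:1420070400:::u:::scaSCA::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAA0123456789ABCDEF:
uid:u::::1420070400::0123456789ABCDEF0123456789ABCDEF01234567::Example User <user@example.com>::::::::::0:
sub:e:4096:1:1111111111111111:1420070400:1453593600:::::e::::::23:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBB1111111111111111:
sub:r:4096:1:2222222222222222:1420070400::::::e::::::23:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCC2222222222222222:
sub:u:4096:1:3333333333333333:1440000000::::::e::::::23:
fpr:::::::::DDDDDDDDDDDDDDDDDDDDDDDD3333333333333333:
sub:u:4096:1:4444444444444444:1440000000::::::sa::::::23:
fpr:::::::::EEEEEEEEEEEEEEEEEEEEEEEE4444444444444444:
"""

# 0-based indexes of the fields used below (pub/sub records, and fpr records).
F_VALIDITY, F_KEYID, F_CREATED, F_EXPIRES, F_CAPS = 1, 4, 5, 6, 11
F_FPR = 9


@dataclass
class Subkey:
    keyid: str
    validity: str          # GnuPG's verdict at listing time: r=revoked, e=expired, d=disabled, ...
    caps: str              # capability letters: e, s, a, c
    created: int
    expires: Optional[int]  # epoch seconds, or None if it never expires
    fingerprint: str = ""

    def status(self, now: int) -> str:
        """Revocation is permanent and time-independent; expiry is recomputed
        from the timestamp so the same key can be inspected at different
        points in time (an owner can push the date forward and republish)."""
        if self.validity == "r":
            return "revoked"
        if self.validity == "d":
            return "disabled"
        if self.expires is not None and self.expires <= now:
            return "expired"
        return "usable"


@dataclass
class Key:
    keyid: str
    caps: str
    fingerprint: str = ""
    subkeys: List[Subkey] = field(default_factory=list)


def parse_listing(text: str) -> List[Key]:
    """Build Key objects from --with-colons output. An fpr record always
    follows the pub or sub record it belongs to, so attach it to the last one."""
    keys: List[Key] = []
    last = None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub" and len(f) > F_CAPS:
            last = Key(keyid=f[F_KEYID], caps=f[F_CAPS])
            keys.append(last)
        elif f[0] == "sub" and keys and len(f) > F_CAPS:
            raw_exp = f[F_EXPIRES]
            last = Subkey(keyid=f[F_KEYID], validity=f[F_VALIDITY], caps=f[F_CAPS],
                          created=int(f[F_CREATED]),
                          expires=int(raw_exp) if raw_exp and raw_exp != "0" else None)
            keys[-1].subkeys.append(last)
        elif f[0] == "fpr" and last is not None and len(f) > F_FPR:
            last.fingerprint = f[F_FPR]
    return keys


def subkeys_for(key: Key, cap: str, now: int) -> Dict[str, List[str]]:
    """Group key ids of the subkeys carrying capability `cap` by status."""
    out: Dict[str, List[str]] = {"usable": [], "expired": [], "revoked": [], "disabled": []}
    for sub in key.subkeys:
        if cap in sub.caps:
            out[sub.status(now)].append(sub.keyid)
    return out


def pick_encryption_subkey(key: Key, now: int) -> Optional[str]:
    """Assumed selection rule (modelled on GnuPG's default): the newest
    usable subkey with the 'e' capability, or None if there is none."""
    cands = [s for s in key.subkeys if "e" in s.caps and s.status(now) == "usable"]
    return max(cands, key=lambda s: s.created).keyid if cands else None


def report(text: str, now: int) -> List[str]:
    """Human-readable summary, one line per key/subkey."""
    lines: List[str] = []
    for key in parse_listing(text):
        lines.append(f"pub {key.keyid} caps={key.caps}")
        for sub in key.subkeys:
            lines.append(f"  sub {sub.keyid} caps={sub.caps} {sub.status(now)}")
        lines.append(f"  encrypt to: {pick_encryption_subkey(key, now) or 'no usable encryption subkey'}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LISTING, NOW_POST)))
```

To run it against a real key, replace `SAMPLE_LISTING` with the output of `gpg --with-colons --list-keys <keyid>`; the expired subkey shows up with validity `e` and its timestamp, which is exactly what a correspondent's GnuPG sees after the republished key is refreshed from the keyserver.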