Migrating key to smartcard
Damien Goutte-Gattat
dgouttegattat at incenp.org
Wed Jul 6 10:25:58 CEST 2016
On 07/05/2016 09:27 PM, Karol Babioch wrote:
>> No, only the master key can sign other keys.
>
> Is this a limitation of GPG and my premises or is this something
> inherent to the OpenPGP standard?
According to the standard, any key with the "Certify" flag set can be
used to sign other keys. And unless I'm mistaken, the standard does not
explicitly restrict this flag to master keys only.
So, I guess it should be possible (at least in theory) to have a subkey
with this flag, and to use it to sign other keys. But I don't think
GnuPG allows one to do that (or any other OpenPGP implementation).
> Storing the master key offline and having to import it whenever I want
> to sign other keys might actually decrease security, since it offers
> enough of a possibility to mess things up
True enough. In my case, I try to minimize the risk of human error by
using a script which automatically brings the key online (from its
offline USB storage), executes a single GnuPG command, then removes the
key again.
If you are interested, I've written a blog post [1] in which I give an
example of such a script.
Regards,
Damien
[1] https://incenp.org/notes/2015/using-an-offline-gnupg-master-key.html
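The procedure described in the reply above (bring the offline master key online, run exactly one GnuPG command, take the key offline again), as an added example script that is not Damien's script from [1] nor anything from the GnuPG project. It assumes GnuPG 2.1+ with `gpgconf`, an exported master secret key at the assumed path `$OFFLINE_KEY` on removable storage, and the everyday public keyring in the default `$HOME/.gnupg`. The master key is only ever imported into a throwaway `GNUPGHOME`, the command is checked against an allowlist of certification commands, and the temporary home is wiped even if a step fails.

```shell
#!/bin/sh
# Added example, not the script from Damien's blog post: run exactly one
# GnuPG key-management command with an offline master key, which is imported
# only into a throwaway GNUPGHOME and wiped afterwards.
# Assumptions: GnuPG 2.1+ with gpgconf; the exported master secret key lives
# at $OFFLINE_KEY (assumed path) on removable, normally unmounted storage;
# the everyday public keyring is the default one under $HOME/.gnupg.
set -eu

OFFLINE_KEY="${OFFLINE_KEY:-/media/offline/master-secret.asc}"  # assumed path

# Allowlist of certification commands. Anything else (signing data,
# decrypting, exporting secret keys) is refused, so the script stays a
# single-purpose tool rather than a general way to use the master key.
is_allowed_command() {
    case "$1" in
        --sign-key|--lsign-key|--quick-sign-key|--quick-lsign-key|--edit-key)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Throwaway home directory: the master key never touches the normal keyring.
make_temp_home() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/offline-gpg.XXXXXX")
    chmod 700 "$d"
    printf '%s\n' "$d"
}

# Stop the agent started for the temporary home, overwrite the files
# (shred is GNU coreutils; skipped if absent), then remove the directory.
wipe_temp_home() {
    [ -d "$1" ] || return 0
    command -v gpgconf >/dev/null 2>&1 && gpgconf --homedir "$1" --kill gpg-agent 2>/dev/null || true
    command -v shred >/dev/null 2>&1 && find "$1" -type f -exec shred -u {} + 2>/dev/null || true
    rm -rf "$1"
}

# run_with_offline_key CMD FINGERPRINT
# Return codes: 2 = command not allowed, 3 = offline key not reachable,
# 4 = target public key not in the everyday keyring.
run_with_offline_key() {
    cmd="$1"; target="$2"
    is_allowed_command "$cmd" || { echo "refusing: gpg $cmd" >&2; return 2; }
    [ -r "$OFFLINE_KEY" ] || { echo "offline key not available at $OFFLINE_KEY" >&2; return 3; }

    home=$(make_temp_home)
    trap 'wipe_temp_home "$home"' EXIT INT TERM

    # Bring the key online: secret master key plus the public key to certify.
    gpg --homedir "$home" --batch --quiet --import "$OFFLINE_KEY"
    gpg --batch --quiet --export "$target" > "$home/target.gpg"
    [ -s "$home/target.gpg" ] || {
        wipe_temp_home "$home"
        echo "no public key for $target in the everyday keyring" >&2
        return 4
    }
    gpg --homedir "$home" --batch --quiet --import "$home/target.gpg"

    # The single command (interactive for --edit-key, so no --batch here).
    gpg --homedir "$home" "$cmd" "$target"

    # Keep the new certification: export from the throwaway home back into
    # the everyday keyring, then take the master key offline again.
    gpg --homedir "$home" --batch --quiet --export "$target" | gpg --batch --quiet --import
    wipe_temp_home "$home"
}

# Usage: ./offline-certify.sh --quick-sign-key <fingerprint-of-key-to-certify>
if [ "${2-}" ]; then
    run_with_offline_key "$1" "$2"
fi
```

The allowlist is the part worth keeping even if the rest is adapted: the point of the script is that the master key is exposed for one certification command and nothing else, so a typo or a stray argument cannot turn it into a data-signing or secret-export run.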