GPG, subkeys smartcard and computer

Stefano Tranquillini stefano.tranquillini at
Fri Feb 17 12:31:07 CET 2017

Hi all,
I'm sort of new to GPG/PGP, I'm not new to the encryption/crypto world and
to computers, however, some concepts are yet not clear to me.

I can't get my head around on how to use GPG in the "correct" way to
guarantee the maximum result. That is: protect, at the best, my privacy and
also don't get the system too complicated.

The problems that I've are multiple, I'll try to summarize them here asking
for help. I've read the manual, but it's a bit outdated, and online I found
scattered information that does not always explain why some decision are

My ideal setup is:

   - Master generated on offline pc and stored in a cold storage
   - subkeys for the pc (main pc, that I use everyday) - i need
   (A)utenticate (E)encrypt (S)ign keys
   - subkeys for the smartcard - if I use a pc of someone else, and as
   backup for what is worth. (In the future I may switch to just the
   smartcard, removing the keys from pc, but I would like to have the keys on
   the pc for time being)
   - I would like to avoid moving the master ouside the offline pc/cold

Create the master:

I should create the master on a device that is not my primary one and that
is not online. It seems kind of freak approach to me, but I can understand
why. Once created, I backup it to a file which I store on a usb key or
somewhere outside of computers. With the master I can create, later,
subkeys for what I need and the revoke certificate in case of compromised
subkeys.  Other than the master key, do I've to export anything else (not
talking of subkeys yet, that's next topic)?

When creating the master, I've two possibility: (i) use the dafault setting
that results in a (SC) key or (ii) set it as only (C). The best solution
seems to be the second, right? (
tie-certification-with-sig). Is it worth to use that approach or, as of
today, the (i) is fine? I still don't get the full benefit of one or the
other solution

Create the subkey

With the master key I can create subkeys. I should do it from the offline
pc in which I created the key, or import the master in a pc and then create
the subkeys (it doesn't sound so safe though). Now:

   -  should each subkey be for only one scope (A) (S) (E) or is it fine if
      one key does  two or three scopes (ASE) or (SE)?
      - once subkeys are creted I've to export them and also their revoke
      certifications (do they have one)? correct?
      - I've a smartcard, but I've also a pc, should I create 6 subkeys, 2
      for A, 2 for S and 2 for E and move the 3 A S E to the yubikey and the
      other 3 to the pc?.
      - moving the keys on the smartcard is done via "keytocard" but to
      move the keys on the pc I've to export subkeys, will this export also the
      keys on the smartcard and then I'll need the smartcard to access some of
      those? how can I decide what to import where?
      - Do I've to rexport my public key or anything else to let the world
      know my subkeys?
      - Do I've to export anything else to achieve my scenario's goal?

Am I missing anything? Or is there anything that can guide me to achieving
my goals?

PS: Sorry for the long questions, but I can't find online something that
explains my scenario. Solutions are for base cases or for smart-card only.
Well, probably there's a guide, but I can't find it out.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20170217/3cc03fff/attachment.html>

More information about the Gnupg-users mailing list