export encryption (subkey) only?

[Lou Wynn]

Hi,

I'm developing a key management solution for an organization. For an
employee, I'd like to generate two keys: one for signing and the other
for encryption. In my proposed solution, the encryption key should be
backed up in an organizational central server for auditing purpose, and
the signing key is only accessible to an user without being saved in
another location. This means that I have to separate the encryption key
from the signing key.

However,  the current GPG makes the signing key the master key and the
encryption the subkey. PGP standard seems not to allow transfer a single
subkey (RFC4880 Section 11) because it is always preceded by the master key.

I tried to export an encryption subkey only with GPG2, but importing the
subkey also lists the primary key. The man page of
--export-secret-subkeys reads:

   The second form of the command has the special property to render the
   secret  part  of  the primary key useless; this is a GNU extension to
   OpenPGP and other implementations can not be expected to successfully
   import  such a key.  Its intended use is to generated a full key with
   an additional signing subkey on a dedicated machine  and  then  using
   this  command  to  export the key without the primary key to the main
   machine.

It means that although the primary key is imported and listed, it is not
usable.

Has anyone have experience with this and been able to confirm it?

I'm also thinking about making two separate master keys, and doing so
seems to make me avoid the confusion of master-subkeys and make the
solution more portable in different implementations.

What's your opinion?

-- 
Thanks,
Lou


-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20170102/87f48630/attachment.html>