export encryption (subkey) only?

Lou Wynn lewisurn at gmail.com
Mon Jan 2 19:27:35 CET 2017


I'm developing a key management solution for an organization. For an
employee, I'd like to generate two keys: one for signing and the other
for encryption. In my proposed solution, the encryption key should be
backed up in an organizational central server for auditing purposes, and
the signing key is only accessible to a user without being saved in
another location. This means that I have to separate the encryption key
from the signing key.

However, the current GPG makes the signing key the master key and the
encryption key the subkey. The PGP standard seems not to allow transferring a
single subkey (RFC4880 Section 11) because it is always preceded by the master key.

I tried to export an encryption subkey only with GPG2, but importing the
subkey also lists the primary key. The man page of
--export-secret-subkeys reads:

   The second form of the command has the special property to render the
   secret  part  of  the primary key useless; this is a GNU extension to
   OpenPGP and other implementations can not be expected to successfully
   import  such a key.  Its intended use is to generate a full key with
   an additional signing subkey on a dedicated machine  and  then  using
   this  command  to  export the key without the primary key to the main

It means that although the primary key is imported and listed, it is not

Has anyone had experience with this and been able to confirm it?

I'm also thinking about making two separate master keys, and doing so
seems to make me avoid the confusion of master-subkeys and make the
solution more portable in different implementations.

What's your opinion?
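As an added example (not part of Lou's post or GnuPG's own code), here is a small Python check over the colon-format listing that `gpg --with-colons --list-secret-keys` prints, to confirm that an import of a `--export-secret-subkeys` export really left only a stub primary plus a usable encryption subkey. It assumes the documented meaning of field 12 (capability letters) and field 15 ('#' when the secret part is absent); the sample listing is constructed, not real output.

```python
"""Verify the stub-primary layout produced by gpg --export-secret-subkeys.

Input: text of `gpg --with-colons --list-secret-keys`. Field 1 is the
record type (sec = primary secret key, ssb = secret subkey), field 5 the
key ID, field 12 the capability letters (e = encrypt, s = sign,
c = certify), and field 15 holds '#' when the secret material for that
key is NOT present (a stub) or '+' when it is.
"""


def parse_secret_listing(text):
    """Return one dict per sec/ssb record, in listing order."""
    keys = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] not in ("sec", "ssb"):
            continue
        keys.append({
            "type": fields[0],
            "keyid": fields[4],
            "caps": fields[11],          # lower-case = this key's own caps
            "stub": fields[14] == "#",   # secret part missing
        })
    return keys


def primary_is_stub(keys):
    """True when the primary key is listed but its secret part is absent."""
    return any(k["type"] == "sec" and k["stub"] for k in keys)


def usable_encryption_subkeys(keys):
    """Key IDs of encryption-capable subkeys whose secret part is present."""
    return [k["keyid"] for k in keys
            if k["type"] == "ssb" and "e" in k["caps"] and not k["stub"]]


def check_export_only_has_encryption_subkey(text):
    """The layout the post wants: stub primary (no certify/sign secret),
    at least one usable encryption subkey, and no usable signing subkey."""
    keys = parse_secret_listing(text)
    signing_present = any(k["type"] == "ssb" and "s" in k["caps"]
                          and not k["stub"] for k in keys)
    return (primary_is_stub(keys)
            and bool(usable_encryption_subkeys(keys))
            and not signing_present)


# Constructed sample (not real gpg output): primary is a stub ('#'),
# one encryption subkey with its secret part present ('+').
SAMPLE_LISTING = """\
sec:u:2048:1:0123456789ABCDEF:1483382855:::u:::scESC:::#:::23::0:
fpr:::::::::AAAA0123456789ABCDEF0123456789ABCDEF0123:
uid:u::::1483382855::B1B2::Example Employee <employee@example.org>::::::::::0:
ssb:u:2048:1:FEDCBA9876543210:1483382855::::::e:::+:::23:
"""
```

To export only the encryption subkey in the first place, name it with a trailing `!` (`gpg --export-secret-subkeys 'SUBKEYID!'`); running the check on the receiving side's listing then tells you whether the signing material is really absent there.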

