export encryption (subkey) only?

Christopher Beck beckus at beckus.eu
Mon Jan 2 20:26:20 CET 2017


Hi Lynn,


well, it is possible. There is an option for exporting only subkeys:

gpg --output secret-subkeys --export-secret-subkeys SUBKEYID!

It is important to use the exclamation mark at the end of the subkey-id!

Instead of this: how about a company key for trust-signing the employees'
keys? Then a customer just has to set the correct trust level on that
company key (okay, might be dangerous and not everybody wants to do
this, but it might be an option).

Regards

Beckus


Am 02.01.2017 um 19:27 schrieb Lou Wynn:
>
> Hi,
>
> I'm developing a key management solution for an organization. For an
> employee, I'd like to generate two keys: one for signing and the other
> for encryption. In my proposed solution, the encryption key should be
> backed up in an organizational central server for auditing purpose,
> and the signing key is only accessible to a user without being saved
> in another location. This means that I have to separate the encryption
> key from the signing key.
>
> However, the current GPG makes the signing key the master key and the
> encryption key the subkey. The PGP standard seems not to allow transferring
> a single subkey (RFC4880 Section 11) because it is always preceded by
> the master key.
>
> I tried to export an encryption subkey only with GPG2, but importing
> the subkey also lists the primary key. The man page of
> --export-secret-subkeys reads:
>
>    The second form of the command has the special property to render the
>    secret  part  of  the primary key useless; this is a GNU extension to
>    OpenPGP and other implementations can not be expected to successfully
>    import  such a key.  Its intended use is to generate a full key with
>    an additional signing subkey on a dedicated machine  and  then  using
>    this  command  to  export the key without the primary key to the main
>    machine.
>
> It means that although the primary key is imported and listed, it is
> not usable.
>
> Has anyone had experience with this and been able to confirm it?
>
> I'm also thinking about making two separate master keys, and doing so
> seems to make me avoid the confusion of master-subkeys and make the
> solution more portable in different implementations.
>
> What's your opinion?
> -- 
> Thanks,
> Lou
>
>
>
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

-- 
I use GnuPG (GPG) for e-mail encryption and signing. If you want some privacy, my public key ID is 2F9D4F14. The file "signature.asc" this message includes contains a cryptographic signature which enables you to verify this e-mail really was written by me.

Christopher Beck, DL1CHB

Gerhart-Hauptmann-Str. 1
91058 Erlangen
Tel.: 09131 / 9245437
Fax.: 09131 / 8148708
Jabber: beckus at jabber.org
