export encryption (subkey) only?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Jan 3 15:05:19 CET 2017


On Mon 2017-01-02 13:27:35 -0500, Lou Wynn wrote:
> I tried to export an encryption subkey only with GPG2, but importing the
> subkey also lists the primary key. The man page of
> --export-secret-subkeys reads:
>
>    The second form of the command has the special property to render the
>    secret  part  of  the primary key useless; this is a GNU extension to
>    OpenPGP and other implementations can not be expected to successfully
>    import  such a key.  Its intended use is to generated a full key with
>    an additional signing subkey on a dedicated machine  and  then  using
>    this  command  to  export the key without the primary key to the main
>    machine.
>
> It means that although the primary key is imported and listed, it is not
> usable.
>
> Has anyone had experience with this and been able to confirm it?

yes, the documentation is correct.  When using export-secret-subkeys,
the primary key is exported with a stripped set of secret key
parameters, so it is importable, but not usable.

If you want to inspect this to ensure it's correct, you can look at the
exported transferable secret key with gpg --list-packets (which will
show the stripped secret key material as using "gnu-dummy S2K") or
pgpdump (which will show the stripped secret key material as "GnuPG
gnu-dummy (s2k 1001)").

> I'm also thinking about making two separate master keys, and doing so
> seems to make me avoid the confusion of master-subkeys and make the
> solution more portable in different implementations.

While this might be marginally more usable by some of your
organization's staff, it sounds significantly more complicated and
confusing to the external parties who your staff is going to talk to.

You should stick with a single public certificate per user (containing
the two keys that you describe) so that your users' correspondents don't
have to juggle multiple keys per person they communicate with.

     --dkg
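As an added illustration of the inspection dkg describes above (this is not code from the thread or from GnuPG), a small Python parser that walks a binary secret key export and reports, for each secret key and subkey packet, whether the secret material is in the clear, conventionally encrypted, or replaced by GnuPG's gnu-dummy S2K (what pgpdump shows as "s2k 1001"). It assumes v4 key packets whose S2K usage octet is 0, 254 or 255, and SAMPLE is a constructed byte string, not a real key; the binary output of gpg --export-secret-subkeys can be fed to describe_secret_keys() in the same way.

```python
# Public-key MPI count per algorithm id (RFC 4880); ECC algorithms (RFC 6637) carry an OID + point instead
MPI_COUNT = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}
ECC_ALGOS = {18, 19, 22}

def _mpi_end(buf, off):  # offset just past the MPI at off (2-byte bit count, then body)
    return off + 2 + (int.from_bytes(buf[off:off + 2], "big") + 7) // 8

def _header(buf, off):  # -> (tag, body_start, body_len) for old-format or 1/2-byte new-format headers
    b = buf[off]
    if b & 0x40:
        n = buf[off + 1]
        if n >= 224:
            raise ValueError("4-octet and partial lengths not handled")
        return (b & 0x3F, off + 2, n) if n < 192 else (b & 0x3F, off + 3, ((n - 192) << 8) + buf[off + 2] + 192)
    size = {0: 1, 1: 2, 2: 4}[b & 3]  # KeyError on indeterminate length, which key packets never use
    return (b >> 2) & 0x0F, off + 1 + size, int.from_bytes(buf[off + 1:off + 1 + size], "big")

def protection(body):  # describe the S2K usage of one v4 secret (sub)key packet body
    assert body[0] == 4, "only v4 key packets handled"
    algo, off = body[5], 6                         # version(1) + creation time(4) + algo(1)
    if algo in ECC_ALGOS:
        off = _mpi_end(body, off + 1 + body[off])  # length-prefixed OID, then the point MPI
        if algo == 18:
            off += 1 + body[off]                   # ECDH KDF parameters
    else:
        for _ in range(MPI_COUNT[algo]):
            off = _mpi_end(body, off)
    usage = body[off]
    if usage == 0:
        return "unprotected (secret MPIs in the clear)"
    cipher, s2k = body[off + 1], body[off + 2]
    if s2k == 101 and body[off + 4:off + 7] == b"GNU":  # GnuPG S2K extension; pgpdump prints 1000 + mode
        mode = body[off + 7]
        return "gnu-dummy (s2k 1001): secret material stripped" if mode == 1 else "GNU s2k %d" % (1000 + mode)
    return "encrypted: s2k type %d, cipher algo %d" % (s2k, cipher)

def describe_secret_keys(blob):  # walk a binary (dearmored) key blob and report tag 5 and 7 packets
    out, off = [], 0
    while off < len(blob):
        tag, start, n = _header(blob, off)
        if tag in (5, 7):
            out.append((tag, protection(blob[start:start + n])))
        off = start + n
    return out

# Constructed sample, not a real key: a toy "RSA" primary key (tag 5) stripped to gnu-dummy, then a secret subkey (tag 7)
SAMPLE = bytes.fromhex(
    "9417" "04586b8c10" "01" "0010c0ff" "0011010001" "ff006500474e5501"  # tag 5 len 23: v4, time, RSA, n, e; usage 255, S2K 101 "GNU", mode 1
    "9c34" "04586b8c10" "01" "0010c0ff" "0011010001" "fe070302"          # tag 7 len 52: same public part; usage 254, AES-128, S2K type 3, SHA-1
    "0102030405060708" "60" "000102030405060708090a0b0c0d0e0f" "deadbeefcafef00d")  # salt, count, IV, (constructed) encrypted payload
```

describe_secret_keys(SAMPLE) returns the primary key as gnu-dummy and the subkey as conventionally encrypted, which is exactly the shape an export-secret-subkeys file should have.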