Keyring management with multiple smart cards

Louis Opter louis at opter.org
Fri Dec 14 23:37:26 CET 2018


Hello,

I have a certify-only master keypair in an air-gapped machine. I only
use that machine to create subkeys and sign other people's keys. The
subkeys are copied onto smartcards which I use in daily life.

Assuming that smartcards aren't indestructible and can be lost, I always
have a backup smartcard handy. Because you can't really share a subkey
with multiple smartcards [1], I took the approach of generating subkeys
for each smartcard. This means that I have multiple sign/enc/auth
subkeys that are used in lockstep, but I have a single $GNUPGHOME and
it is really easy for me to use any of my smartcards: data that I care
about is encrypted for all the smartcards and all the smartcards are
authorized for ssh logins.

On the other hand, having multiple sign subkeys doesn't really make
sense to publish data (e.g. software releases). Moreover my ring of enc
subkeys is not usable for people who are trying to communicate with me:
it's not really reasonable to ask people to encrypt data for all my
subkeys, and GPG is designed to use the most recent key for the
requested (sign/enc/auth) usage anyway.

To alleviate that problem I was wondering if it was possible to create
another sign/enc subkey and publish (to keyservers) that subkey only?
(along with my master public key of course).

In other words I would have two views of the same keyring: one with all
my subkeys for my own use with my smartcards, and one for use by other
people with only my master key and my sign/enc subkey so that there is
no ambiguity on the subkey to use when communicating with me or
verifying my signatures.

I hope this is intelligible and I am curious about how other people
approached that problem.

Thank you & have a nice weekend,

[1] https://dev.gnupg.org/T2291

-- 
Louis Opter
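One way to produce the "public view" the post asks about, as an added example that is not part of the original message: GnuPG's `--export-filter drop-subkey` (GnuPG 2.1 and later) can strip every subkey except a chosen subset at export time, leaving the full keyring in `$GNUPGHOME` untouched. The fingerprints and the `export_public_view` / `keep_subkeys_filter` helper names are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Export a public key that carries
# only the master key and a chosen subset of its subkeys, using GnuPG's
# --export-filter drop-subkey. The full keyring stays as it is; only the
# exported copy is filtered.
set -eu

# Build a drop-subkey expression that drops every subkey whose fingerprint
# is NOT one of the given ones. GnuPG combines conditions with '&&' only,
# so "fpr <> A && fpr <> B" means: drop the subkey unless it is A or B.
keep_subkeys_filter() {
    expr=""
    for fpr in "$@"; do
        if [ -z "$expr" ]; then
            expr="fpr <> $fpr"
        else
            expr="$expr && fpr <> $fpr"
        fi
    done
    printf '%s' "$expr"
}

# Export the public key MASTER (first argument) with only the listed
# subkey fingerprints attached, ASCII-armored, to stdout.
export_public_view() {
    master="$1"
    shift
    filter="$(keep_subkeys_filter "$@")"
    gpg --armor \
        --export-filter "drop-subkey=$filter" \
        --export "$master"
}

# Usage (fingerprints are placeholders, substitute your own):
#   sh export_view.sh <MASTER_FPR> <PUBLISHED_SIGN_FPR> <PUBLISHED_ENC_FPR> \
#       > public-view.asc
# Nothing runs when the script is sourced without arguments.
if [ "$#" -ge 2 ]; then
    export_public_view "$@"
fi
```

Check the result with `gpg --show-keys public-view.asc` before uploading it; note that keyservers merge uploads, so subkeys already published there are not removed by uploading a filtered copy.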




More information about the Gnupg-users mailing list