Configuration for offline usage - best practice tips?

Werner Koch wk at
Wed Feb 28 15:49:44 CET 2018

On Fri, 23 Feb 2018 23:08, jc.gnupg18a at said:

> Yes, that's what I plan to do, generate a subkey for each month in advance
> and use this to encrypt my backups.

That raises the question for us whether it will make sense to change

  --quick-add-key fpr [algo [usage [expire]]]

to add a new parameter "creationdate" to make it easier to create keys for
future periods.  The parameter-controlled batch key generation already
allows for this.

Background: gpg will not consider a future encryption subkey so that
keys for the next period can instantly be distributed.

> these keys. That is, if I have to restore certain files from a backup, and
> the machine where the decryption happens might be compromised, I don't want
> all backups to be compromised in a single step. 

You may also want to look into the gpg-agent remote feature, which is
designed to protect your private key during restore operations.  Here is
an older description:


You don't need to use smartcards, and the extra socket is meanwhile
configured by default.



#  Please read:  Daniel Ellsberg - The Doomsday Machine  #
Thoughts are free.  Exceptions are regulated by a federal law.
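
Added example, not part of the original message: a dry-run planner that prints one `--quick-add-key` call per month and sets each subkey's creation date with gpg's existing `--faked-system-time` option (documented in the manual as a testing aid) instead of the proposed "creationdate" parameter. Because gpg ignores an encryption subkey whose creation date lies in the future, each subkey only comes into use when its month starts. The fingerprint is a constructed placeholder, and the `rsa3072` algorithm, `encr` usage and first-of-month boundaries are assumptions.

```shell
#!/bin/sh
# Added example: plan monthly encryption subkeys created "in" their own month.
# Nothing is executed here; the function only prints the gpg commands.

# plan_subkeys FPR YEAR MONTH COUNT [ALGO]
#   FPR    fingerprint of the primary key (40 hex digits)
#   YEAR   first period, e.g. 2018
#   MONTH  first period, 1-12 (a leading zero is accepted)
#   COUNT  number of consecutive monthly subkeys to plan
#   ALGO   subkey algorithm, default rsa3072 (assumption)
plan_subkeys() {
    fpr=$1; y=$2; m=${3#0}; n=$4; algo=${5:-rsa3072}
    while [ "$n" -gt 0 ]; do
        # Work out the following month, rolling over the year after December.
        ny=$y; nm=$((m + 1))
        if [ "$nm" -gt 12 ]; then nm=1; ny=$((y + 1)); fi
        # Creation time: 00:00:00 on the 1st of the period (ISO time string).
        # Expiry: the 1st of the following month (ISO date).
        printf 'gpg --faked-system-time %04d%02d01T000000 --quick-add-key %s %s encr %04d-%02d-01\n' \
            "$y" "$m" "$fpr" "$algo" "$ny" "$nm"
        y=$ny; m=$nm; n=$((n - 1))
    done
}

# Stand-alone use: ./plan.sh FPR YEAR MONTH COUNT [ALGO]
if [ "$#" -ge 4 ]; then
    plan_subkeys "$@"
fi
```

Review the printed commands, then pipe them to `sh` on the offline machine that holds the primary secret key.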