Making a subkey a standalone Master key

Romain Lebrun Thauront romain.lebrun-thauront at protonmail.com
Tue Apr 21 12:40:49 CEST 2020


Hi folks,

[Problem] :

I'm generating myself a brand new PGP master key and I'd like it to have
this structure:

A first .gnupg folder with:
sec     ed25519 1876-02-10 [SC]
          AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
uid     [ultimate] Romain Lebrun Thauront
ssb     ed25519 2020-04-21 [S] [expires: 2021-01-01]
          BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
ssb     cv25519 2020-04-21 [E] [expires: 2021-01-01]
          CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

A second .gnupg folder (let's say .gnupg_copy) with:
sec     ed25519 2020-04-21 [SC] [expires: 2021-01-01]
          BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
uid     [ultimate] Romain Lebrun Thauront
ssb     cv25519 2020-04-21 [E] [expires: 2021-01-01]
          CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

Where the BBBB and CCCC keys are the same in the two folders, but BBBB
is in one case a signing subkey and in the other a standalone master key.

I can't find how to achieve that by myself; does anyone have an idea?
I don't care if the problem is solved one way or the other (generating
the first config and transforming a subkey into a master key, OR
generating the second config and transforming a master key into a
signing subkey of another master key).

[\Problem]

[Context]:

Reading this isn't necessary for giving a purely technical answer, but
if you are curious then go on.

I'm using a web mailer called ProtonMail which offers in-browser
cryptography. For that I have to upload an encrypted secret key with
signing and encryption capabilities to their servers. But their software
won't accept that I upload only the "secret subkeys", without the
"secret master key". I mean, something like this is refused:

sec#   ed25519 1876-02-10 [SC]  (The difference is the # here, meaning I
do not upload the secret master key)
          AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
uid     [ultimate] Romain Lebrun Thauront
ssb     ed25519 2020-04-21 [S] [expires: 2021-01-01]
          BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
ssb     cv25519 2020-04-21 [E] [expires: 2021-01-01]
          CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC

As I want to keep my secret master key offline, off my computer, on an
encrypted USB stick, in a chest, in the deep Caribbean sea, kept by three
infamous sharks, the setup described in the above section would be a
great workaround: I'll use config one (my rolling subkeys as subkeys)
on my other mailer and I will advertise them like that to my contacts and
keyservers. I'll upload the second config (my rolling subkeys as a
master key) to ProtonMail servers each time I roll keys.

[\Context]

As an ed25519 keypair is an ed25519 keypair, whether it is used as master
key or subkey, I think that should be theoretically possible, at least
by modifying the binaries of the key files. But there should be an
easier solution, right?

Best,
RLT

P.S.: sorry for the grammatical incorrectness, not my native language
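As an added example (not from the post or from GnuPG), here is a small Python walker over the OpenPGP packet framing of RFC 4880 that shows the structural point the question turns on: Secret-Key (tag 5) and Secret-Subkey (tag 7) packets share one body format, so the key material of BBBB can be re-tagged mechanically, while the User ID packet and the self-signatures that bind it to that key are what still have to be produced for the result to be a usable standalone key. The sample bytes are constructed, not a real key; the output of `gpg --export-secret-keys` can be passed to list_packets() the same way.

```python
# Packet tags (RFC 4880 section 4.3) that matter for key structure
TAG_NAMES = {2: "Signature", 5: "Secret-Key", 6: "Public-Key",
             7: "Secret-Subkey", 13: "User ID", 14: "Public-Subkey"}

def parse_header(data, pos):
    """Return (tag, body_start, body_len) for the packet starting at pos."""
    first = data[pos]
    if not first & 0x80:
        raise ValueError("bit 7 of a packet tag octet must be set")
    if first & 0x40:                                  # new-format header
        tag, b1 = first & 0x3F, data[pos + 1]
        if b1 < 192:
            return tag, pos + 2, b1
        if b1 < 224:
            return tag, pos + 3, ((b1 - 192) << 8) + data[pos + 2] + 192
        if b1 == 255:
            return tag, pos + 6, int.from_bytes(data[pos + 2:pos + 6], "big")
        raise ValueError("partial body lengths are not handled here")
    tag, ltype = (first & 0x3C) >> 2, first & 0x03    # old-format header
    if ltype == 3:
        raise ValueError("indeterminate length is not handled here")
    nbytes = (1, 2, 4)[ltype]
    return tag, pos + 1 + nbytes, int.from_bytes(data[pos + 1:pos + 1 + nbytes], "big")

def list_packets(data):
    """Return [(tag, name, body)] for every packet in a transferable key."""
    pos, packets = 0, []
    while pos < len(data):
        tag, start, n = parse_header(data, pos)
        packets.append((tag, TAG_NAMES.get(tag, f"tag {tag}"), data[start:start + n]))
        pos = start + n
    return packets

def encode_packet(tag, body):
    """Serialise a packet with a new-format header (bodies up to 4 GiB)."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        length = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        length = b"\xff" + n.to_bytes(4, "big")
    return bytes([0xC0 | tag]) + length + body

def subkey_as_primary_packets(data):
    """Re-tag each Secret-Subkey (7) body as a Secret-Key (5): the key material is
    byte-identical; a User ID and a fresh self-signature are still needed."""
    return [encode_packet(5, body) for tag, _, body in list_packets(data) if tag == 7]

# Constructed sample (not a real key): old-format tag 5 with 2-octet length, old-format tag 13, new-format tag 7
SAMPLE = b"\x95\x00\x04AAAA" + b"\xb4\x03RLT" + b"\xc7\x04BBBB"
```

Running list_packets() over the two exported keyrings from the question would show the same BBBB key-material body once under tag 7 and once under tag 5, with different Signature packets around it.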

More information about the Gnupg-users mailing list