Making a subkey a standalone Master key

Stefan Claas sac at
Tue Apr 21 19:32:11 CEST 2020

Andrew Gallagher wrote:

> On 21/04/2020 11:40, Romain Lebrun Thauront via Gnupg-users wrote:
> > I'm using a web mailer called ProtonMail which offer in-browser
> > cryptography. For that I have to upload some encrypted secret key with
> > signing and encrypting capabilities to their servers. But their software
> > wont accept that I upload only the "secret subkeys" keys, without the
> > "secret master key" key.
> This is a potentially interesting hack. I don't see any reason in
> principle why you can't construct such a key, since the mathematics of
> keys and subkeys is identical.
> But there is a big wrinkle coming, and that is how such a mangled key
> would be understood in practice. If someone were to send you a mail
> encrypted to your "real" key, would Protonmail understand that it has
> the correct key material available to decrypt it? After all, the "fake"
> key that Protonmail knows would have a different (primary) fingerprint
> from the one your correspondent used to encrypt. It might be possible
> IFF protonmail tests only the fingerprint of the encryption subkey and
> ignores that of the primary, but that would be an implementation detail.
> If you do get it to work though, I would be very interested in your
> method. :-)

I have just checked my pub key, I created there a month ago, for testing
purposes, of this account.

What would happen if one creates a master key with only signing capabilities
and no certification capablities? And then create a second key pair with
the proper master key and try to combine those with what skeeto once mentioned
with his pgp key-poisoner, i.e. that it is possible to bind sub keys to someone
elses pub key?

Because Protomail only uses the encryption sub key, with a different fingerprint
it should not matter, right? I see there no problem if the submitted Master key
there has a different fingerprint and only signing capabilities.

Maybe worth a try.


Signal (Desktop) +4915172173279

More information about the Gnupg-users mailing list