Restructure Keys.

Raghav Gururajan rg at raghavgururajan.name
Wed Jun 5 19:06:54 CEST 2024


Hello Folks!

How do I restructure my keys from the current/old setup to the new setup?

Current/Old Setup:
PrimaryKey - CS
SubKey - E

New Setup:
PrimaryKey - C
SubKey1 - E
SubKey2 - S

I think of two options.

Option 1:
Create new SubKey with E-only and change usage of PrimaryKey to C-only.
The major caveat is I'll have to update the fingerprint of signing key 
at multiple places.

Option 2:
Create new PrimaryKey with C-only and add the OldPrimaryKey+OldSubKey as 
SubKeys.
I came across this option in this post, 
https://security.stackexchange.com/questions/32935/migrating-gpg-master-keys-as-subkeys-to-new-master-key
This way, I don't have to update my signing key fingerprint at multiple
places and can continue using the same signing key for consistency.

Is Option 2 safe to do?

I tried something else (Option 3?) that is close to Option 2. I created
a new PrimaryKey with C-only. Then, by editing the new PrimaryKey, I did
'addkey' with the option 'Existing key' and used the keygrip of the old
PrimaryKey. The new PrimaryKey now has the old PrimaryKey as its SubKey.
While the migrated key has the same keygrip at both places, the fingerprint
differs, which is a bummer (caveat of Option 1).

Thoughts?

Regards,
Raghav "RG" Gururajan.
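
The keygrip/fingerprint difference described under Option 3, as an added example that is not part of the original post: a v4 OpenPGP fingerprint (RFC 4880, section 12.2) hashes the creation time stored in the key packet together with the key material, while the keygrip is derived from the key parameters alone. The RSA numbers and timestamps below are constructed and are not a real key.

```python
import hashlib
import struct

def mpi(n: int) -> bytes:
    """OpenPGP MPI: two-octet bit count, then the big-endian magnitude."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

def v4_fingerprint(created: int, n: int, e: int) -> str:
    """Fingerprint of a v4 RSA public key or subkey packet (RFC 4880, 12.2).

    The hash input is 0x99, a two-octet length, then the packet body:
    version, creation time, algorithm id, key material. Primary keys and
    subkeys are hashed the same way.
    """
    body = struct.pack(">BIB", 4, created, 1) + mpi(n) + mpi(e)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def key_id(fingerprint: str) -> str:
    """Long key ID: the low 64 bits of the v4 fingerprint."""
    return fingerprint[-16:]

# Constructed values for illustration; N is not a usable RSA modulus.
N = (1 << 2047) | 0xC0FFEE01
E = 65537
T_ORIGINAL = 1500000000   # creation time stored in the old primary key packet
T_READDED = 1717600000    # creation time given to a subkey packet made later

def demo() -> dict:
    old = v4_fingerprint(T_ORIGINAL, N, E)
    readded = v4_fingerprint(T_READDED, N, E)      # same key material, new timestamp
    same_time = v4_fingerprint(T_ORIGINAL, N, E)   # same material, same timestamp
    return {"old": old, "readded": readded, "same_time": same_time}

if __name__ == "__main__":
    for label, fp in demo().items():
        print(f"{label:10} {fp}  keyid {key_id(fp)}")
```

The "readded" line differs from "old" although N and E are unchanged, and "same_time" matches "old": the creation time is the only input that separates the two fingerprints.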