Michal Čihař - Using PGP subkeys for signing

Using PGP subkeys for signing

For quite some time, I wanted to use subkeys for signing in some places where I do not want to have my certification key stored, but which I trust enough to have a signing key available. I knew it should be possible with subkeys; however, I never found the time to look at it.

First I needed to add a new subkey which will be used for signing:

gpg --edit-key 42B7511D
> addkey

Now choose 4 (RSA for signing) and wait until the new key is created.

The only remaining step is to transfer the subkeys to the other location:

gpg --export-secret-subkeys 42B7511D > /tmp/key-sub.gpg
scp /tmp/key-sub.gpg other.place:

Import them there and delete any unwanted (e.g. encryption) subkeys:

gpg --import key-sub.gpg
gpg --edit-key 42B7511D
> key 1
> delkey

And it's done ... much easier than I expected :-).
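
A check to run on the other location after the import and delkey steps above, added here as an example and not part of the original post: it reads gpg's colon-format secret key listing and confirms that the primary (certification) key is only a stub and that only signing subkeys carry secret material. The function name and the sample listings are constructed for illustration, and it assumes the GnuPG 2.1+ colon format, where field 15 is "#" for a stub.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumption: GnuPG 2.1+ colon format, where field 12 of a record holds the
# key capabilities and field 15 is "#" when the secret part is only a stub.

# audit_subkey_only (hypothetical name) reads the output of
#   gpg --list-secret-keys --with-colons 42B7511D
# on stdin. It returns 0 only if the primary secret key is a stub, at least
# one signing subkey has secret material, and no other subkey secret is listed.
audit_subkey_only() {
    awk -F: '
        $1 == "sec" {
            seen = 1
            if ($15 != "#") { print "FAIL: primary secret key present: " $5; bad = 1 }
        }
        $1 == "ssb" && $15 != "#" {
            if ($12 ~ /s/) {
                signing++
            } else {
                print "FAIL: non-signing subkey secret present: " $5; bad = 1
            }
        }
        END {
            if (!seen)    { print "FAIL: no secret key record found"; bad = 1 }
            if (!signing) { print "FAIL: no signing subkey with secret material"; bad = 1 }
            if (!bad) print "OK: primary is a stub, signing subkeys: " signing
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample listings (key IDs and timestamps are made up).
# What the other location should look like: stub primary, one signing subkey.
SAMPLE_SUBKEY_ONLY='sec:u:4096:1:AAAAAAAAAAAAAAAA:1200000000:::u:::scSC:::#:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1285770000::::::s:::+:'

# What a full key looks like: primary secret and encryption subkey present.
SAMPLE_FULL_KEY='sec:u:4096:1:AAAAAAAAAAAAAAAA:1200000000:::u:::scSC:::+:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1200000000::::::e:::+:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1285770000::::::s:::+:'

printf '%s\n' "$SAMPLE_SUBKEY_ONLY" | audit_subkey_only || true
printf '%s\n' "$SAMPLE_FULL_KEY" | audit_subkey_only || true
```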

Comments

wrote on Sept. 29, 2010, 4:16 p.m.

Hmm. Do I understand you right? other.place is the host which you don't trust? But you copy a subkey there to edit it THERE afterwards? Not a very good idea on an untrusted location, if you ask me.

wrote on Sept. 29, 2010, 4:26 p.m.

Well, it's not that untrusted :-). If I did not trust the system at all, I would not give any key there. I just don't want to have the full key here, as it is a slightly more risky environment than usual (or maybe I'm just too paranoid).