Michal Čihař - Using PGP subkeys for signing

Using PGP subkeys for signing

For quite some time, I wanted to use subkeys for signing at some places where I do not want to have my certification key stored, however I trust this location enough to have signing key available. I knew it should be possible with subkeys, however I never found time to look at it.

First I needed to add new subkey which will be used for signing:

gpg --edit-key 42B7511D
> addkey

Now choose 4 (RSA for signing) and wait until new key is created.

The only remaining step is to transfer subkeys to the other location:

gpg --export-secret-subkeys 42B7511D > /tmp/key-sub.gpg
scp /tmp/key-sub.gpg other.place:

Import them there and deleting any unwanted (eg. encryption) subkeys:

gpg --import key-sub.gpg
gpg --edit 42B7511D
> key 1
> delkey

And it's done ... much easier than I expected :-).


wrote on Sept. 29, 2010, 2:16 p.m.

Hmm. Do I understand you right? other.place is the host which you don't trust? But you copy a subkey there to edit it THERE afterwards? Not a very good idea on an untrusted location, if you ask me.

wrote on Sept. 29, 2010, 2:26 p.m.

Well it's not that untrusted :-). If I would not trust the system at all I would not give any key there. I just don't want to have full key here, as it is slightly more risky environment than usual (or maybe I'm just too paranoid).

New Comment

Due to excessive spam, new comments are disabled. If you have some feedback on this post, please send me email or followup on Twitter or Facebook.