On 12/12/10 8:03 AM, David Shaw wrote:
>
> GPG has an option to create a special key like this. Basically,
> after you make your backup copy, run:
>
> gpg --export-secret-subkeys (thekey) > my-subkeys-only.gpg
>
> Then delete the real secret key (make sure you have a backup!):
>
> gpg --delete-secret-key (thekey)
>
> And import the special no-primary-key version:
>
> gpg --import my-subkeys-only.gpg

Awesome, thanks.

> The key will then work just like any other key, except that it can't
> sign other keys, and it can't make more subkeys (since you need the
> primary to do that). The only visible difference is a "#" sign
> after the "sec" when you --list-secret-keys.

Cool. What difference (if any) does this make to the generation/export
of the public key? And, more to the point, is it best to provide a
public key block generated without the presence of the primary key or
not?

> If your subkeys are compromised, or you need a new subkey, or want
> to sign someone else's key, you bring back your backed up copy of the
> full key, do what you need to do, and then go back to the
> no-primary-key version.

Cool. Now that I think about it, anyone needing to check a signature one
added to their key would need a public key that included data from the
primary key. Did I just answer my own question?

Regards,
Ben
_______________________________________________ Gnupg-users mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnupg-users
