Hi Lynn,

well, it is possible. There is an option for exporting only subkeys:

    gpg --output secret-subkeys --export-secret-subkeys SUBKEYID!

It is important to use the exclamation mark at the end of the subkey ID!

Instead of this: how about a company key for trust-signing the employees' keys? Then a customer just has to set the correct trust level for that company key (okay, might be dangerous and not everybody wants to do this, but might be an option).

Regards
Beckus

On 02.01.2017 at 19:27, Lou Wynn wrote:
>
> Hi,
>
> I'm developing a key management solution for an organization. For an employee, I'd like to generate two keys: one for signing and the other for encryption. In my proposed solution, the encryption key should be backed up on an organizational central server for auditing purposes, and the signing key is only accessible to a user without being saved in another location. This means that I have to separate the encryption key from the signing key.
>
> However, the current GPG makes the signing key the master key and the encryption key the subkey. The PGP standard seems not to allow transferring a single subkey (RFC4880 Section 11) because it is always preceded by the master key.
>
> I tried to export an encryption subkey only with GPG2, but importing the subkey also lists the primary key. The man page of --export-secret-subkeys reads:
>
> The second form of the command has the special property to render the secret part of the primary key useless; this is a GNU extension to OpenPGP and other implementations can not be expected to successfully import such a key. Its intended use is to generated a full key with an additional signing subkey on a dedicated machine and then using this command to export the key without the primary key to the main machine.
>
> It means that although the primary key is imported and listed, it is not usable.
>
> Has anyone had experience with this and been able to confirm it?
>
> I'm also thinking about making two separate master keys, and doing so seems to let me avoid the confusion of master/subkeys and make the solution more portable across different implementations.
>
> What's your opinion?
> --
> Thanks,
> Lou
>
> _______________________________________________
> Gnupg-users mailing list
> [email protected]
> http://lists.gnupg.org/mailman/listinfo/gnupg-users

--
I use GnuPG (GPG) for e-mail encryption and signing. If you want some privacy, my public key ID is 2F9D4F14. The file "signature.asc" this message includes contains a cryptographic signature which enables you to verify this e-mail really was written by me.

Christopher Beck, DL1CHB
Gerhart-Hauptmann-Str. 1
91058 Erlangen
Tel.: 09131 / 9245437
Fax.: 09131 / 8148708
Jabber: [email protected]
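To confirm on the importing machine what the man page promises (the primary key is listed, but its secret is only a stub), here is an added example, not from this thread, that audits `gpg --list-secret-keys --with-colons` output; the two listings inside are constructed, and the key IDs and user ID are placeholders.

```python
"""Audit `gpg --list-secret-keys --with-colons` output after a subkey-only import.

Field layout per GnuPG's doc/DETAILS for sec/ssb records: field 5 = key ID,
field 12 = capabilities (e encrypt, s sign, c certify, a auth; upper case is
the whole-key summary), field 15 = '#' when the secret key is only a stub,
which is what --export-secret-subkeys leaves for the primary key.
"""

# Constructed listings (not real keys): the first is what an import of
# `--export-secret-subkeys FEDCBA9876543210!` might show, the second a
# full key whose signing subkey secret is also present.
SUBKEY_ONLY_LISTING = """\
sec:u:2048:1:0123456789ABCDEF:1483378020:::u:::scESC:::#:::23::0:
uid:u::::1483378020::D41D8CD98F00B204E9800998ECF8427E::Lou Wynn <lou@example.org>::::::::::0:
ssb:u:2048:1:FEDCBA9876543210:1483378020::::::e::::::23:
"""
FULL_KEY_LISTING = """\
sec:u:2048:1:0123456789ABCDEF:1483378020:::u:::scESC::::::23::0:
uid:u::::1483378020::D41D8CD98F00B204E9800998ECF8427E::Lou Wynn <lou@example.org>::::::::::0:
ssb:u:2048:1:1111222233334444:1483378020::::::s::::::23:
ssb:u:2048:1:FEDCBA9876543210:1483378020::::::e::::::23:
"""

def parse_secret_listing(listing):
    """Return one dict per primary key: keyid, caps, stub, subkeys."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] not in ("sec", "ssb") or len(f) < 15:
            continue  # uid/fpr/grp records carry no secret-key state
        entry = {"keyid": f[4],
                 "caps": "".join(c for c in f[11] if c.islower()),
                 "stub": f[14] == "#"}
        if f[0] == "sec":
            entry["subkeys"] = []
            keys.append(entry)
        elif keys:
            keys[-1]["subkeys"].append(entry)
    return keys

def usable_secret_material(key):
    """(name, caps) for every component whose secret is real, not a stub."""
    usable = [] if key["stub"] else [("primary", key["caps"])]
    return usable + [(s["keyid"], s["caps"]) for s in key["subkeys"] if not s["stub"]]

def is_encryption_only(key):
    """True when the primary is a stub and all usable secrets can only encrypt."""
    usable = usable_secret_material(key)
    return key["stub"] and bool(usable) and all(c == "e" for _, c in usable)
```

Run it against the real listing of the importing keyring: a `sec` record without `#` in field 15 means a usable primary secret was imported, not a stub.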
