GPG subkeys

One recommendation for OpenPGP usage is to have a master key that is only used to sign other keys, and to keep a subkey for daily usage.

The procedure to create such a key, including the steps to store the master key in a safe place and keep just the subkeys on your main keyring, is described in the guide to subkeys creation on the Debian wiki, but there is no information on further maintenance.

Create a new subkey

One common recommendation is to let the signing subkey expire and periodically create a new one; when doing so you may have to work around some issues with subkey importing.

At first, create a new key as described in the guide:

  • mount your USB drive and set it as the gnupg home: export GNUPGHOME=/media/yourdrive.
  • gpg --edit-key YOURMASTERKEYID.
  • At the gpg> prompt: addkey.
  • Type your passphrase.
  • Choose RSA (sign only).
  • Choose your key size (4096 recommended, unless you want to store it on a smartcard).
  • Choose an expiry date.
  • Wait for gpg to gather enough entropy and create the key.
  • Save the key: save.

Ideally, you would now export only the newly created secret subkey and import it into your daily keyring, but up to version 2.0.26 this does not work, so you have to export all of the subkeys as well as the updated public key:

  • gpg --export --armor YOURMASTERKEYID > pubkeys
  • gpg --list-secret-keys YOURMASTERKEYID
  • gpg --export-secret-subkeys SUBKEYID1! .. SUBKEYIDn! > subkeys (remember to list all of the subkeys, but not the master key).

The ! tells gnupg to use the subkey ID verbatim instead of trying to find the corresponding master key.

You can now unmount your USB drive, restore your regular gnupg home with export GNUPGHOME=~/.gnupg, and then import your new key into your regular keyring.

  • Double check that you are working in the right gnupg home: run gpg --list-secret-keys YOURMASTERKEYID and check that it's only showing your old subkeys.
  • Delete your private key: gpg --delete-secret-key YOURMASTERKEYID.
  • Import back the private subkeys you exported, together with the updated public key: gpg --import pubkeys subkeys.
  • Check with gpg --list-secret-keys YOURMASTERKEYID that you have all of the subkeys and that the master key shows sec# instead of just sec.

You can now start using your new subkey, publish it on the keyservers, etc.
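The final check above (the master key must show sec#, and every subkey must be present) can be scripted against the machine-readable listing from gpg --with-colons --list-secret-keys, where a stub master key is marked by a # in field 15 of the sec record. The following is an added example, not part of the original page; the listings embedded in it are constructed samples with made-up key IDs, standing in for real gpg output.

```shell
#!/bin/sh
# Constructed sample of `gpg --with-colons --list-secret-keys` output for a
# daily keyring done right: master key is a stub (sec#), two subkeys present.
SAMPLE_OK='sec:u:4096:1:AAAA1111BBBB2222:1400000000:::u:::cSC:::#:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1400000000::0123456789ABCDEF::Example User <user@example.org>::::::::::0:
ssb:u:4096:1:CCCC3333DDDD4444:1400000000:1600000000:::::s::::::23:
ssb:u:4096:1:EEEE5555FFFF6666:1400000000:1700000000:::::e::::::23:'

# Constructed sample where the full master secret key is still in the
# keyring (plain sec, no #): the state the procedure is meant to avoid.
SAMPLE_BAD='sec:u:4096:1:AAAA1111BBBB2222:1400000000:::u:::cSC::::::23::0:
ssb:u:4096:1:CCCC3333DDDD4444:1400000000:1600000000:::::s::::::23:'

# master_is_stub: read a colon-format listing on stdin; succeed (exit 0)
# only if at least one sec record exists and every one carries '#' in
# field 15, which is how gpg marks a secret key that is only a stub.
master_is_stub() {
  awk -F: '$1 == "sec" { n++; if ($15 != "#") bad++ }
           END { if (n == 0 || bad > 0) exit 1; exit 0 }'
}

# subkey_ids: print the key ID (field 5) of every secret subkey (ssb record).
subkey_ids() {
  awk -F: '$1 == "ssb" { print $5 }'
}

# has_subkeys ID...: read a listing on stdin and succeed only if every
# expected subkey ID given as an argument appears as an ssb record.
has_subkeys() {
  ids=$(subkey_ids)
  for want in "$@"; do
    printf '%s\n' "$ids" | grep -qx "$want" || return 1
  done
  return 0
}

# Live usage against your real daily keyring (not run here):
#   gpg --with-colons --list-secret-keys YOURMASTERKEYID | master_is_stub
# A non-zero exit means the master secret key is not a stub and you should
# re-check which GNUPGHOME you are in before going any further.
printf '%s\n' "$SAMPLE_OK" | master_is_stub && echo "sample OK: master key is a stub"
printf '%s\n' "$SAMPLE_BAD" | master_is_stub || echo "sample BAD: full master key present"
```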
