On Sun, 11 Jan 2015 20:55:29 -0500 Rich Freeman <ri...@gentoo.org> wrote:
> On Sun, Jan 11, 2015 at 8:34 PM, Brian Dolbec <dol...@gentoo.org> wrote:
> > I added a little more info to the First-Use wiki page, I included a
> > link to a great webpage about setting up gpg keys.
> >
> > https://alexcabal.com/creating-the-perfect-gpg-keypair/
> >
> > there are lots more, but I like that one, it is clear, concise,...
>
> From that site: By default GPG creates one signing subkey (your
> identity) and one encryption subkey (how you receive messages intended
> for you)...Use GPG to add an additional signing subkey to your
> keypair. This new subkey is linked to the first signing key. Now we
> have three subkeys.
>
> But, whatever. If we want a total of three keys in the key then I
> don't really have a problem with that. I'm not sure what it buys you
> other than lots of confusion about how to sign the right thing with
> the right key. :)
>

Ok, the original text:

1. Create a regular GPG keypair. By default GPG creates one signing subkey (your identity) and one encryption subkey (how you receive messages intended for you).

That looks like a slight error in the author's wording. It creates one primary key with signing and authorization capability, and one encryption sub-key.

When you add a signing subkey, that subkey then becomes the default key used for signing. If you have more than one signing subkey, the default can be set in gnupg.conf without editing the key. Otherwise you must specify which key to sign with.

It is much easier to revoke that signing subkey and add a new one, without the need to create an entirely new key and losing all the key signatures it is signed with. If you revoke a primary key, all subkeys it contains are revoked as well.

In that article the author describes how to generate the subkeys and remove the original (master) keypair for installation on a laptop, desktop, etc. (separate subkeys for each machine) which may be stolen. You keep the original (master) keypair in a secure location (e.g. a bank safe deposit box).

If the laptop is stolen, the thieves do not have access to modify the gpg keys (even if they have the password), and those specific subkeys can be easily revoked, without losing your entire gpg key and the signatures it has accumulated. Using your master keypair you generate new subkeys for installation on your replacement laptop, and continue...

-- 
Brian Dolbec <dolsen>