On 07/07/13 18:50, Hauke Laging wrote:
> If you want to be sure you may create the mainkey without the flag for
> encryption (--expert --gen-key).

The keys GnuPG creates by default have signature and certification
capabilities on the primary key and encryption on a subkey. With an
offline main key, it makes a lot of sense to move the signature
capability to a subkey (and /not/ have it on the primary key) ...

> But this would prevent you from using the mainkey as a high security key
> (useful if you don't have a separate one).

... but advising to set encryption capability on the primary key goes
against the advice of not using one key for both encryption and signing.

Also, why not create the separate one if you don't have it? You wouldn't
get the certifications that are already on the other key, but you save
yourself the hassle of having multiple, active encryption-capable
(sub)keys in one key and people having to select one of those.

Just my 2 cents.

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <http://digitalbrains.com/2012/openpgp-key-peter>

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
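The key layout discussed in this thread (a certify-only primary key, with signing and encryption each on their own subkey) can be built without the interactive --expert menu. The script below is an added example and is not part of the mailing-list exchange; it assumes GnuPG 2.1 or later (for the --quick-generate-key and --quick-add-key commands), uses a throw-away GNUPGHOME, and uses a made-up user ID. The key_layout_ok function is the check a user would want afterwards: it reads `gpg --list-keys --with-colons` output and confirms that the primary key carries only the certify flag while signing and encryption sit on separate subkeys. The generation step only runs when gpg is installed; the layout check works on any colon-format listing.

```shell
#!/bin/sh
# Added example, not code from the thread: create an OpenPGP key with a
# certify-only primary key plus separate sign and encrypt subkeys, then verify
# that layout from GnuPG's machine-readable (--with-colons) key listing.
# Assumes GnuPG >= 2.1 and an isolated GNUPGHOME created with mktemp.
set -eu

# Hypothetical identity, used only for this demonstration.
UID_STR="Example User <user@example.invalid>"

# key_layout_ok reads colon-format key records on stdin and succeeds only when:
#   - the primary key ("pub" record) has exactly the certify capability,
#   - some subkey ("sub" record) has exactly the sign capability, and
#   - some subkey has exactly the encrypt capability.
# Field 12 of a pub/sub record lists usage letters (e, s, c, a). On the pub
# record, uppercase letters summarize the whole key and are stripped here so
# that only the primary key's own capabilities are inspected.
key_layout_ok() {
    awk -F: '
        $1 == "pub" { caps = $12; gsub(/[A-Z]/, "", caps); pub_caps = caps }
        $1 == "sub" {
            caps = $12; gsub(/[A-Z]/, "", caps)
            if (caps == "s") have_sign = 1
            if (caps == "e") have_encr = 1
        }
        END { exit !(pub_caps == "c" && have_sign && have_encr) }
    '
}

# build_key generates the key in a fresh GNUPGHOME and prints its colon listing.
# An empty passphrase is used purely to keep the demo non-interactive; a real
# offline primary key would of course be protected.
build_key() {
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    # Primary key: certify only ("cert"), no expiry for the demonstration.
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$UID_STR" rsa3072 cert never
    FPR=$(gpg --batch --list-keys --with-colons "$UID_STR" \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    # Signing and encryption on separate subkeys, each valid for one year.
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-add-key "$FPR" rsa3072 sign 1y
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-add-key "$FPR" rsa3072 encr 1y
    gpg --batch --list-keys --with-colons "$FPR"
}

# Only attempt key generation where gpg exists; the check itself needs no keys.
if command -v gpg >/dev/null 2>&1; then
    if build_key | key_layout_ok; then
        echo "key layout OK: certify-only primary, separate sign and encrypt subkeys"
    else
        echo "unexpected key layout" >&2
    fi
fi
```

To audit an existing key instead of a freshly generated one, pipe `gpg --list-keys --with-colons <fingerprint>` into key_layout_ok; a primary key created with the default --gen-key will fail the check because its pub record carries "s" as well as "c".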