This topic is not yet solved for me, sorry for the long inactivity... I tried the following approach, which is inspired by the Debian hints [1][2].

[1] http://keyring.debian.org/creating-key.html
[2] http://wiki.debian.org/subkeys
# preparing clean environment for testing
$ mkdir /data/tmp/todel/gpghome-todelete
$ export GNUPGHOME=/data/tmp/todel/gpghome-todelete
$ gpg2 -k
gpg: keyring `/data/tmp/todel/gpghome-todelete/pubring.gpg' created
gpg: /data/tmp/todel/gpghome-todelete/trustdb.gpg: trustdb created
$ gpg2 -K
gpg: keyring `/data/tmp/todel/gpghome-todelete/secring.gpg' created

# create a sign only key first, and then add another sign key and another encryption key
$ gpg2 --gen-key
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 3
DSA keys may be between 1024 and 3072 bits long.
What keysize do you want? (2048) 3072
Requested keysize is 3072 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at 2015-07-26T01:51:16 CEST
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Test Key
Email address:
Comment:
You selected this USER-ID:
    "Test Key"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

gpg: problem with the agent: Not implemented      // * what does/should this tell me? * //
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: WARNING: some OpenPGP programs can't handle a DSA key with this digest size
gpg: key CDFD0D80 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2015-07-25
pub   3072D/CDFD0D80 2013-07-25 [expires: 2015-07-25]
      Key fingerprint = 6FF6 3569 1EEC F4D7 6D33 5B4F 8F37 FCE1 CDFD 0D80
uid                  Test Key

Note that this key cannot be used for encryption.  You may want to use
the command "--edit-key" to generate a subkey for this purpose.

$ gpg2 --edit-key CDFD0D80
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  3072D/CDFD0D80  created: 2013-07-25  expires: 2015-07-25  usage: SC
                     trust: ultimate      validity: ultimate
[ultimate] (1). Test Key

Command> addkey
Key is protected.

You need a passphrase to unlock the secret key for
user: "Test Key"
3072-bit DSA key, ID CDFD0D80, created 2013-07-25

Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
Your selection? 5
ELG keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2w
Key expires at 2013-08-09T01:54:07 CEST
Is this correct? (y/N) y
Really create? (y/N) y
gpg: problem with the agent: Not implemented
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

pub  3072D/CDFD0D80  created: 2013-07-25  expires: 2015-07-25  usage: SC
                     trust: ultimate      validity: ultimate
sub  4096g/52C7F578  created: 2013-07-25  expires: 2013-08-08  usage: E
[ultimate] (1). Test Key

Command> addkey
Key is protected.

You need a passphrase to unlock the secret key for
user: "Test Key"
3072-bit DSA key, ID CDFD0D80, created 2013-07-25

Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
Your selection? 3
DSA keys may be between 1024 and 3072 bits long.
What keysize do you want? (2048) 3072
Requested keysize is 3072 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 20d
Key expires at 2013-08-15T01:56:58 CEST
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: WARNING: some OpenPGP programs can't handle a DSA key with this digest size

pub  3072D/CDFD0D80  created: 2013-07-25  expires: 2015-07-25  usage: SC
                     trust: ultimate      validity: ultimate
sub  4096g/52C7F578  created: 2013-07-25  expires: 2013-08-08  usage: E
sub  3072D/FC9E4EAC  created: 2013-07-25  expires: 2013-08-14  usage: S
[ultimate] (1). Test Key

Command> save

# basically following the debian-instructions here
# in real life, here could happen a change from offline to online environment
$ gpg2 --export CDFD0D80 > testkey.pub
$ gpg2 --export-secret-keys CDFD0D80 > testkey.prv
$ gpg2 --export-secret-subkeys 52C7F578! FC9E4EAC! > testkey.sub
$ gpg2 --delete-secret-keys CDFD0D80
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

sec  3072D/CDFD0D80 2013-07-25 Test Key

Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y

# deletion has worked
$ gpg2 -k
/data/tmp/todel/gpghome-todelete/pubring.gpg
--------------------------------------------
pub   3072D/CDFD0D80 2013-07-25 [expires: 2015-07-25]
uid                  Test Key
sub   4096g/52C7F578 2013-07-25 [expires: 2013-08-08]
sub   3072D/FC9E4EAC 2013-07-25 [expires: 2013-08-14]

$ gpg2 -K

# importing also successful
$ gpg2 --import testkey.pub testkey.sub
gpg: key CDFD0D80: "Test Key" not changed
gpg: key CDFD0D80: secret key imported
gpg: key CDFD0D80: "Test Key" not changed
gpg: Total number processed: 2
gpg:              unchanged: 2
gpg:       secret keys read: 1
gpg:   secret keys imported: 1
$ gpg2 -k
/data/tmp/todel/gpghome-todelete/pubring.gpg
--------------------------------------------
pub   3072D/CDFD0D80 2013-07-25 [expires: 2015-07-25]
uid                  Test Key
sub   4096g/52C7F578 2013-07-25 [expires: 2013-08-08]
sub   3072D/FC9E4EAC 2013-07-25 [expires: 2013-08-14]

$ gpg2 -K
/data/tmp/todel/gpghome-todelete/secring.gpg
--------------------------------------------
sec#  3072D/CDFD0D80 2013-07-25 [expires: 2015-07-25]
uid                  Test Key
ssb   4096g/52C7F578 2013-07-25
ssb   3072D/FC9E4EAC 2013-07-25

# now check whether thunderbird+enigmail works
$ thunderbird
$ # in thunderbird+enigmail I choose "0xCDFD0D80" for an email account
$ # (1) in compose window I select "OpenPGP/sign"
$ #     and I have to enter the passphrase for "FC9E4EAC"
$ #     email gets sent and arrives with
$ #     "Good signature from Test Key \\Key ID: 0xCDFD0D80"
$ # (2) new email: this time check "OpenPGP/encrypt"
$ #     and I get an OpenPGP Alert:
$ #     "Send operation aborted. \\INV_RECP 0 0x782B2A766EE19DE0"
$ #     email is not sent

- What does this last alert tell me?
- Does this approach make sense? (I'm thinking of the suggested --expert --gen-key option, for example)
- How to add support for other email addresses but the same master key? Creating sign/encrypt keys for each account?
- Additionally, something that I don't understand (or at least expected differently) is that I only had to type the master key's passphrase. What I want (if possible) is a long passphrase for the master key, and a shorter passphrase for the subkeys (for convenience in daily use, etc.). What am I doing wrong or misunderstanding?

Thanks for your help,
-- atair

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users