This topic is not yet solved for me, sorry for the long inactivity...
I tried the following approach which is inspired by the debian hints [1][2].
[1] http://keyring.debian.org/creating-key.html
[2] http://wiki.debian.org/subkeys
# preparing clean environment for testing
$ mkdir /data/tmp/todel/gpghome-todelete
$ export GNUPGHOME=/data/tmp/todel/gpghome-todelete
$ gpg2 -k
gpg: keyring `/data/tmp/todel/gpghome-todelete/pubring.gpg' created
gpg: /data/tmp/todel/gpghome-todelete/trustdb.gpg: trustdb created
$ gpg2 -K
gpg: keyring `/data/tmp/todel/gpghome-todelete/secring.gpg' created
# create a sign only key first, and then add another sign key and
another encryption key
$ gpg2 --gen-key
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 3
DSA keys may be between 1024 and 3072 bits long.
What keysize do you want? (2048) 3072
Requested keysize is 3072 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at 2015-07-26T01:51:16 CEST
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: Test Key
Email address:
Comment:
You selected this USER-ID:
"Test Key"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
gpg: problem with the agent: Not implemented
// * what does/should this tell me? * //
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: WARNING: some OpenPGP programs can't handle a DSA key with this digest size
gpg: key CDFD0D80 marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2015-07-25
pub 3072D/CDFD0D80 2013-07-25 [expires: 2015-07-25]
Key fingerprint = 6FF6 3569 1EEC F4D7 6D33 5B4F 8F37 FCE1 CDFD 0D80
uid Test Key
Note that this key cannot be used for encryption. You may want to use
the command "--edit-key" to generate a subkey for this purpose.
$ gpg2 --edit-key CDFD0D80
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
pub 3072D/CDFD0D80 created: 2013-07-25 expires: 2015-07-25 usage: SC
trust: ultimate validity: ultimate
[ultimate] (1). Test Key
Command> addkey
Key is protected.
You need a passphrase to unlock the secret key for
user: "Test Key"
3072-bit DSA key, ID CDFD0D80, created 2013-07-25
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
Your selection? 5
ELG keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 2w
Key expires at 2013-08-09T01:54:07 CEST
Is this correct? (y/N) y
Really create? (y/N) y
gpg: problem with the agent: Not implemented
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
pub 3072D/CDFD0D80 created: 2013-07-25 expires: 2015-07-25 usage: SC
trust: ultimate validity: ultimate
sub 4096g/52C7F578 created: 2013-07-25 expires: 2013-08-08 usage: E
[ultimate] (1). Test Key
Command> addkey
Key is protected.
You need a passphrase to unlock the secret key for
user: "Test Key"
3072-bit DSA key, ID CDFD0D80, created 2013-07-25
Please select what kind of key you want:
(3) DSA (sign only)
(4) RSA (sign only)
(5) Elgamal (encrypt only)
(6) RSA (encrypt only)
Your selection? 3
DSA keys may be between 1024 and 3072 bits long.
What keysize do you want? (2048) 3072
Requested keysize is 3072 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 20d
Key expires at 2013-08-15T01:56:58 CEST
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: WARNING: some OpenPGP programs can't handle a DSA key with this digest size
pub 3072D/CDFD0D80 created: 2013-07-25 expires: 2015-07-25 usage: SC
trust: ultimate validity: ultimate
sub 4096g/52C7F578 created: 2013-07-25 expires: 2013-08-08 usage: E
sub 3072D/FC9E4EAC created: 2013-07-25 expires: 2013-08-14 usage: S
[ultimate] (1). Test Key
Command> save
# basically following the debian-instructions here
# in real life, here could happen a change from offline to online environment
$ gpg2 --export CDFD0D80 > testkey.pub
$ gpg2 --export-secret-keys CDFD0D80 > testkey.prv
$ gpg2 --export-secret-subkeys 52C7F578! FC9E4EAC! > testkey.sub
$ gpg2 --delete-secret-keys CDFD0D80
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
sec 3072D/CDFD0D80 2013-07-25 Test Key
Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
# deletion has worked
$ gpg2 -k
/data/tmp/todel/gpghome-todelete/pubring.gpg
--------------------------------------------
pub 3072D/CDFD0D80 2013-07-25 [expires: 2015-07-25]
uid Test Key
sub 4096g/52C7F578 2013-07-25 [expires: 2013-08-08]
sub 3072D/FC9E4EAC 2013-07-25 [expires: 2013-08-14]
$ gpg2 -K
# importing also successful
$ gpg2 --import testkey.pub testkey.sub
gpg: key CDFD0D80: "Test Key" not changed
gpg: key CDFD0D80: secret key imported
gpg: key CDFD0D80: "Test Key" not changed
gpg: Total number processed: 2
gpg: unchanged: 2
gpg: secret keys read: 1
gpg: secret keys imported: 1
$ gpg2 -k
/data/tmp/todel/gpghome-todelete/pubring.gpg
--------------------------------------------
pub 3072D/CDFD0D80 2013-07-25 [expires: 2015-07-25]
uid Test Key
sub 4096g/52C7F578 2013-07-25 [expires: 2013-08-08]
sub 3072D/FC9E4EAC 2013-07-25 [expires: 2013-08-14]
$ gpg2 -K
/data/tmp/todel/gpghome-todelete/secring.gpg
--------------------------------------------
sec# 3072D/CDFD0D80 2013-07-25 [expires: 2015-07-25]
uid Test Key
ssb 4096g/52C7F578 2013-07-25
ssb 3072D/FC9E4EAC 2013-07-25
# now check whether thunderbird+enigmail works
$ thunderbird
$ #in thunderbird+enigmail I choose "0xCDFD0D80" for an email account
$ #(1) in compose window I select "OpenPGP/sign"
$ # and I have to enter the passphrase for "FC9E4EAC"
$ # email gets sent and arrives with
$ # "Good signature from Test Key \\Key ID: 0xCDFD0D80"
$ #(2) new email: this time check "OpenPGP/encrypt"
$ # and I get an OpenPGP Alert:
$ # "Send operation aborted. \\INV_RECP 0 0x782B2A766EE19DE0"
$ # email is not sent
- What does this last alert tell me?
- Does this approach make sense? (I'm thinking on the suggested
--expert --gen-key option, for example)
- How to add support for other email addresses but the same master
key? Creating sign/encrypt keys for each account?
- Additionally, something that I don't understand (or at least
expected differently) is that I only had to type the master key's
passphrase. What I want (if possible) is a long passphrase for the
master key, and a shorter passphrase for the subkeys (for convenience
in daily use, etc). What am I doing wrong or misunderstand?
Thanks for your help,
-- atair
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
