Hi, I'm developing a key management solution for an organization. For an employee, I'd like to generate two keys: one for signing and the other for encryption. In my proposed solution, the encryption key should be backed up on an organizational central server for auditing purposes, and the signing key is only accessible to a user without being saved in another location. This means that I have to separate the encryption key from the signing key.

However, current GPG makes the signing key the master key and the encryption key the subkey. The PGP standard seems not to allow transferring a single subkey (RFC4880 Section 11) because it is always preceded by the master key. I tried to export an encryption subkey only with GPG2, but importing the subkey also lists the primary key. The man page of --export-secret-subkeys reads:

    The second form of the command has the special property to render the secret part of the primary key useless; this is a GNU extension to OpenPGP and other implementations cannot be expected to successfully import such a key. Its intended use is to generate a full key with an additional signing subkey on a dedicated machine and then using this command to export the key without the primary key to the main machine.

This means that although the primary key is imported and listed, it is not usable. Has anyone had experience with this and been able to confirm it?

I'm also thinking about making two separate master keys; doing so seems to let me avoid the confusion of master keys and subkeys and make the solution more portable across different implementations. What's your opinion?

--
Thanks,
Lou
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
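The following script is an added example and is not part of Lou's post or of the GnuPG project. It reproduces the situation described above on one host using two throwaway GNUPGHOME directories standing in for the "dedicated machine" and the "main machine": a signing-only primary key with an encryption-only subkey is generated in the first, `--export-secret-subkeys` is imported into the second, and helper functions then check that the primary there is listed only as a stub that cannot sign, while the encryption subkey still decrypts. It assumes GnuPG 2.x is on PATH; the user ID is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the original post or from GnuPG itself. It shows what
# Lou observed: after importing the output of `gpg --export-secret-subkeys`, the
# primary key is still listed, but its secret part is a stub ("sec#") that cannot
# sign, while the encryption subkey remains fully usable for decryption.
# Assumes GnuPG 2.x on PATH. All key material is generated in throwaway
# directories; the user ID below is a constructed placeholder.
set -e

NAME_REAL="Example Employee"            # constructed placeholder
NAME_EMAIL="employee@example.invalid"   # constructed placeholder

# Fresh, isolated GnuPG home so the real keyring is never touched.
make_home() {
  dir=$(mktemp -d)
  chmod 700 "$dir"
  printf '%s' "$dir"
}

# Primary key restricted to signing, plus a separate encryption-only subkey.
# %no-protection keeps the run unattended; prints the primary fingerprint.
generate_key() {
  home=$1
  cat >"$home/params" <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 2048
Subkey-Usage: encrypt
Name-Real: $NAME_REAL
Name-Email: $NAME_EMAIL
Expire-Date: 0
%commit
EOF
  GNUPGHOME="$home" gpg --batch --quiet --gen-key "$home/params" 2>/dev/null
  GNUPGHOME="$home" gpg --batch --with-colons --list-secret-keys \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Export the secret subkey(s) only; the primary's secret part becomes a GNU stub.
export_enc_subkey() {
  GNUPGHOME="$1" gpg --batch --armor --export-secret-subkeys "$2"
}

import_key() {
  GNUPGHOME="$1" gpg --batch --quiet --import "$2" 2>/dev/null
}

# Succeeds when the listed primary secret key is a stub: in --with-colons output
# the "sec" record carries "#" in field 15 (the human-readable listing shows "sec#").
primary_is_stub() {
  GNUPGHOME="$1" gpg --batch --with-colons --list-secret-keys \
    | awk -F: '$1 == "sec" && $15 == "#" { found = 1 } END { exit found ? 0 : 1 }'
}

# Succeeds when a signature can be made with the given key in this home.
can_sign() {
  printf 'audit record\n' \
    | GNUPGHOME="$1" gpg --batch --quiet --yes --local-user "$2" --sign -o /dev/null 2>/dev/null
}

# Succeeds when a message encrypted to the key decrypts in this home, i.e. the
# encryption subkey's secret material is present and usable.
can_decrypt() {
  printf 'confidential payload\n' \
    | GNUPGHOME="$1" gpg --batch --quiet --trust-model always -r "$2" --encrypt 2>/dev/null \
    | GNUPGHOME="$1" gpg --batch --quiet --decrypt 2>/dev/null | grep -q 'confidential payload'
}

# Stop the per-home agent (gpg 2.1+ starts one per GNUPGHOME) and remove the directory.
cleanup_home() {
  gpgconf --homedir "$1" --kill gpg-agent 2>/dev/null || true
  rm -rf "$1"
}

# Walk-through when run directly: H1 is the dedicated machine, H2 the main machine.
demo() {
  H1=$(make_home); H2=$(make_home)
  FPR=$(generate_key "$H1")
  export_enc_subkey "$H1" "$FPR" >"$H1/enc-subkey.asc"
  import_key "$H2" "$H1/enc-subkey.asc"
  echo "dedicated machine: primary stub = $(primary_is_stub "$H1" && echo yes || echo no)"
  echo "main machine:      primary stub = $(primary_is_stub "$H2" && echo yes || echo no)"
  echo "main machine can sign:    $(can_sign "$H2" "$FPR" && echo yes || echo no)"
  echo "main machine can decrypt: $(can_decrypt "$H2" "$FPR" && echo yes || echo no)"
  cleanup_home "$H1"; cleanup_home "$H2"
}

if command -v gpg >/dev/null 2>&1; then
  demo
fi
```

The thing to look for after the import is the `#` after `sec` in `gpg --list-secret-keys` (field 15 of the `sec` record in `--with-colons` output): that marks the GNU "dummy" S2K stub that replaces the primary's secret material, which is the GNU extension the man page warns other OpenPGP implementations may not import.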