| 1 |
On Sun, 11 Jan 2015 20:55:29 -0500 |
| 2 |
Rich Freeman <rich0@g.o> wrote: |
| 3 |
|
| 4 |
> On Sun, Jan 11, 2015 at 8:34 PM, Brian Dolbec <dolsen@g.o> |
| 5 |
> wrote: |
| 6 |
|
| 7 |
> > I added a little more info to the First-Use wiki page, I included a |
| 8 |
> > link to a great webpage about setting up gpg keys. |
| 9 |
> > |
| 10 |
> > https://alexcabal.com/creating-the-perfect-gpg-keypair/ |
| 11 |
> > |
| 12 |
> > there are lots more, but I like that one, it is clear, concise,... |
| 13 |
> |
| 14 |
> From that site: By default GPG creates one signing subkey (your |
| 15 |
> identity) and one encryption subkey (how you receive messages intended |
| 16 |
> for you)...Use GPG to add an additional signing subkey to your |
| 17 |
> keypair. This new subkey is linked to the first signing key. Now we |
| 18 |
> have three subkeys. |
| 19 |
> |
| 20 |
> But, whatever. If we want a total of three keys in the key then I |
| 21 |
> don't really have a problem with that. I'm not sure what it buys you |
| 22 |
> other than lots of confusion about how to sign the right thing with |
| 23 |
> the right key. :) |
| 24 |
> |
| 25 |
|
| 26 |
|
| 27 |
Ok, the original text: |
| 28 |
|
| 29 |
1. Create a regular GPG keypair. By default GPG creates one signing |
| 30 |
subkey (your identity) and one encryption subkey (how you receive |
| 31 |
messages intended for you). |
| 32 |
|
| 33 |
|
| 34 |
That looks like a slight error in the authors wording. |
| 35 |
|
| 36 |
It create one primary key with signing, authorization capability, and a |
| 37 |
one encryption sub-key. |
| 38 |
|
| 39 |
When you add a signing subkey, that subkey then becomes the default key |
| 40 |
used for signing with. If you have more than one signing subkey, the |
| 41 |
default can be set in gnupg.conf without editing the key. Otherwise |
| 42 |
you must specify which key to sign with. It is much easier to |
| 43 |
revoke that signing subkey and add a new one, without the need to |
| 44 |
create an entirely new key, losing all the key signatures it is signed |
| 45 |
with. If you revoke a primary key, all subkeys it contains are revoked |
| 46 |
as well. In that article the author describes how to generate the |
| 47 |
subkeys and remove the original (master) keypair for installation on a |
| 48 |
laptop, desktop, etc. (separate subkeys for each machine) which may be |
| 49 |
stolen. You keep the original(master) keypair in a secure location (eg: |
| 50 |
bank safe deposit box, etc.) If the laptop is stolen, the thieves do not |
| 51 |
have access to modify the gpg keys (even if they have the password), |
| 52 |
and those specific subkeys can be easily revoked, without losing your |
| 53 |
entire gpg key and the signatures it has accumulated. Using your master |
| 54 |
keypair you generate new subkeys for installation on your replacement |
| 55 |
laptop, and continue... |
| 56 |
|
| 57 |
-- |
| 58 |
Brian Dolbec <dolsen> |
Archives