Re: Offline Primary Key
On Mon, 1 Mar 2010 22:13, ds...@jabberwocky.com said:

> someone else's key. The current design effectively forces people to
> manually move the valuable primary key out of the way before clobbering
> it with the subkey-only copy of the key.

Another important point is that if you want to use an offline key you should create that key offline and export the subkeys to the online box. Doing this on the same box is a bit questionable. To me an offline key is one created on a box which has never been and will never be connected to the net.

Shalom-Salam,

   Werner

-- 
Thoughts are free. Exceptions are regulated by a federal law.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: Offline Primary Key
Werner Koch wrote:
...
> Another important point is that if you want to use an offline key you
> should create that key offline and export the subkeys to the online box.
> Doing this on the same box is a bit questionable. To me an offline key
> is one created on a box which has never been and will never be
> connected to the net.

Well, but there may be some advantages in removing the primary key from the computer, maybe you generate it in your home computer (which you consider safe), and want to carry a copy of the subkeys in your laptop (which you are afraid of losing).

Best Regards
Re: Offline Primary Key
On Tuesday 02 March 2010, Faramir wrote:

> Werner Koch wrote:
> ...
> > Another important point is that if you want to use an offline key you
> > should create that key offline and export the subkeys to the online
> > box. Doing this on the same box is a bit questionable. To me an
> > offline key is one created on a box which has never been and will
> > never be connected to the net.
>
> Well, but there may be some advantages in removing the primary key from
> the computer, maybe you generate it in your home computer (which you
> consider safe), and want to carry a copy of the subkeys in your laptop
> (which you are afraid of losing).

If you are afraid of losing your laptop then you should use hard-disk encryption. In fact, you should use it even if you are not afraid of losing your laptop.

Regards,
Ingo
Offline Primary Key
I would like to keep the private portion of my primary key stored offline and use an expiring secondary key for day to day signing. To accomplish this I have tried backing up the key after creating the secondary signing key, then attempting to delete the private portion of the primary key from the key ring, but even when I explicitly specify the primary key ID to delete with --delete-primary-keys, the secondary private key is also removed.

How can I remove ONLY the private part of the primary key, and not the secondary key(s)?
Re: Offline Primary Key
On Mar 1, 2010, at 12:20 PM, Phillip Susi wrote:

> I would like to keep the private portion of my primary key stored
> offline and use an expiring secondary key for day to day signing. To
> accomplish this I have tried backing up the key after creating the
> secondary signing key, then attempting to delete the private portion of
> the primary key from the key ring, but even when I explicitly specify
> the primary key ID to delete with --delete-primary-keys, the secondary
> private key is also removed.
>
> How can I remove ONLY the private part of the primary key, and not the
> secondary key(s)?

What you need to do is an --export-secret-subkeys (there is no such command as --delete-primary-keys). So, starting from a state where your whole key (primary and all secondaries) are all imported to your GPG instance, do:

  gpg --export-secret-subkeys (thekeyid) > my-secondary-keys-only.gpg

Then import my-secondary-keys-only.gpg into whichever GPG you want to use it with. If you want to use it with the same one you just exported from, then do:

  gpg --export-secret-key (thekeyid) > my-real-secret-key.gpg
  gpg --delete-secret-key (thekeyid)
  gpg --import my-secondary-keys-only.gpg

(i.e. save a copy of the full key, delete it from the keyring, and replace it with the secondary-key-only copy). Make sure you save my-real-secret-key.gpg in a safe place!

Didn't someone write a nice HOWTO about offline private keys at one point? I thought there was one out there, but can't find it at the moment. Can anyone post the URL for Phillip?

David
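As an added example (not part of the thread and not the list members' own commands), this script runs the four steps above inside a throwaway GNUPGHOME on GnuPG 2.1 or later and then verifies the outcome: after the re-import, the primary secret key must be a stub (shown as `sec#` by `--list-secret-keys`) while the subkeys must still be usable. The user ID, the empty passphrase and the file names under the temporary home are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: runs the export/delete/import procedure
# in a throwaway GNUPGHOME and checks that only the primary became a stub.
# Assumes GnuPG 2.1+ (gpg, gpgconf) on PATH; key name and empty passphrase are constructed.
set -eu

# Non-interactive gpg: loopback pinentry with an empty passphrase (throwaway key only).
g() { gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"; }

demo_offline_primary() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not found, skipping" >&2; return 0; }
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    echo allow-loopback-pinentry > "$GNUPGHOME/gpg-agent.conf"
    # Constructed key: primary (cert+sign) plus an encryption subkey, never expiring.
    g --quick-generate-key "Offline Demo <demo@example.invalid>" default default never
    fpr=$(gpg --batch --with-colons --list-secret-keys | awk -F: '$1=="fpr"{print $10; exit}')
    # Step 1: subkey-only copy; the primary is written into this file as a stub.
    g --output "$GNUPGHOME/my-secondary-keys-only.gpg" --export-secret-subkeys "$fpr"
    # Step 2: full copy of the real secret key; this is the file that goes offline.
    g --output "$GNUPGHOME/my-real-secret-key.gpg" --export-secret-keys "$fpr"
    # Step 3: deleting by any ID of the key removes the whole secret key, primary and subkeys.
    g --delete-secret-keys "$fpr"
    # Step 4: put back only the subkeys.
    g --import "$GNUPGHOME/my-secondary-keys-only.gpg"
    # Check: in --with-colons output, field 15 of a sec/ssb record is "#" for a stub.
    primary=$(gpg --batch --with-colons --list-secret-keys "$fpr" | awk -F: '$1=="sec"{print $15}')
    subkeys=$(gpg --batch --with-colons --list-secret-keys "$fpr" | awk -F: '$1=="ssb"{print $15}')
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$GNUPGHOME"
    # Succeed only if the primary is a stub and no subkey is.
    [ "$primary" = "#" ] && ! echo "$subkeys" | grep -q '#'
}

demo_offline_primary && echo "primary secret key is a stub (sec#), subkeys still present"
```

The same `sec#` marker is the quick way to confirm on a day-to-day machine that the primary really is absent before the backup file is moved off the box.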
Re: Offline Primary Key
David Shaw wrote:

> Didn't someone write a nice HOWTO about offline private keys at one
> point? I thought there was one out there, but can't find it at the
> moment. Can anyone post the URL for Phillip?

Adrian von Bidder's page is the only one that memory serves up:

http://fortytwo.ch/gpg/subkeys

-- 
John P. Clizbe                      Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net
or mailto:pgp-public-k...@gingerbear.net?subject=help

Q:Just how do the residents of Haiku, Hawai'i hold conversations?
A:An odd melody / island voices on the winds / surplus of vowels
Re: Offline Primary Key
> Can anyone post the URL for Phillip?
>
> David

http://fortytwo.ch/gpg/subkeys
Re: Offline Primary Key
On 3/1/2010 1:57 PM, David Shaw wrote:

> What you need to do is an --export-secret-subkeys (there is no such
> command as --delete-primary-keys). So, starting from a state where your
> whole key (primary and all secondaries) are all imported to your GPG
> instance, do:

Yes, I meant --delete-secret-key

>   gpg --export-secret-subkeys (thekeyid) > my-secondary-keys-only.gpg
>
> Then import my-secondary-keys-only.gpg into whichever GPG you want to
> use it with. If you want to use it with the same one you just exported
> from, then do:
>
>   gpg --export-secret-key (thekeyid) > my-real-secret-key.gpg
>   gpg --delete-secret-key (thekeyid)
>   gpg --import my-secondary-keys-only.gpg
>
> (i.e. save a copy of the full key, delete it from the keyring, and
> replace it with the secondary-key-only copy).

This does the trick, but I still do not understand why --delete-secret-key removes BOTH the primary and subkey secrets when I specifically gave only the ID of the subkey? Shouldn't it remove exactly what I say and no more?
Re: Offline Primary Key
On Mar 1, 2010, at 2:59 PM, John Clizbe wrote:

> David Shaw wrote:
>
> > Didn't someone write a nice HOWTO about offline private keys at one
> > point? I thought there was one out there, but can't find it at the
> > moment. Can anyone post the URL for Phillip?
>
> Adrian von Bidder's page is the only one that memory serves up:
>
> http://fortytwo.ch/gpg/subkeys

Ah, thanks! I knew I remembered that it was out there, but just could not find it for some reason.

David
Re: Offline Primary Key
On Mar 1, 2010, at 3:31 PM, Phillip Susi wrote:

> On 3/1/2010 1:57 PM, David Shaw wrote:
>
> > What you need to do is an --export-secret-subkeys (there is no such
> > command as --delete-primary-keys). So, starting from a state where
> > your whole key (primary and all secondaries) are all imported to your
> > GPG instance, do:
>
> Yes, I meant --delete-secret-key
>
> >   gpg --export-secret-subkeys (thekeyid) > my-secondary-keys-only.gpg
> >
> > Then import my-secondary-keys-only.gpg into whichever GPG you want to
> > use it with. If you want to use it with the same one you just
> > exported from, then do:
> >
> >   gpg --export-secret-key (thekeyid) > my-real-secret-key.gpg
> >   gpg --delete-secret-key (thekeyid)
> >   gpg --import my-secondary-keys-only.gpg
> >
> > (i.e. save a copy of the full key, delete it from the keyring, and
> > replace it with the secondary-key-only copy).
>
> This does the trick, but I still do not understand why
> --delete-secret-key removes BOTH the primary and subkey secrets when I
> specifically gave only the ID of the subkey? Shouldn't it remove
> exactly what I say and no more?

It has to do with how keys are specified. In GnuPG, you can specify a key in a number of ways - by name, by (any) fingerprint, and by (any) key ID. So if you have a key named foobar, and the key ID is and the subkey ID is , you could refer to that key with any of foobar, , or . When you say --delete-secret-key BBB, you're actually saying delete the whole key.

David
Re: Offline Primary Key
On Mar 1, 2010, at 4:11 PM, Phillip Susi wrote:

> On 3/1/2010 3:37 PM, David Shaw wrote:
>
> > > This does the trick, but I still do not understand why
> > > --delete-secret-key removes BOTH the primary and subkey secrets
> > > when I specifically gave only the ID of the subkey? Shouldn't it
> > > remove exactly what I say and no more?
> >
> > It has to do with how keys are specified. In GnuPG, you can specify a
> > key in a number of ways - by name, by (any) fingerprint, and by (any)
> > key ID. So if you have a key named foobar, and the key ID is and the
> > subkey ID is , you could refer to that key with any of foobar, , or .
> > When you say --delete-secret-key BBB, you're actually saying delete
> > the whole key.
>
> Can this be overridden? I thought that is what the ! suffix was for,
> but it still deletes the whole thing.

Not for deletion. There is no way to delete a primary key in place while leaving the subkeys intact. Such an ability is very dangerous since if you delete that primary key without a backup, you'll never be able to make more subkeys, issue a revocation certificate, or sign someone else's key. The current design effectively forces people to manually move the valuable primary key out of the way before clobbering it with the subkey-only copy of the key.

David
Re: Offline Primary Key
On 3/1/2010 3:37 PM, David Shaw wrote:

> > This does the trick, but I still do not understand why
> > --delete-secret-key removes BOTH the primary and subkey secrets when
> > I specifically gave only the ID of the subkey? Shouldn't it remove
> > exactly what I say and no more?
>
> It has to do with how keys are specified. In GnuPG, you can specify a
> key in a number of ways - by name, by (any) fingerprint, and by (any)
> key ID. So if you have a key named foobar, and the key ID is and the
> subkey ID is , you could refer to that key with any of foobar, , or .
> When you say --delete-secret-key BBB, you're actually saying delete the
> whole key.

Can this be overridden? I thought that is what the ! suffix was for, but it still deletes the whole thing.
Re: Offline Primary Key
David Shaw wrote:
...
> Didn't someone write a nice HOWTO about offline private keys at one
> point? I thought there was one out there, but can't find it at the
> moment. Can anyone post the URL for Phillip?

http://tjl73.altervista.org/secure_keygen/en/index.html

Best Regards
Re: How to use an offline primary key
Sven Radde wrote:

> I thought that I would simply 'include' the primary key by adding
> --secret-keyring secring2.gpg whenever I need it for these kinds of
> operations, but GnuPG complains about missing parts of the secret key
> regardless of whether this option is present or not.

AFAIK, GnuPG will take the first version of the key it finds. The first version of the key (primary and subkeys) is in your default keyring, with only a stub primary. You could try something like

  --no-default-keyrings --secret-keyring secring2.gpg --public-keyring pubring2.gpg --secret-keyring secring.gpg --public-keyring pubring.gpg

where secring.gpg/pubring.gpg are your default keyrings. By exchanging the order of the keyrings, hopefully this will mean it looks for the key in secring2.gpg first, where the primary key is included too.

I haven't tried it myself, though.

Good luck,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at http://wwwhome.cs.utwente.nl/~lebbing/pubkey.txt
(new, larger key created on Nov 12, 2009)
Re: How to use an offline primary key
Hi list,

I wish a great 2010 year for everybody!

On Sat, Jan 2, 2010 at 11:09 AM, Sven Radde em...@sven-radde.de wrote:

> Hello GnuPG-Users!
>
> With a new year comes a new keypair and this time I tried to use
> subkeys to separate my secret primary key from the day-to-day
> encryption/signing keys.

Concerning Sven's statement about his primary key's secrecy, and something David Shaw explained to me a while ago, I ask you: is it possible to have a totally secret digital signature primary key? I mean, part of it will be inevitably public, won't it?

Regards,

Marcio Barbado, Jr.
Re: How to use an offline primary key
Hi!

Peter Lebbing wrote:

> By exchanging the order of the keyrings, hopefully this will mean it
> looks for the key in secring2.gpg first, where the primary key is
> included too.

Works fine for certifying other people's keys, thank you!

However, since all updates to my key would be done to secring2 and pubring2 in this case, I think I would have to re-export/import from the offline keyring to the online keyring every time I do things like changing preferences, setting expiry dates, adding new subkeys etc. But this is really just a very minor inconvenience and I will see whether I can do with secring, secring2 and a single shared pubring...

cu, Sven
Re: OpenPGP smartcard with offline primary key
Jan Niehusmann wrote:

> Isn't this exactly the approach described in the thread "Clarification
> on purpose of subordinate keys" two days ago? There was a very nice
> step-by-step description posted by Dirk Traulsen.

You're right. I already knew the purpose, but the thread clarified this special configuration too!

Thanks,
-- 
Peter L. Smilde