Re: Offline Primary Key

2010-03-02 Thread Werner Koch
On Mon,  1 Mar 2010 22:13, ds...@jabberwocky.com said:

 someone else's key.  The current design effectively forces people to
 manually move the valuable primary key out of the way before
 clobbering it with the subkey-only copy of the key.

Another important point is that if you want to use an offline key you
should create that key offline and export the subkeys to the online box.
Doing this on the same box is a bit questionable.  To me an offline key
is one created on a box which has never been and will never be connected
to the net.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.  (Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.)


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: Offline Primary Key

2010-03-02 Thread Faramir

Werner Koch wrote:
...
 Another important point is that if you want to use an offline key you
 should create that key offline and export the subkeys to the online box.
 Doing this on the same box is a bit questionable.  To me an offline key
 is one created on a box which has never been and will never be connected
 to the net.

  Well, but there may be some advantages in removing the primary key
from the computer, maybe you generate it in your home computer (which
you consider safe), and want to carry a copy of the subkeys in your
laptop (which you are afraid of losing).

  Best Regards



Re: Offline Primary Key

2010-03-02 Thread Ingo Klöcker
On Tuesday 02 March 2010, Faramir wrote:
 Werner Koch wrote:
 ...
 
  Another important point is that if you want to use an offline key
  you should create that key offline and export the subkeys to the
  online box. Doing this on the same box is a bit questionable.  To
  me an offline key is one created on a box which has never been and
  will never be connected to the net.
 
   Well, but there may be some advantages in removing the primary key
 from the computer, maybe you generate it in your home computer (which
 you consider safe), and want to carry a copy of the subkeys in your
 laptop (which you are afraid of losing).

If you are afraid of losing your laptop then you should use hard-disk 
encryption. In fact, you should use it even if you are not afraid of 
losing your laptop.


Regards,
Ingo




Re: Offline Primary Key

2010-03-01 Thread David Shaw
On Mar 1, 2010, at 12:20 PM, Phillip Susi wrote:

 I would like to keep the private portion of my primary key stored offline and 
 use an expiring secondary key for day to day signing.  To accomplish this I 
 have tried backing up the key after creating the secondary signing key, then 
 attempting to delete the private portion of the primary key from the key 
 ring, but even when I explicitly specify the primary key ID to delete with 
 --delete-primary-keys, the secondary private key is also removed.
 
 How can I remove ONLY the private part of the primary key, and not the 
 secondary key(s)?

What you need to do is an --export-secret-subkeys (there is no such command as 
--delete-primary-keys).  So, starting from a state where your whole key 
(primary and all secondaries) is imported to your GPG instance, do:

   gpg --export-secret-subkeys (thekeyid) > my-secondary-keys-only.gpg

Then import my-secondary-keys-only.gpg into whichever GPG you want to use it 
with.  If you want to use it with the same one you just exported from, then do:

  gpg --export-secret-key (thekeyid) > my-real-secret-key.gpg
  gpg --delete-secret-key (thekeyid)
  gpg --import my-secondary-keys-only.gpg

(i.e. save a copy of the full key, delete it from the keyring, and replace it 
with the secondary-key-only copy).

Make sure you save my-real-secret-key.gpg in a safe place!

Didn't someone write a nice HOWTO about offline private keys at one point?  I 
thought there was one out there, but can't find it at the moment.  Can anyone 
post the URL for Philip?

David


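The procedure David describes above, run end to end as an added example (this is not code from the thread, from the linked HOWTOs, or from GnuPG itself). It works in a throwaway GNUPGHOME so nothing touches a real keyring, and it finishes with the check a practitioner wants: after the subkey-only copy is imported, GnuPG lists the primary as a stub (sec#) while the signing subkey is still usable. Assumptions: GnuPG 2.1 or later (there, batch-mode deletion of a secret key needs --yes and the full fingerprint); the user ID, file names and directories are made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread: David Shaw's procedure run end to end
# in a throwaway GNUPGHOME, followed by the check that the primary secret key
# is now a stub while the signing subkey's secret material is still present.
# Assumptions: GnuPG 2.1 or later; the user ID, file names and directories
# below are made up for the example.
set -eu

# Create a certify-only primary key plus one signing subkey in the current
# GNUPGHOME, unprotected so the run needs no pinentry. Prints the primary
# fingerprint.
make_demo_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "Offline Demo <demo@example.invalid>" ed25519 cert 1y >/dev/null
    fpr=$(gpg --batch --with-colons --list-keys | awk -F: '$1 == "fpr" { print $10; exit }')
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-add-key "$fpr" ed25519 sign 1y >/dev/null
    printf '%s\n' "$fpr"
}

# The four steps from the thread, in order. The full-key export is the copy
# that must go somewhere safe (offline media in real use, not this temp dir).
# GnuPG cannot delete a primary in place, so the whole secret key is deleted
# and the subkey-only copy imported in its place. In batch mode GnuPG 2.x
# only deletes a secret key when given --yes and the full fingerprint.
split_off_primary() {
    fpr=$1
    outdir=$2
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --export-secret-keys "$fpr" > "$outdir/my-real-secret-key.gpg"
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --export-secret-subkeys "$fpr" > "$outdir/my-secondary-keys-only.gpg"
    gpg --batch --yes --delete-secret-keys "$fpr"
    gpg --batch --quiet --import "$outdir/my-secondary-keys-only.gpg"
}

# The check. In --with-colons output, field 15 of a sec/ssb record is '#'
# when that key's secret material is absent (the human-readable listing
# shows this as "sec#"). The wanted end state is a stub primary and no
# stub subkeys. Prints primary-present, subkey-stub, primary-offline or no-key.
primary_state() {
    gpg --batch --with-colons --list-secret-keys | awk -F: '
        $1 == "sec" { if ($15 == "#") stub = 1; else present = 1 }
        $1 == "ssb" { if ($15 == "#") subkey_stub = 1 }
        END {
            if (present)          print "primary-present"
            else if (subkey_stub) print "subkey-stub"
            else if (stub)        print "primary-offline"
            else                  print "no-key"
        }'
}

# Whole run in a temporary home: state before, the split, state after.
# Prints e.g. "primary-present primary-offline".
run_demo() {
    demo=$(mktemp -d)
    GNUPGHOME=$demo/home
    export GNUPGHOME
    mkdir -p "$GNUPGHOME"
    chmod 700 "$GNUPGHOME"
    fpr=$(make_demo_key)
    before=$(primary_state)
    split_off_primary "$fpr" "$demo"
    after=$(primary_state)
    gpgconf --kill all 2>/dev/null || true
    rm -rf "$demo"
    printf '%s %s\n' "$before" "$after"
}

# Only run when gpg is installed, so the script is harmless elsewhere.
if command -v gpg >/dev/null 2>&1; then
    run_demo
fi
```

Run it as `sh offline-primary.sh`; it prints `primary-present primary-offline` on success. On a real keyring the same check is `gpg -K`: the primary line should read `sec#` and the subkey lines `ssb`. Ingo's and Werner's points in the thread still apply to the full export: it belongs on encrypted offline media, not next to the working keyring.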


Re: Offline Primary Key

2010-03-01 Thread John Clizbe
David Shaw wrote:
 
 Didn't someone write a nice HOWTO about offline private keys at one point? I
 thought there was one out there, but can't find it at the moment. Can anyone
 post the URL for Philip?
 

Adrian von Bidder's page is the only one that memory serves up:
http://fortytwo.ch/gpg/subkeys

-- 
John P. Clizbe  Inet:John (a) Mozilla-Enigmail.org
You can't spell fiasco without SCO. hkp://keyserver.gingerbear.net  or
 mailto:pgp-public-k...@gingerbear.net?subject=help

Q:Just how do the residents of Haiku, Hawai'i hold conversations?
A:An odd melody / island voices on the winds / surplus of vowels





Re: Offline Primary Key

2010-03-01 Thread Grant Olson

 
  Can anyone post the URL for Philip?
 
 David
 

http://fortytwo.ch/gpg/subkeys





Re: Offline Primary Key

2010-03-01 Thread Phillip Susi

On 3/1/2010 1:57 PM, David Shaw wrote:

What you need to do is an --export-secret-subkeys (there is no such command as 
--delete-primary-keys).  So, starting from a state where your whole key 
(primary and all secondaries) is imported to your GPG instance, do:


Yes, I meant --delete-secret-key


gpg --export-secret-subkeys (thekeyid) > my-secondary-keys-only.gpg

Then import my-secondary-keys-only.gpg into whichever GPG you want to use it 
with.  If you want to use it with the same one you just exported from, then do:

   gpg --export-secret-key (thekeyid) > my-real-secret-key.gpg
   gpg --delete-secret-key (thekeyid)
   gpg --import my-secondary-keys-only.gpg

(i.e. save a copy of the full key, delete it from the keyring, and replace it 
with the secondary-key-only copy).


This does the trick, but I still do not understand why 
--delete-secret-key removes BOTH the primary and subkey secrets when I 
specifically gave only the ID of the subkey?  Shouldn't it remove 
exactly what I say and no more?




Re: Offline Primary Key

2010-03-01 Thread David Shaw
On Mar 1, 2010, at 2:59 PM, John Clizbe wrote:

 David Shaw wrote:
 
 Didn't someone write a nice HOWTO about offline private keys at one point? I
 thought there was one out there, but can't find it at the moment. Can anyone
 post the URL for Philip?
 
 
 Adrian von Bidder's page is the only one that memory serves up:
 http://fortytwo.ch/gpg/subkeys

Ah, thanks!  I knew I remembered that it was out there, but just could not find 
it for some reason.

David


Re: Offline Primary Key

2010-03-01 Thread David Shaw
On Mar 1, 2010, at 3:31 PM, Phillip Susi wrote:

 On 3/1/2010 1:57 PM, David Shaw wrote:
 What you need to do is an --export-secret-subkeys (there is no such command 
 as --delete-primary-keys).  So, starting from a state where your whole key 
 (primary and all secondaries) is imported to your GPG instance, do:
 
 Yes, I meant --delete-secret-key
 
gpg --export-secret-subkeys (thekeyid) > my-secondary-keys-only.gpg
 
 Then import my-secondary-keys-only.gpg into whichever GPG you want to use it 
 with.  If you want to use it with the same one you just exported from, then 
 do:
 
   gpg --export-secret-key (thekeyid) > my-real-secret-key.gpg
   gpg --delete-secret-key (thekeyid)
   gpg --import my-secondary-keys-only.gpg
 
 (i.e. save a copy of the full key, delete it from the keyring, and replace 
 it with the secondary-key-only copy).
 
 This does the trick, but I still do not understand why --delete-secret-key 
 removes BOTH the primary and subkey secrets when I specifically gave only the 
 ID of the subkey?  Shouldn't it remove exactly what I say and no more?

It has to do with how keys are specified.  In GnuPG, you can specify a key in a 
number of ways - by name, by (any) fingerprint, and by (any) key ID.  So if you 
have a key named foobar, and the key ID is  and the subkey ID is 
, you could refer to that key with any of foobar, , or 
.  When you say --delete-secret-key BBB, you're actually saying 
delete the whole key.

David




Re: Offline Primary Key

2010-03-01 Thread David Shaw
On Mar 1, 2010, at 4:11 PM, Phillip Susi wrote:

 On 3/1/2010 3:37 PM, David Shaw wrote:
 This does the trick, but I still do not understand why
 --delete-secret-key removes BOTH the primary and subkey secrets
 when I specifically gave only the ID of the subkey?  Shouldn't it
 remove exactly what I say and no more?
 
 It has to do with how keys are specified.  In GnuPG, you can specify
 a key in a number of ways - by name, by (any) fingerprint, and by
 (any) key ID.  So if you have a key named foobar, and the key ID is
  and the subkey ID is , you could refer to that key
 with any of foobar, , or .  When you say
 --delete-secret-key BBB, you're actually saying delete the
 whole key.
 
 
 Can this be overridden?  I thought that is what the ! suffix was for,
 but it still deletes the whole thing.

Not for deletion.  There is no way to delete a primary key in place while 
leaving the subkeys intact.  Such an ability is very dangerous since if you 
delete that primary key without a backup, you'll never be able to make more 
 subkeys, issue a revocation certificate, or sign someone else's key.  The 
current design effectively forces people to manually move the valuable primary 
key out of the way before clobbering it with the subkey-only copy of the key.

David




Re: Offline Primary Key

2010-03-01 Thread Phillip Susi

On 3/1/2010 3:37 PM, David Shaw wrote:

This does the trick, but I still do not understand why
--delete-secret-key removes BOTH the primary and subkey secrets
when I specifically gave only the ID of the subkey?  Shouldn't it
remove exactly what I say and no more?


It has to do with how keys are specified.  In GnuPG, you can specify
a key in a number of ways - by name, by (any) fingerprint, and by
(any) key ID.  So if you have a key named foobar, and the key ID is
 and the subkey ID is , you could refer to that key
with any of foobar, , or .  When you say
--delete-secret-key BBB, you're actually saying delete the
whole key.



Can this be overridden?  I thought that is what the ! suffix was for,
but it still deletes the whole thing.



Re: Offline Primary Key

2010-03-01 Thread Faramir

David Shaw wrote:
...
 Didn't someone write a nice HOWTO about offline private keys at one point?  I 
 thought there was one out there, but can't find it at the moment.  Can anyone 
 post the URL for Philip?

  http://tjl73.altervista.org/secure_keygen/en/index.html

  Best Regards