Switching from one GnuPG master key to the usage of subkeys was long on my list of things I wanted to do, but I never got around to it. With the advent of a YubiKey NEO in my pocket I finally took the plunge: reading through lots of web pages (and adding one here for confusion), trying to understand the procedures, and above all, understanding my own requirements! To sum up a long story, it was worth the plunge, and all over the security level of my working environment has improved considerably.

While the advantages of subkeys are well documented (e.g., Debian Wiki), at the end of the day I was – like probably many Debian Developers – using one master key for every action: mail decryption and signing, signing of uploads, etc. Traveling a lot, I always felt uncomfortable. Despite a lengthy passphrase, I still didn't want my master key to get into the wrong hands in case the laptop got stolen. Furthermore, I had my master key on several computers (work, laptop, mail server), which didn't help a lot either.

Gpg mail vs Offline

With all this, I started to compile a list of requirements/objectives I wanted to have:

- master key is only available on offline medium (USB sticks).
- subkeys for signing, encryption, authentication.
- possibility to sign and decrypt my emails on the server where I read emails (ssh/mutt).
- laptop does not contain any keys, instead use Yubikey.
- mixture of gpg versions: local laptop: gpg2.1, mail server: gpg1.

Preparation

Warning: Before we start, a word of caution – make backups; best is to make backups at every stage. You don't want an erroneous operation to wipe out your precious keys without a backup!

In the following I will assume that the MASTERKEY environment variable contains the id of the master key to be converted. Furthermore, I have followed some of the advice here, so key ids will be shown in long format. Let us start with the current situation:

$ gpg -K $MASTERKEY

In the following we will go through the following steps: