How to have a different pass phrase for a gpg subkey?
I need to automate a deployment process and the tool will sign the release artifacts automatically. My key ring has a primary key which I use only for creating subkeys, and two subkeys. One subkey for signing and one for encryption.
Currently there is single pass phrase for all the keys. I don't want to specify this pass phrase in a configuration file as that would risk the primary key as well.
So I thought I'd set a different pass phrase for the subkey by doing:
$ gpg --edit-key [subkey-id]
gpg> passwd
gpg> save
But this changed the pass phrase for other keys as well.
How can I set a separate pass phrase for individual keys?
Setting up individual passphrases for subkeys is not possible with GnuPG. But there's a workaround, which even looks like a good-practice idea in this case:
- Export the subkey of choice (in the example, the subkey has ID 0xDEADBEEF). Don't forget the exclamation mark, it makes sure GnuPG actually works with the subkey itself and not with the primary key it belongs to!
  gpg --export-secret-subkeys 0xDEADBEEF! >subkeys.pgp
  The subkey will have the public primary key and a private primary "key-stub" attached, but not the private primary key itself.
- Import the subkey to another GnuPG home directory. The example expects you're in your project root directory and have a folder etc for stuff like this keyring in there.
  gpg --homedir ./etc/gnupg --import subkeys.pgp
- Change the passphrase of the separated subkey.
  gpg --homedir ./etc/gnupg --edit-key 0xDEADBEEF
  Instead of using your "normal" keyring, always refer to the separate GnuPG directory as mentioned above.
As an alternative, you might want to consider creating a project key which you sign with your own key. This might have the advantage that other contributors/users could also sign the key (and thus certify that this indeed is the key used for the project), and handing over the project might be easier in case somebody else will take over maintenance.
A very out of date (2013) gnupg.org mail archive explains an awkward workaround for making a separate password for a subkey.
It implies the constraint is not within the data structure of the key set (i.e. the master-subkey grouping) but only in the software interface for constructing and modifying the key set.
A quote from the reference:
Hi,
is it possible to have a master key and several subkeys with the subkeys having a different (e.g. shorter) passphrase than the master key?
What you are probably looking for is an offline mainkey (see --export-secret-subkeys). But the answer is: yes. gpg-agent does not care about the connection of keys. It asks you even for the same passphrase several times (for different components of the same key).
But GnuPG does not support this directly.
1) Export the secret key (--export-secret-keys without --armor)
2) change the passphrase
3) Export again (to a different file, of course)
4) Use gpgsplit on both files (in different directories). The result looks like this:
000001-005.secret_key
000002-013.user_id
000003-002.sig
000004-007.secret_subkey
000005-002.sig
5) Now you mix the components of the two groups:
mkdir combined
mv a/000001* a/000002* a/000003* combined/
mv b/000004* b/000005* combined/
cd combined/
cat * > different_passphrases.gpg
6) Delete the key from secring: --delete-secret-key
7) Import the new one: gpg --import different_passphrases.gpg
Hauke Laging
I have not personally confirmed this operation - just reporting what I have read.
The lack of specification and discussion in GnuPG documentation concerning this important topic is disappointing.
Even if this question is quite old, I want to share a solution for this problem, which I came across, too.
Problem: I wanted to have a separate passphrase for the primary key, which I use only for certifying/creating [C] other sub keys, and the attached sub keys [S,E,A].
At the beginning there is only one passphrase for all the keys, i.e. primary and sub keys.
What I did was to backup the master key to a different location by issuing:
$ gpg --list-secret-keys --with-keygrip
which showed me the keygrip (filename of the key under ~/.gnupg/private-keys-v1.d/<your-keygrip>.key) of the master key.
I then moved that keyfile (and the corresponding revocation certificate) to a different backup-location, and finally removed the key from ~/.gnupg/private-keys-v1.d/<your-keygrip>.key.
(Revocation certificate is under ~/.gnupg/openpgp-revocs.d/<your-keygrip>.rev)
After issuing gpg --list-secret-keys I could see sec# on the primary key, which indicates that the key is not present anymore:
sec# rsa4096/0x123123123123123 2018-02-01 [C] [expires: 2019-02-01]
Key fingerprint = 123 123 123 123 123 123 123 123 123 123
Now I just edited that key:
gpg --edit-key <your-key-id>
gpg> passwd
gpg> save
This will ask for the passphrase on each sub key, and lets you change it then.
In the end, I have a (simpler) passphrase for my sub keys, while my primary key is stored offsite, secured by the initial (stronger) passphrase.
Edit: Be aware that this only works with GnuPG 2.1 and newer! With older GnuPG versions, you'll have to export all your keys (primary + sub), delete them and then re-import just the sub keys. Only from version 2.1 on can the primary key be deleted alone!
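The following script is an added example and is not part of the question or of any of the answers above. It automates the two GnuPG 2.1+ approaches the page describes: the first answer's export of a single subkey (with the trailing "!") into a separate home directory for the deployment tool, and the last answer's removal of the primary key's file from private-keys-v1.d so that passwd only touches the subkeys. Instead of reading the human-readable listing, it parses the --with-colons output (where the grp record after sec/ssb carries the keygrip in field 10) so that the primary keygrip is found reliably; the revocation certificate is located by the primary fingerprint, which is what GnuPG actually names it after in openpgp-revocs.d. All key IDs, keygrips, fingerprints, user IDs, directory names and passphrases are constructed, the sample listing is constructed, and the script assumes gpg-agent allows the loopback pinentry (the default since 2.1.12). The passphrase change itself (gpg --edit-key ... passwd) stays interactive, as in the answers, so the demo prints that command rather than running it.

```shell
#!/bin/sh
# Added example, not from the question or any of the answers above. It scripts
# the two GnuPG >= 2.1 approaches described on this page: copying only an
# exported subkey into a separate home directory (first answer) and moving the
# primary key's file out of the keyring so that "passwd" only touches the
# subkeys (last answer). All key IDs, keygrips, fingerprints, user IDs,
# directories and passphrases below are constructed values.
set -eu

# Constructed `gpg --with-colons --with-keygrip --list-secret-keys` listing:
# a [C] primary key, then a signing and an encryption subkey. The "grp" record
# after each "sec"/"ssb" record holds that key's keygrip in field 10, which is
# also its file name under private-keys-v1.d/; the "fpr" record after "sec"
# holds the primary fingerprint, after which GnuPG names the revocation
# certificate in openpgp-revocs.d/.
sample_listing='sec:u:4096:1:0123456789ABCDEF:1517443200:1549065600::u:::cESC:::+:::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
grp:::::::::AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111:
uid:u::::1517443200::0000000000000000000000000000000000000000::Release Bot <release@example.invalid>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1517443200:1549065600:::::s:::+:::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
grp:::::::::BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222:
ssb:u:4096:1:1122334455667788:1517443200:1549065600:::::e:::+:::23:
fpr:::::::::1122334455667788112233445566778811223344:
grp:::::::::CCCC3333CCCC3333CCCC3333CCCC3333CCCC3333:'

# Keygrip of the primary key, read from a colon listing on stdin.
primary_keygrip() {
    awk -F: '$1 == "sec" { p = 1; next }
             $1 == "ssb" { p = 0; next }
             $1 == "grp" && p { print $10; exit }'
}

# Fingerprint of the primary key, read from a colon listing on stdin.
primary_fingerprint() {
    awk -F: '$1 == "sec" { p = 1; next }
             $1 == "ssb" { p = 0; next }
             $1 == "fpr" && p { print $10; exit }'
}

# Long key IDs (field 5 of each "ssb" record) of all subkeys, one per line.
subkey_ids() {
    awk -F: '$1 == "ssb" { print $5 }'
}

# First answer: put one subkey into its own home directory. The trailing "!"
# selects exactly that subkey, so the primary key only comes along as a stub.
# Export and import both need the current passphrase; it is taken from the
# environment variable GPG_PASSPHRASE through the loopback pinentry.
export_subkey_to_homedir() {
    srchome=$1 subkeyid=$2 dsthome=$3
    mkdir -p "$dsthome" && chmod 700 "$dsthome"
    gpg --homedir "$srchome" --batch --pinentry-mode loopback \
        --passphrase "$GPG_PASSPHRASE" --export-secret-subkeys "$subkeyid!" |
    gpg --homedir "$dsthome" --batch --pinentry-mode loopback \
        --passphrase "$GPG_PASSPHRASE" --import
}

# Last answer: move the primary key file (and the revocation certificate, if
# GnuPG created one) from HOMEDIR to BACKUPDIR. Afterwards the listing shows
# "sec#" and `--edit-key ... passwd` asks only for the subkeys' passphrase.
take_primary_offline() {
    homedir=$1 backupdir=$2
    listing=$(gpg --homedir "$homedir" --batch --with-colons --with-keygrip --list-secret-keys)
    grip=$(printf '%s\n' "$listing" | primary_keygrip)
    fpr=$(printf '%s\n' "$listing" | primary_fingerprint)
    [ -n "$grip" ] || { echo "no primary secret key in $homedir" >&2; return 1; }
    mkdir -p "$backupdir" && chmod 700 "$backupdir"
    mv "$homedir/private-keys-v1.d/$grip.key" "$backupdir/"
    if [ -f "$homedir/openpgp-revocs.d/$fpr.rev" ]; then
        mv "$homedir/openpgp-revocs.d/$fpr.rev" "$backupdir/"
    fi
    printf 'primary key %s moved to %s\n' "$grip" "$backupdir"
}

# Throwaway end-to-end run (`sh split-keyring.sh demo`): generates a [C]
# primary with one signing subkey, applies both approaches and shows the
# resulting "sec#" lines. Nothing here touches ~/.gnupg.
demo() {
    work=$(mktemp -d)
    home=$work/gnupg; mkdir -m 700 "$home"
    export GPG_PASSPHRASE=constructed-test-passphrase
    gpg --homedir "$home" --batch --pinentry-mode loopback --passphrase "$GPG_PASSPHRASE" \
        --quick-generate-key "Release Bot <release@example.invalid>" rsa2048 cert never
    fpr=$(gpg --homedir "$home" --batch --with-colons --list-secret-keys | primary_fingerprint)
    gpg --homedir "$home" --batch --pinentry-mode loopback --passphrase "$GPG_PASSPHRASE" \
        --quick-add-key "$fpr" rsa2048 sign never
    for id in $(gpg --homedir "$home" --batch --with-colons --list-secret-keys | subkey_ids); do
        export_subkey_to_homedir "$home" "$id" "$work/deploy-gnupg"
    done
    take_primary_offline "$home" "$work/primary-backup"
    gpg --homedir "$work/deploy-gnupg" --list-secret-keys | grep '^sec#'
    gpg --homedir "$home" --list-secret-keys | grep '^sec#'
    echo "change the subkeys' passphrase with: gpg --homedir $work/deploy-gnupg --edit-key $fpr passwd"
    echo "remove $work when done"
}

if [ "${1-}" = demo ]; then demo; fi
```

Two practical points follow from the script. The deployment tool should only ever be pointed at the separate home directory (deploy-gnupg above), which contains the subkey and a stub, so a leaked configuration file exposes the subkey passphrase but never the primary key. And passing the current passphrase through an environment variable with --pinentry-mode loopback is acceptable for the one-off migration on an operator's machine, but it is exactly what the question wants to avoid in production, so run the demo locally and move only the resulting deploy-gnupg directory to the build host.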