[Durham] GPG with multiple devices

Oliver Burnett-Hall olly at burnett-hall.co.uk
Wed Aug 20 21:26:45 UTC 2014

Does anyone know much about GPG/PGP? I'd appreciate a bit of advice.

I'm wanting to set up a new GPG key for myself (I lost the passphrase
and private key for my previous one a long time ago), and I have been
wondering how it is best to manage keys with multiple devices --
desktop computers, laptops, mobile phones and tablets. Ideally I'd be
able to use GPG on all devices rather than having to use a single one
for all authentication and encryption, but then storing private keys on
multiple devices raises questions about what happens if one of them is

From my reading, subkeys appear to be one possible solution to this. If
I understand this right, here's what I think I need to do:

1. Create a new master key, selecting the sign-only option.
2. Do stuff like add additional identities, tweak encryption settings,
   and so on.
3. Create a single encrypt-only subkey.
4. Create multiple sign-only subkeys, on for each device.
5. Generate a revocation certificate for the master key.
6. Send a copy of the master public key to a keyserver.
7. Somehow (I'm not exactly sure how this step is done) export/copy to
   each device the single encryption subkey and the signing subkey for
   that device.
8. Move the master key to a USB drive and put in a room guarded by a
   three-headed dog.

Once this has been done, it would be possible to start building a web
of trust by having people sign my master key, and using my master key
to sign theirs.

If I were to lose my laptop I would have to revoke my encryption subkey
and the device-specific signing subkey. I could then generate a new
encryption subkey and copy it to all my devices. The advantage of this
is that my master key would be unaffected. However, and what I'm not
sure about, is how other people would know about the revocation. Is
there any automatic checking for revoked certificates done by GPG/PGP?
Or would I be relying on people manually re-fetching my certificates
from keyservers?

Has anyone done something like this? Does it make any sense at all?

- olly

More information about the Durham mailing list