
My key setup is as follows:

sec  dsa3072/CA72E53A
     created: 2013-05-12  expires: never       usage: SCA 
     trust: ultimate      validity: ultimate
The following key was revoked on 2016-01-13 by DSA key CA72E53A 
ssb  elg4096/ADBBBE42
     created: 2013-05-12  revoked: 2016-01-13  usage: E   
ssb  rsa4096/6A743003
     created: 2016-01-13  expires: 2018-01-12  usage: E   
ssb  rsa4096/A57F2B30
     created: 2016-01-13  expires: 2018-01-12  usage: S   

I am trying to transition to RSA subkeys as I want to use a Yubikey for my keys, but started out with a DSA/Elgamal key.

But when adding new subkeys I don't get the option to add an RSA (or DSA) key with custom parameters. Is this a result of having a DSA master key?

gpg> addkey 
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
Your selection? 

A workaround I am considering is generating a new keypair just for authentication purposes (RSA/RSA), not publishing the public key and uploading that authentication key onto the Yubikey, but I don't know if that is supported by the Yubikey and if it has other downsides.

Is it possible to have an RSA authentication subkey with a DSA master key or am I trying to do something silly and should I just bite the bullet and transition to a new RSA master key?

I am using GnuPG version 2.1.9.

Jens Erat
Jeroen

1 Answer


You need to activate the --expert mode to select arbitrary combinations of algorithms and capabilities (inside given technical limitations, DSA keys will never be able to have signing capability).

$ gpg --expert --edit-key [key-id]
[snip, key-listing]
gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)

Your selection?

Enter 8 to create an RSA key.

Possible actions for a RSA key: Sign Encrypt Authenticate 
Current allowed actions: Sign Encrypt 

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? 

Now, one after the other, enter e, s and a to disable encryption and signing and enable authentication capabilities. Finally select the key size:

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 

Continue as usual.

Jens Erat
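The interactive --expert walk-through in the answer has a scriptable counterpart, and it helps to verify afterwards that the new subkey really carries only the authenticate capability before loading it onto a card. The script below is an added example, not code from the question or the answer. It assumes a GnuPG release that provides the --quick-add-key command (this arrived in later 2.1.x releases than the 2.1.9 named in the question), that the primary key's full fingerprint is passed as the first argument, and that gpg-agent/pinentry handles the passphrase. The colon-format listing used for the offline check is constructed from the key IDs shown in the question plus a placeholder key ID for the new subkey.

```shell
#!/bin/sh
# Added example: non-interactive equivalent of "gpg --expert --edit-key ... addkey"
# with capabilities toggled to Authenticate only, followed by a check over the
# machine-readable key listing. Not part of the original question or answer.

# Add an RSA 4096 subkey with ONLY the authenticate capability to the primary
# key whose fingerprint is $1, expiring in two years (assumes --quick-add-key
# is available; the agent will ask for the primary key's passphrase).
add_auth_subkey() {
    fpr="$1"
    gpg --batch --quick-add-key "$fpr" rsa4096 auth 2y
}

# Count subkeys in a "gpg --with-colons -K" listing (read from stdin) whose
# capability field (field 12) is exactly "a", i.e. authenticate only.
count_auth_only_subkeys() {
    awk -F: '$1 == "ssb" && $12 == "a" { n++ } END { print n+0 }'
}

# Succeeds (exit 0) when the listing on stdin holds at least one
# authenticate-only subkey; fails otherwise.
has_auth_only_subkey() {
    [ "$(count_auth_only_subkeys)" -ge 1 ]
}

# Constructed sample listing (not real gpg output): DSA primary (algo 17) with
# the revoked Elgamal subkey (algo 16), the RSA E and S subkeys (algo 1) from the
# question, and a new RSA authenticate-only subkey with a placeholder key ID.
sample_listing='sec:u:3072:17:0000000000CA72E53A:1368316800:::u:::scaSCA::::::23::0:
ssb:r:4096:16:0000000000ADBBBE42:1368316800:::::e::::::23:
ssb:u:4096:1:00000000006A743003:1452643200:1515715200:::::e::::::23:
ssb:u:4096:1:0000000000A57F2B30:1452643200:1515715200:::::s::::::23:
ssb:u:4096:1:PLACEHOLDER_AUTHKEY:1452643200:1515715200:::::a::::::23:'

# Stand-alone run: with a fingerprint and gpg present, add the subkey and verify
# the real listing; otherwise only demonstrate the check on the sample listing.
if [ -n "$1" ] && command -v gpg >/dev/null 2>&1; then
    add_auth_subkey "$1"
    gpg --with-colons -K "$1" | has_auth_only_subkey \
        && echo "authenticate-only subkey present on $1"
else
    printf '%s\n' "$sample_listing" | has_auth_only_subkey \
        && echo "sample listing: authenticate-only subkey present"
fi
```

After the subkey exists, `gpg --with-colons -K` is the reliable place to read capabilities: the short listing shows "usage: A", but the colon format is stable for scripting and is what the check above parses.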