How to have a different pass phrase for a gpg subkey?

16

5

I need to automate a deployment process, and the tool will sign the release artifacts automatically. My keyring has a primary key, which I use only for creating subkeys, and two subkeys: one for signing and one for encryption.

Currently there is a single passphrase for all the keys. I don't want to specify this passphrase in a configuration file, as that would risk the primary key as well.

So I thought I'd set a different passphrase for the subkey by doing:

$ gpg --edit-key [subkey-id]
gpg> passwd
gpg> save

But this changed the passphrase for the other keys as well.

How can I set a separate passphrase for individual keys?

Kshitiz Sharma

Posted 2015-02-19T14:40:21.230

Reputation: 569

Answers

14

Setting up individual passphrases for subkeys is not possible with GnuPG. But there's a workaround, which even looks like a good-practice idea in this case:

  1. Export the subkey of choice (in the example, the subkey has ID 0xDEADBEEF). Don't forget the exclamation mark; it makes sure GnuPG actually works with the subkey itself and not with the primary key it belongs to!

    gpg --export-secret-subkeys 0xDEADBEEF! >subkeys.pgp
    

    The subkey will have the public primary key and a private primary "key-stub" attached, but not the private primary key itself.

  2. Import the subkey into another GnuPG home directory. The example expects that you're in your project root directory and have a folder etc in there for stuff like this keyring.

    gpg --homedir ./etc/gnupg --import subkeys.pgp
    
  3. Change the passphrase of the separated subkey.

    gpg --homedir ./etc/gnupg --edit-key 0xDEADBEEF
    gpg> passwd
    gpg> save

  4. Instead of using your "normal" keyring, always refer to the separate GnuPG directory as mentioned above.

As an alternative, you might want to consider creating a project key which you sign with your own key. This might have the advantage that other contributors/users could also sign the key (and thus certify that this indeed is the key used for the project), and handing over the project might be easier in case somebody else takes over maintenance.

Jens Erat

Posted 2015-02-19T14:40:21.230

Reputation: 14 141

This does not work with GnuPG 2.2.4. It fails saying "Need the secret key to do this." Very sad :'( – steinybot – 2018-10-08T10:49:10.117

So I need to use passwordless gpg keys for automatic repo signing? – SuperSandro2000 – 2019-11-21T10:43:58.230

No, you can also pre-cache the passphrase using gpg-agent. Have a look at gpg-preset-passphrase. – Jens Erat – 2019-11-25T22:17:03.993
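The pre-flight check a release pipeline should run against the separate keyring from step 4, as an added example that is not part of the answer or of GnuPG: it parses the machine-readable `--with-colons` listing and refuses to proceed unless the primary secret key is only the stub the answer mentions (shown as `sec#` in the human-readable listing) and exactly one signing subkey is present. The two listings embedded below are constructed for the example in the shape gpg prints (field 15 of a `sec`/`ssb` record holds `#` for a stub, `--with-keygrip` adds `grp` records); the key IDs, fingerprints, keygrips and the "Release Bot" user ID are made up.

```python
"""Pre-flight check for a deployment keyring that should hold only a subkey.

Added example (not from the answer or from GnuPG): parses gpg's
--with-colons secret-key listing, confirms that the primary secret key is a
stub and selects the single signing subkey a pipeline may use.
"""
import json
import subprocess
import sys


def secret_listing(homedir: str) -> str:
    """Run gpg against one home directory and return the colon listing."""
    cmd = ["gpg", "--homedir", homedir, "--batch", "--with-colons",
           "--with-keygrip", "--list-secret-keys"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def parse_secret_listing(listing: str) -> list:
    """Collect sec/ssb records with their fpr/grp records (fields per doc/DETAILS:
    5 = key ID, 12 = capabilities with lowercase letters for the key itself,
    15 = '#' when only a stub of the secret key is stored)."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("sec", "ssb"):
            keys.append({"kind": f[0], "keyid": f[4], "caps": f[11],
                         "stub": len(f) > 14 and f[14] == "#",
                         "fpr": None, "keygrip": None})
        elif f[0] == "fpr" and keys:
            keys[-1]["fpr"] = f[9]
        elif f[0] == "grp" and keys:
            keys[-1]["keygrip"] = f[9]
    return keys


def deployment_keyring_check(listing: str) -> dict:
    """Policy: no usable primary secret key, exactly one usable signing subkey."""
    keys = parse_secret_listing(listing)
    problems = [f"primary secret key {k['keyid']} is present; export the subkey "
                "alone with --export-secret-subkeys KEYID!"
                for k in keys if k["kind"] == "sec" and not k["stub"]]
    signers = [k for k in keys
               if k["kind"] == "ssb" and "s" in k["caps"] and not k["stub"]]
    if len(signers) != 1:
        problems.append(f"expected exactly one signing subkey, found {len(signers)}")
    chosen = signers[0] if len(signers) == 1 else None
    return {"ok": not problems,
            "problems": problems,
            # keygrip: the identifier gpg-preset-passphrase takes
            "keygrip": chosen["keygrip"] if chosen else None,
            # trailing '!' pins gpg to this subkey for --local-user/--default-key
            "sign_with": chosen["fpr"] + "!" if chosen else None}


# Constructed listings in the shape gpg prints; key IDs, fingerprints and
# keygrips are made up.  First: the separate keyring after steps 1 and 2.
DEPLOY_LISTING = """\
sec:u:2048:1:0123456789ABCDEF:1424356821::::::scESC:::#:::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
grp:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:u::::1424356821::0000000000000000000000000000000000000000::Release Bot <release@example.invalid>::::::::::0:
ssb:u:2048:1:FEDCBA9876543210:1424356900::::::s::::::23:
fpr:::::::::000000000000000000000000FEDCBA9876543210:
grp:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
"""

# Second: the maintainer's own keyring with the primary key and both subkeys.
MAIN_LISTING = """\
sec:u:2048:1:0123456789ABCDEF:1424356821::::::scESC::::::23::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
grp:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:u::::1424356821::0000000000000000000000000000000000000000::Release Bot <release@example.invalid>::::::::::0:
ssb:u:2048:1:FEDCBA9876543210:1424356900::::::s::::::23:
fpr:::::::::000000000000000000000000FEDCBA9876543210:
grp:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
ssb:u:2048:1:1122334455667788:1424356900::::::e::::::23:
fpr:::::::::0000000000000000000000001122334455667788:
grp:::::::::CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:
"""

if __name__ == "__main__":
    # with a home directory as argument the real keyring is checked;
    # without one the constructed deployment listing is used
    text = secret_listing(sys.argv[1]) if len(sys.argv) > 1 else DEPLOY_LISTING
    result = deployment_keyring_check(text)
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["ok"] else 1)
```

The returned keygrip is the identifier `gpg-preset-passphrase --preset` (the comment above) takes, with the passphrase read from standard input and `allow-preset-passphrase` set in that home directory's gpg-agent.conf; the returned `sign_with` value keeps the trailing `!` so that `--local-user` or `--default-key` selects the subkey itself rather than letting gpg pick one from the primary key's block.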

5

A very out-of-date (2013) gnupg.org mail archive post explains an awkward workaround for making a separate password for a subkey.
It implies the constraint is not within the data structure of the key set (i.e. the master/subkey grouping) but only in the software interface for constructing and modifying the key set.

A quote from the reference:

Hi,

is it possible to have a master key and several subkeys with the subkeys having a different (e.g. shorter) passphrase than the master key?

What you are probably looking for is an offline mainkey (see --export-secret-subkeys). But the answer is: yes. gpg-agent does not care about the connection of keys. It asks you even for the same passphrase several times (for different components of the same key).

But GnuPG does not support this directly.

1) Export the secret key (--export-secret-keys without --armor)

2) change the passphrase

3) Export again (to a different file, of course)

4) Use gpgsplit on both files (in different directories). The result looks like this:

    000001-005.secret_key
    000002-013.user_id
    000003-002.sig
    000004-007.secret_subkey
    000005-002.sig

5) Now you mix the components of the two groups:

    mkdir combined
    mv a/000001* a/000002* a/000003* combined/
    mv b/000004* b/000005* combined/
    cd combined/
    cat * > different_passphrases.gpg

6) Delete the key from secring: --delete-secret-key

7) Import the new one: gpg --import different_passphrases.gpg

Hauke Laging

I have not personally confirmed this operation - just reporting what I have read.

The lack of specification and discussion in GnuPG documentation concerning this important topic is disappointing.

Craig Hicks

Posted 2015-02-19T14:40:21.230

Reputation: 181
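What the quoted recipe relies on, shown at the packet level as an added example (not from the mail, the answer or GnuPG): an exported secret keyblock is a plain sequence of OpenPGP packets, and every secret-key and secret-subkey packet carries its own string-to-key (S2K) specifier, salt and encrypted secret material, so the passphrase protection is per packet, not per keyblock. The code parses the packet framing of RFC 4880, names the packets the way gpgsplit does, reads the S2K fields of each key packet, and performs step 5 of the recipe by taking the primary key, user ID and certification signature from one export and the secret subkey plus binding signature from the other. The two "exports" it works on are constructed in the code with stand-in key material and signatures: only the packet framing and the S2K fields are laid out as the RFC specifies, which is all the recombination touches. One caveat on step 6: the secring only exists in GnuPG 1.x and 2.0; GnuPG 2.1 and later keep each secret key in its own file under private-keys-v1.d, named by keygrip.

```python
"""Packet-level view of the gpgsplit / cat recipe (added example, not GnuPG code)."""
import struct

# gpgsplit's suffixes for the packet types found in a secret keyblock
TAG_NAMES = {2: "sig", 5: "secret_key", 7: "secret_subkey", 13: "user_id"}


def parse_packets(data: bytes) -> list:
    """Split a binary OpenPGP stream into (tag, body) pairs (RFC 4880 4.2)."""
    packets, i = [], 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError(f"offset {i}: not a packet header")
        if ctb & 0x40:                                  # new-format header
            tag, i = ctb & 0x3F, i + 1
            first = data[i]
            if first < 192:                             # one-octet length
                length, i = first, i + 1
            elif first < 224:                           # two-octet length
                length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
            elif first == 255:                          # five-octet length
                length, i = struct.unpack(">I", data[i + 1:i + 5])[0], i + 5
            else:
                raise ValueError("partial body lengths do not occur in key material")
        else:                                           # old-format header
            tag, ltype, i = (ctb >> 2) & 0x0F, ctb & 0x03, i + 1
            if ltype == 3:
                raise ValueError("indeterminate length is not valid for key packets")
            size = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i:i + size], "big"), i + size
        packets.append((tag, data[i:i + length]))
        i += length
    return packets


def new_packet(tag: int, body: bytes) -> bytes:
    """Frame a body with a new-format header."""
    n = len(body)
    if n < 192:
        hdr = bytes([n])
    elif n < 8384:
        hdr = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        hdr = b"\xff" + struct.pack(">I", n)
    return bytes([0xC0 | tag]) + hdr + body


def serialize(packets: list) -> bytes:
    """The 'cat * > different_passphrases.gpg' step."""
    return b"".join(new_packet(tag, body) for tag, body in packets)


def gpgsplit_names(packets: list) -> list:
    """File names gpgsplit writes: 000001-005.secret_key, 000002-013.user_id, ..."""
    return [f"{n:06d}-{tag:03d}.{TAG_NAMES.get(tag, 'unknown')}"
            for n, (tag, _) in enumerate(packets, 1)]


def s2k_info(body: bytes) -> dict:
    """How a v4 secret (sub)key packet protects its secret MPIs (RFC 4880 5.5.3)."""
    if body[0] != 4:
        raise ValueError("only version 4 key packets are handled")
    algo, i = body[5], 6
    for _ in range({1: 2, 2: 2, 3: 2, 16: 3, 17: 4}[algo]):   # skip the public MPIs
        bits = struct.unpack(">H", body[i:i + 2])[0]
        i += 2 + (bits + 7) // 8
    usage, i = body[i], i + 1
    if usage == 0:
        return {"protected": False}
    if usage not in (254, 255):
        raise ValueError("legacy protection (cipher id as usage octet) not handled")
    cipher, s2k_type, hash_algo = body[i], body[i + 1], body[i + 2]
    i += 3
    salt = body[i:i + 8].hex() if s2k_type in (1, 3) else None   # salted / iterated+salted
    i += 8 if s2k_type in (1, 3) else 0
    count = body[i] if s2k_type == 3 else None
    return {"protected": True, "usage": usage, "cipher": cipher,
            "s2k_type": s2k_type, "hash": hash_algo, "salt": salt, "count": count}


def combine(export_a: bytes, export_b: bytes) -> list:
    """Step 5: primary key, user ID and certification from A; subkey and binding from B."""
    a, b = parse_packets(export_a), parse_packets(export_b)
    if [t for t, _ in a] != [t for t, _ in b]:
        raise ValueError("the two exports do not have the same packet layout")
    cut = next(n for n, (tag, _) in enumerate(a) if tag == 7)
    return a[:cut] + b[cut:]


def constructed_export(salt: bytes, fill: int) -> bytes:
    """Stand-in keyblock: framing and S2K fields as specified, the rest is filler."""
    mpi = lambda v: v.bit_length().to_bytes(2, "big") + v.to_bytes((v.bit_length() + 7) // 8, "big")

    def key_packet(tag: int) -> bytes:
        public = (bytes([4]) + struct.pack(">I", 0x54E5F0F1) + bytes([1])   # v4, created, RSA
                  + mpi((0xC0FFEE << 2000) | 1) + mpi(65537))
        # usage 254 (S2K + SHA-1 check), AES-256 (9), iterated+salted S2K (3) over
        # SHA-256 (8), 8-octet salt, count octet, then 16-octet IV and ciphertext
        protected = (bytes([254, 9, 3, 8]) + salt + bytes([0xE0])
                     + bytes([fill]) * 16 + bytes([fill]) * 64)
        return new_packet(tag, public + protected)
    cert_sig = new_packet(2, bytes([4, 0x13, 1, 8]) + bytes([fill]) * 32)   # v4, type 0x13
    bind_sig = new_packet(2, bytes([4, 0x18, 1, 8]) + bytes([fill]) * 32)   # v4, type 0x18
    return (key_packet(5) + new_packet(13, b"Release Bot <release@example.invalid>")
            + cert_sig + key_packet(7) + bind_sig)
```

Run against a real `--export-secret-subkeys` or `--export-secret-keys` output (without `--armor`) the parser and the naming work unchanged; `s2k_info` only knows the RSA, Elgamal and DSA public-key layouts, so ECC key packets (an OID plus a point, and KDF parameters for ECDH) would need an entry in its table. The salts reported for the two key packets of the combined block come from different exports, which is exactly the state the recipe produces: two passphrases in one keyblock.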