is doing my head in at the moment. Got a new 4096-bit key pair set up and realized I might want separate (A)uthenticate, (S)ign and (E)ncrypt subkeys.
Read a bunch of information about what and how to do that... not too sure any longer if it's worth the hassle?

Would you keep a very very private key-pair on an external medium and just certify another key-pair that you use for signing, de-/encrypting and auth - with a limited lifetime?


@pete c't Magazin had a how-to article on how to do this a couple of years ago. It looked pretty straightforward. Sadly I don't remember the details.

@pete Yes, I do that and it's not a big problem, as you rarely change subkeys, so I start my offline computer (that has access to the master keys) once every 3 months or so.

You may also check out hardware tokens (e.g. Yubikeys) to make your subkeys "un-stealable" :)
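The setup described in the question and in the reply above (a certify-only primary key kept offline, plus short-lived S/E/A subkeys for daily use), as an added example that is not part of this thread. It is a POSIX shell script driving GnuPG 2.1 or later; the user ID "Pete Example <pete@example.invalid>", the empty passphrase (for a runnable demo only; protect a real master key), the one-year subkey lifetime and the temporary directories standing in for "external medium" and "daily machine" are all assumptions of the example.

```shell
#!/bin/sh
# Offline master key with separate sign/encrypt/auth subkeys (GnuPG >= 2.1).
# Assumptions: empty passphrase (demo only), 1y subkey expiry, hypothetical user ID.
set -eu

UID_STR="Pete Example <pete@example.invalid>"   # hypothetical identity
EXPIRY="1y"                                    # assumed subkey lifetime
GPG_BATCH="--batch --pinentry-mode loopback --passphrase"   # followed by '' below

# Create the certify-only primary ("cert", never expires) plus three subkeys
# in the keyring at $1 (the home that lives on the offline machine). Prints the
# primary fingerprint on stdout.
setup_offline_master() {
  mkdir -p "$1"; chmod 700 "$1"
  GNUPGHOME="$1" gpg $GPG_BATCH '' \
    --quick-generate-key "$UID_STR" rsa4096 cert never >/dev/null
  fpr=$(GNUPGHOME="$1" gpg --batch --with-colons --list-secret-keys \
        | awk -F: '$1=="fpr"{print $10; exit}')
  for usage in sign encr auth; do        # S, E and A as separate subkeys
    GNUPGHOME="$1" gpg $GPG_BATCH '' \
      --quick-add-key "$fpr" rsa4096 "$usage" "$EXPIRY" >/dev/null
  done
  echo "$fpr"
}

# Copy only the secret subkeys (primary becomes a stub) from master home $1,
# key $2, into the daily-use home $3.
export_daily_keyring() {
  mkdir -p "$3"; chmod 700 "$3"
  GNUPGHOME="$1" gpg $GPG_BATCH '' --export-secret-subkeys "$2" \
    | GNUPGHOME="$3" gpg --batch --import 2>/dev/null
}

# Number of secret subkeys (ssb records) in home $1.
subkey_count() {
  GNUPGHOME="$1" gpg --batch --with-colons --list-secret-keys \
    | awk -F: '$1=="ssb"{n++} END{print n+0}'
}

# Succeeds only if the primary secret key in home $1 is a stub ("sec#"):
# field 15 of the sec record is "#" when the secret part is unavailable.
primary_is_stub() {
  GNUPGHOME="$1" gpg --batch --with-colons --list-secret-keys \
    | awk -F: '$1=="sec"{found=1; stub=($15=="#")} END{exit (found && stub) ? 0 : 1}'
}

# Sign a constructed message with whatever signing key home $1 has (the
# subkey, since the primary is a stub) and verify the detached signature.
sign_and_verify() {
  printf 'constructed test message\n' > "$1/msg.txt"
  GNUPGHOME="$1" gpg $GPG_BATCH '' --yes --detach-sign "$1/msg.txt"
  GNUPGHOME="$1" gpg --batch --verify "$1/msg.txt.sig" "$1/msg.txt" 2>/dev/null
}

# Demo run when gpg is available.
if command -v gpg >/dev/null 2>&1; then
  MASTER=$(mktemp -d); DAILY=$(mktemp -d)
  FPR=$(setup_offline_master "$MASTER")
  export_daily_keyring "$MASTER" "$FPR" "$DAILY"
  echo "primary fingerprint: $FPR"
  echo "subkeys in daily keyring: $(subkey_count "$DAILY")"
  primary_is_stub "$DAILY" && echo "daily keyring holds only a stub of the primary (sec#)"
  sign_and_verify "$DAILY" && echo "detached signature made with the subkey verifies"
  echo "master key home is $MASTER: back it up and keep it off the daily machine"
fi
```

When a subkey expires, the offline home is the only place that can extend it (`gpg --quick-set-expire <fpr> <expiry> <subkey-fpr>`) or add a replacement, which is why the reply above only needs the offline machine every few months; re-export the subkeys afterwards. Moving a subkey onto a YubiKey or similar token is done interactively with `keytocard` inside `gpg --edit-key`, which this script does not automate.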

