#GPG is doing my head in at the moment. Got a new 4096 bit key-pair set up and realized I might want seperated (A)uthenticate, (S)ign and (E)ncrypt sub-keys.
Read a bunch of information about what and how to do that... not too sure any longer if it's worth the hassle?
Would you keep a very very private key-pair on an external medium and just certify another key-pair that you use for signing, de-/encrypting and auth - with a limited lifetime?
@pete c't Magazin had a how-to article on how to do this a couple of years ago. It looked pretty straightforward. Sadly I don't remember the details.
@pete Yes, I do that and it's not a big problem as you rarely change subkeys so I start my offline computer (that has access to master keys) once in 3 months or so.
You may also check out hardware tokens (e.g. Yubikeys) to make your subkeys "un-stealable" :)
mastodon.cyano.at is one server in the network