Why do we want to move only the GPG subkeys to Librem Key?

Why do we not do the same with the primary key?

The question has been stated after reading a couple of online smartcard tutorials where it is
only the subkeys that get imported to the card (eg one by @Kyle_Rankin) .

1 Like

My guess is that one reason can be that you want to handle the primary key in a more secure way. Like, it’s stored away in a safe somewhere in a secret location, you do not walk around with it.

If/when your Librem Key gets lost or stolen, you can dig out the primary key and use it to revoke the compromised subkeys.


You are probably right.

And, I guess, you can only store a single bundle of RSA subkeys on one Librem Key.

“Why” questions are often hard to answer. That said, the primary key is your ultimate key-signing key. It doesn’t encrypt/decrypt and is only used to sign other keys. The Librem Key has 3 subkey slots, one for each of the three subkey types: Signing (used when you sign things), Encryption (encrypting/decrypting things), Authentication (used to authenticate to services, such as SSH).

These subkeys are the keys you use on a daily basis. You only use the primary key when you create/revoke/update other keys, and otherwise it’s not used. That means you can store it offline in a safe place. For instance I store mine offline and only bring it out every few years when I need to update the expiry on my Purism GPG key (which is coming up soon!)


Thanks Kyle! It’s a shame these hardware keys are indeed storing only a single bundle of subkeys (if i read you correctly). It would be useful to have one identity associated with my public activity, that which I want to be associated with my public persona. Then, there would be other identities related to activities for which I currently do not (for whichever reason) want my public profile associated with, but I still want them to have a verifiable connection to myself via, eg, a different signing key. But, this means, each time I want another identity, I should get another smartcard product. I can see that becoming a chore :slight_smile: .

1 Like

But, I might be abusing how the key is supposed to work. What I have in mind can be easily accomplished bu a removable drive on which I’d store a gnupg directory which could be linked to .gnupg.

On the other hand, I see these encryption dongles are often used as real authentication devices, not PGP management machines.