Why do we want to move only the GPG subkeys to Librem Key?

kondor · November 19, 2022, 8:39pm

Why do we not do the same with the primary key?

The question has been stated after reading a couple of online smartcard tutorials where it is
only the subkeys that get imported to the card (eg one by @Kyle_Rankin) .

Skalman · November 20, 2022, 9:40am

My guess is that one reason can be that you want to handle the primary key in a more secure way. Like, it’s stored away in a safe somewhere in a secret location, you do not walk around with it.

If/when your Librem Key gets lost or stolen, you can dig out the primary key and use it to revoke the compromised subkeys.

kondor · November 20, 2022, 5:33pm

You are probably right.

kondor · November 21, 2022, 4:18pm

And, I guess, you can only store a single bundle of RSA subkeys on one Librem Key.

Kyle_Rankin · November 21, 2022, 6:01pm

“Why” questions are often hard to answer. That said, the primary key is your ultimate key-signing key. It doesn’t encrypt/decrypt and is only used to sign other keys. The Librem Key has 3 subkey slots, one for each of the three subkey types: Signing (used when you sign things), Encryption (encrypting/decrypting things), Authentication (used to authenticate to services, such as SSH).

These subkeys are the keys you use on a daily basis. You only use the primary key when you create/revoke/update other keys, and otherwise it’s not used. That means you can store it offline in a safe place. For instance I store mine offline and only bring it out every few years when I need to update the expiry on my Purism GPG key (which is coming up soon!)

kondor · November 21, 2022, 6:14pm

Thanks Kyle! It’s a shame these hardware keys are indeed storing only a single bundle of subkeys (if i read you correctly). It would be useful to have one identity associated with my public activity, that which I want to be associated with my public persona. Then, there would be other identities related to activities for which I currently do not (for whichever reason) want my public profile associated with, but I still want them to have a verifiable connection to myself via, eg, a different signing key. But, this means, each time I want another identity, I should get another smartcard product. I can see that becoming a chore .

kondor · November 21, 2022, 7:21pm

But, I might be abusing how the key is supposed to work. What I have in mind can be easily accomplished bu a removable drive on which I’d store a gnupg directory which could be linked to .gnupg.

On the other hand, I see these encryption dongles are often used as real authentication devices, not PGP management machines.