
Possible to Create Subkeys for Master GPG Key? #378

Open
talosgt opened this issue Feb 21, 2022 · 8 comments

Comments

@talosgt

talosgt commented Feb 21, 2022

I want to create a subkey for my master key, but I only found this comment by Roman:

The --subkey feature is usually used to add TREZOR-based GPG keys to non-TREZOR-based existing GPG keys, e.g. see the following example for adding NISTP-256 TREZOR-based subkeys to existing RSA-2048 non-TREZOR-based GPG identity: https://github.com/romanz/trezor-agent/blob/master/doc/README-GPG.md#generate-gnupg-subkeys.

Am I only able to use the master key created by my Trezor to use for GPG? I would like to create individual keys for signing, authenticating, etc and leave the master key alone.

Even if I try to create subkeys for an existing NON-Trezor key, it doesn't seem to work as I get errors.

If I create a GPG key pair on my regular mac desktop, I am able to see it with "gpg -k". If I update my environment .bash_profile with export GNUPGHOME=~/.gnupg/trezor, I will not see this key that I created on my mac and only see the keys I created with the trezor. If I want to go by what Roman had said above, where creating subkeys is really for existing NON-Trezor-based keys, then I'm unable to do so because these are in 2 different files.

Is there a way to create subkeys and use them normally?

I also noticed I'm unable to choose the key size, like 4096, is that because it's tied with the seed phrase of the Trezor when I initialized it?

Thanks!

@doolio
Contributor

doolio commented Sep 3, 2023

Is this still not possible?

@talosgt
Author

talosgt commented Sep 3, 2023

I stopped looking into this for the Trezor and decided to use Yubikeys instead.

https://youtu.be/rGZtlgNhAVU?si=x-l88rysSXnN1qTp

@doolio
Contributor

doolio commented Sep 3, 2023

OK, thanks.

@SlugFiller
Contributor

Subkey creation assumes you have a non-Trezor primary key in a different home folder from a Trezor subkey. The assumption is that you'll never need both at the same time. Generally, a primary key is intended to be on an offline computer anyway, while only the subkey is used regularly, so this assumption is valid. To violate this assumption, you would need the trezor-gpg-agent to be able to forward requests to another agent in the event that a requested key is not a Trezor key.

For much the same reason, setting up a non-Trezor subkey to a Trezor primary will not work. The agent cannot process a GENKEY request, and would need to somehow forward that request to the default agent or another home directory.
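The layout SlugFiller describes (the primary key kept in its own offline homedir, only the subkeys in the homedir used day to day) is ordinary GnuPG practice and can be reproduced with stock gpg and no Trezor. The script below is an added example for this thread, not code from trezor-agent or from any participant. It creates two throwaway homedirs under mktemp, uses a constructed identity "Example User <example@example.invalid>", and the keys carry an empty passphrase only to keep the demo non-interactive. It also shows the consequence SlugFiller points to: once the daily homedir holds only a stub of the primary, signing still works there but adding another subkey does not, because that operation needs the primary's secret key.

```shell
#!/bin/sh
# Added example: "offline primary, online subkeys" with stock GnuPG only.
# Two scratch GNUPGHOME directories are created; ~/.gnupg is never touched.
set -eu

PRIMARY_HOME="$(mktemp -d)"   # where the certifying primary key lives ("offline")
DAILY_HOME="$(mktemp -d)"     # what you would point GNUPGHOME at for daily use
UID_STR="Example User <example@example.invalid>"   # constructed identity

cleanup() {
    gpgconf --homedir "$PRIMARY_HOME" --kill gpg-agent 2>/dev/null || true
    gpgconf --homedir "$DAILY_HOME" --kill gpg-agent 2>/dev/null || true
    rm -rf "$PRIMARY_HOME" "$DAILY_HOME"
}
trap cleanup EXIT

# gpg invocation with the options that keep the demo non-interactive.
# Empty passphrase is for the demo only; a real primary key should have one.
g() { gpg --batch --pinentry-mode loopback --passphrase '' "$@"; }

# 1. Certify-only Ed25519 primary in the "offline" homedir (no subkeys yet).
g --homedir "$PRIMARY_HOME" --quick-gen-key "$UID_STR" ed25519 cert never >/dev/null 2>&1

# Primary fingerprint: first "fpr" record of the colon-separated listing.
FPR="$(gpg --homedir "$PRIMARY_HOME" --with-colons --list-secret-keys \
        | awk -F: '$1=="fpr"{print $10; exit}')"

# 2. Sign, encrypt and auth subkeys, added while the primary secret is present.
for usage in sign encr auth; do
    case $usage in encr) algo=cv25519 ;; *) algo=ed25519 ;; esac
    g --homedir "$PRIMARY_HOME" --quick-add-key "$FPR" "$algo" "$usage" 1y >/dev/null 2>&1
done

# 3. Move only the subkeys' secret material (plus the public key) to the daily homedir.
g --homedir "$PRIMARY_HOME" --export-secret-subkeys "$FPR" \
  | gpg --homedir "$DAILY_HOME" --batch --import >/dev/null 2>&1
gpg --homedir "$PRIMARY_HOME" --export "$FPR" \
  | gpg --homedir "$DAILY_HOME" --batch --import >/dev/null 2>&1

# True when the daily homedir has the three subkeys but only a stub of the primary.
# In --with-colons output, field 15 of a "sec" record is "#" for a stub
# (what "gpg -K" prints as "sec#").
primary_is_stub() {
    gpg --homedir "$DAILY_HOME" --with-colons --list-secret-keys \
      | awk -F: '$1=="sec"{ if ($15=="#") ok=1 } $1=="ssb"{n++} END{ exit !(ok && n==3) }'
}

# Signing from the daily homedir works: gpg selects the signing subkey.
can_sign_from_daily() {
    printf 'hello\n' | g --homedir "$DAILY_HOME" --local-user "$FPR" --detach-sign >/dev/null 2>&1
}

# Adding a subkey from the daily homedir fails: it requires the primary's secret key.
addkey_from_daily_fails() {
    ! g --homedir "$DAILY_HOME" --quick-add-key "$FPR" ed25519 sign 1y >/dev/null 2>&1
}

if primary_is_stub && can_sign_from_daily && addkey_from_daily_fails; then
    echo "daily homedir: subkeys usable, primary is a stub, addkey correctly refused"
fi
```

Run it with sh; it cleans up its own homedirs and agents on exit. The same split is what the trezor-agent README's separate GNUPGHOME achieves; the difference is that here both homedirs are served by ordinary gpg-agent, so the "forward to another agent" problem discussed above never arises.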

@doolio
Contributor

doolio commented Sep 11, 2023

OK, but could you in theory create a subkey for a Trezor primary key by using the following:

$ gpg --edit-key '<Trezor primary key fingerprint>'
gpg> addkey

where $ is my normal terminal prompt and gpg> is my gpg CLI prompt. Now in my case, my Trezor primary key is a nistp256 key and the options I see are as follows:

[image]

Not sure why I don't see ECDH, ECDSA or EDDSA as options considering:

[image]

@SlugFiller
Contributor

When I tested, I got the options

Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
  (10) ECC (sign only)
  (12) ECC (encrypt only)
  (14) Existing key from card

So ECC (=ECDSA/ECDH) should be present.

The issue is that the process fails later. First, because of a bug where unrecognized operations and other errors in the agent only log an error but do not send an error to the client, so the client simply freezes instead of continuing.

And second, because, as I've mentioned above, even if you continued, you couldn't process the GENKEY request directly, because that would require trezor-pgp to basically be a fully-featured agent capable of generating, storing, and signing local (non-hardware) keys.

IMO, the most correct way to handle it is to forward the request to a different agent. Which is something I might work on in an upcoming PR, provided my existing one would be merged. (My OS choice means I can't work on anything other than on top of that PR)

Another option is to do it via a trezor-gpg specific command that simply takes a pubkey (e.g. generated by ssh-keygen) and transforms it into a subkey (and certifies it) that can be imported into another GPG homedir (which can then be used as the main, since you don't need to sign with your primary).

@doolio
Contributor

doolio commented Sep 11, 2023

When I tested, I got the options

Interesting and which version of gpg are you running?

The issue is that the process fails later.

I see. Thanks for the detailed explanation.

@SlugFiller
Contributor

***>gpg --version
gpg (GnuPG) 2.4.3
libgcrypt 1.10.2
Copyright (C) 2023 g10 Code GmbH
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ***
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
