
How to restrict the usage flags for primary key-pairs in OpenPGP certificates?

September 7

More than once I have read recommendations to use the primary key-pair in my OpenPGP certificate only to sign sub-key-pairs and not for general daily use (and even to keep the private key stored on a non-network-enabled PC for additional security). I recently noticed that each key-pair in my certificate has flags which define the exclusive purpose for which it may be used. As far as I currently understand (I am having trouble finding documentation), the process of signing sub-key-pairs would be depicted by A (for authentication).

In my newly generated certificate, my primary key-pair has the usage flags SC (signature and certification). Now it is quite easy to change these flags for sub-keys with the GnuPG command line tool, but I cannot find any way to modify the usage flags for the primary key-pair.

What I would like to be able to do, is to limit the primary key-pair to only be able to sign and revoke additional sub-key-pairs in my certificate. Can anyone tell me if this is possible and how to do it?

Answers

You'd need the usage flag certify C, which is required by the OpenPGP specifications anyway. Authentication A is rarely used and means you can authenticate yourself (similar to SSH key based authentication).

Yet it is not possible to change the usage flags in GnuPG (except by hacking the code). From a message by Resul Cetin on that mailing list thread:

Ok, it was quite easy to do (not clean, but it could be done in a fast and hackish way). I just searched for gnupg-1.4.9/g10/getkey.c:parse_key_usage, changed p to non-const and always set (*p) &= ~2;. Afterwards I started my newly compiled hackish gpg --edit-key and set the expiry of my master key. After this procedure I had only the Cert flag set. Thanks Christoph - you are my personal hero of the day :)

To change an existing master key, the gnupg-users thread which Jens quoted covers the only way I've seen of doing it.

To set the master key to only Certify when it is created is a little easier:

bash-3.2$ gpg --gen-key --expert
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
Your selection? 8

Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Sign Certify Encrypt 

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? s

Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Certify Encrypt 

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? e

Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Certify 

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? q
RSA keys may be between 1024 and 16384 bits long.
What keysize do you want? (2048)   C-c C-c
gpg: Interrupt caught ... exiting

bash-3.2$

You will, however, need to create the subkeys manually using the gpg --edit-key command afterwards.
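As an added example, not code from the thread above: the unattended GnuPG equivalent of the --expert menu in the answer (a certify-only primary key, then one subkey per purpose), followed by a check of the usage flags GnuPG reports in its machine-readable listing. It assumes GnuPG 2.1 or later (for --quick-generate-key and --quick-add-key with the usage "cert"); the user ID, the throwaway GNUPGHOME and the sample listings are constructed values.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes GnuPG >= 2.1.
set -eu

# Field 12 of a "pub" record in --with-colons output carries the usage flags:
# lower-case letters are the primary key's own flags, upper-case letters are
# the capabilities of the whole certificate (primary plus subkeys).
# Reads a listing on stdin and prints only the primary key's own flags.
primary_own_flags() {
    awk -F: '$1 == "pub" { f = $12; gsub(/[^a-z]/, "", f); print f; exit }'
}

# Succeeds only when the primary key carries the certify flag and nothing else.
is_certify_only() {
    [ "$(printf '%s\n' "$1" | primary_own_flags)" = "c" ]
}

# Constructed --with-colons listing: certify-only primary (own flag "c") with a
# signing subkey and an encryption subkey, so the whole certificate is E, S, C.
CERT_ONLY_LISTING='pub:u:3072:1:0123456789ABCDEF:1600000000:::u:::cESC::::::23::0:
sub:u:3072:1:FEDCBA9876543210:1600000000:1631536000:::::s::::::23:
sub:u:3072:1:1111111111111111:1600000000:1631536000:::::e::::::23:'

# Constructed listing of a default GnuPG key: primary is "sc" (sign + certify).
DEFAULT_LISTING='pub:u:3072:1:0123456789ABCDEF:1600000000:::u:::scESC::::::23::0:
sub:u:3072:1:1111111111111111:1600000000:1631536000:::::e::::::23:'

# Generates a certify-only primary key in a throwaway keyring, adds one signing
# and one encryption subkey, then verifies the flags with the check above.
# The --passphrase '' keeps the demo non-interactive; use a real one otherwise.
generate_cert_only_key() {
    GNUPGHOME=$(mktemp -d); export GNUPGHOME   # never touches the real keyring
    uid='Example User <user@example.invalid>'  # constructed user ID
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$uid" rsa3072 cert never
    fpr=$(gpg --batch --with-colons --list-keys "$uid" | awk -F: '$1 == "fpr" { print $10; exit }')
    gpg --batch --pinentry-mode loopback --passphrase '' --quick-add-key "$fpr" rsa3072 sign 1y
    gpg --batch --pinentry-mode loopback --passphrase '' --quick-add-key "$fpr" rsa3072 encr 1y
    listing=$(gpg --batch --with-colons --list-keys "$fpr")
    is_certify_only "$listing" && echo "primary $fpr is certify-only; S and E live on subkeys"
}

if [ "${1:-}" = "--run" ]; then
    generate_cert_only_key
fi
```

Run it with `--run` to generate a key; without the argument it only defines the functions, so the flag check can be applied to any saved `gpg --with-colons --list-keys` output.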
