# GPG Subkeys

List keys to get your key:

```shell
gpg --list-keys
```

Edit key:

```shell
gpg --edit-key <KEY ID>
```

At prompt, add a new subkey, select signing or encrypting, keysize, and expiry:

```shell
gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Wed 04 Sep 2019 10:51:34 PM PDT
Is this correct? (y/N) y
Really create? (y/N) y
```

Repeat for encrypting key if you need one.

### Exporting the Subkey(s)

Get your new subkey's ID you want to export.

```shell
gpg --list-keys --with-subkey-fingerprint <KEY ID>
```

Export the subkey, keeping the `!`, can list multiple keys:

```shell
gpg -a --export-secret-subkeys <subkey id>! [ <subkey id2>!] > temp_directory/subkey.gpg
```

To change the passphrase, import the key into a temporary folder.

```shell
mkdir temp_directory/gpg
gpg --homedir temp_directory/gpg --import temp_directory/subkey.gpg
```

Edit the key, and change the passphrase.

```shell
gpg --homedir temp_directory/gpg --edit-key <user-id>
```

```shell
> passwd
> save
```

Note: You will get a warning "error changing passphrase", but it can be ignored.

Now export again as the new, altered subkey.

```shell
gpg --homedir temp_directory/gpg -a --export-secret-subkeys [subkey id]! > temp_directory/subkey.altpass.gpg
```

### Importing The Subkey(s)

Now, on a new system, the subkeys can be imported:

```shell
gpg --import subkey.altpass.gpg
```

Checking `gpg --list-secret-keys` will show a `#` after sec, meaning the master key isn't present:

On new, subkey only system:

```shell
/home/john/.gnupg/pubring.kbx
-----------------------------

sec#  rsa4096 2017-05-17 [SC]
      <KEY ID>
uid           [ unknown] John Ramsden (<comment>) <email>
uid           [ unknown] John Ramsden (<comment>) <email>
ssb   rsa4096 2017-09-05 [S] [expires: 2019-09-05]
ssb   rsa4096 2017-09-05 [E] [expires: 2019-09-05]
```

References:

* [Arch Wiki - GnuPG](https://wiki.archlinux.org/index.php/GnuPG#Edit_your_key)
* [Debian - Subkeys](https://wiki.debian.org/Subkeys)
* [void.gr](https://www.void.gr/kargig/blog/2013/12/02/creating-a-new-gpg-key-with-subkeys/)