GPG Subkeys

List keys to get your key:

gpg --list-keys

Edit key:

gpg --edit-key <KEY ID>

At prompt, add a new subkey, select signing or encrypting, keysize, and expiry:

gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Wed 04 Sep 2019 10:51:34 PM PDT
Is this correct? (y/N) y
Really create? (y/N) y

Repeat for encrypting key if you need one.

Exporting the Subkey(s)

Get your new subkey's ID you want to export.

Export the subkey, keeping the !, can list multiple keys:

To change the passphrase, import the key into a temporary folder.

Edit the key, and change the passphrase.

Note: You will get a warning "error changing passphrase", but it can be ignored.

Now export again as the new, altered subkey.

Importing The Subkey(s)

Now, on a new system, the subkeys can be imported:

Checking gpg --list-secret-keys will show a # after sec, meaning the master key isn't present:

On new, subkey only system:

References:

• Arch Wiki - GnuPG

• Debian - Subkeys

• void.gr