How to change (sub)key usage of a PGP key?

Since GnuPG 2.2.6 there's a hidden key-edit subcommand "change-usage" which does exactly that. Relevant commit.

Let's try this subcommand with a test key. Let's create one first:

mkdir /tmp/gpg-change-usage
chmod 700 /tmp/gpg-change-usage
gpg --homedir /tmp/gpg-change-usage --quick-generate-key [email protected] rsa4096 cert 1d

Now notice that this new key is a certification only primary key.

$ gpg --homedir /tmp/gpg-change-usage -k
/tmp/gpg-change-usage/pubring.kbx
---------------------------------
pub   rsa4096 2019-04-04 [C] [expires: 2019-04-05]
      987BE3D9CF90B1C912A165734EBF4D26A937DE4C
uid           [ultimate] [email protected]

Changing usage is a simple as this:

$ gpg --homedir /tmp/gpg-change-usage --edit-key [email protected] 
gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa4096/4EBF4D26A937DE4C
     created: 2019-04-04  expires: 2019-04-05  usage: C   
     trust: ultimate      validity: ultimate
[ultimate] (1). [email protected]

gpg> change-usage
Changing usage of the primary key.

Possible actions for a RSA key: Sign Certify Encrypt Authenticate 
Current allowed actions: Certify 

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? s

Possible actions for a RSA key: Sign Certify Encrypt Authenticate 
Current allowed actions: Sign Certify 

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? q

sec  rsa4096/4EBF4D26A937DE4C
     created: 2019-04-04  expires: 2019-04-05  usage: SC  
     trust: ultimate      validity: ultimate
[ultimate] (1). [email protected]

gpg> save

Notice now that our key gained signing capability.

$ gpg --homedir /tmp/gpg-change-usage -k
/tmp/gpg-change-usage/pubring.kbx
---------------------------------
pub   rsa4096 2019-04-04 [SC] [expires: 2019-04-05]
      987BE3D9CF90B1C912A165734EBF4D26A937DE4C
uid           [ultimate] [email protected]

That's it!


In order to add a new subkey with specific usages, start gpg2 with the --expert switch. Then the options are

Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
Your selection?

Where the last two methods allow toggling each of S, E, A individually. C is only possible for a primary key, the usage of which you can also set with gpg2 --expert --gen-key. I don't know of any way to modify the usage field at a later point however.

Tags:

Gnupg

Pgp

Key Management

Key Usage

Recent Posts