I recently generated two new subkeys to put on an external key card. I previously had a master key (usage marked SC) and a single subkey (marked E). This arrangement was worked fine for what I needed in keeping a few local files private. Just now I created two new subkeys using addkey, one signing key and one encryption key. Each of these I transfered to my card using keytocard. That seems to have worked fine and the card does what I expect.
The issue now is I can't figure out how to encrypt a file using my first subkey (key 1). No matter what I specify as a recipient or user (including the subkey id) the resulting file shows up as being encrypted against they key that's now on my card (and only on my card!).
My keyring now looks something like this:
❯❯❯ gpg --list-secret-keys
/home/caleb/.gnupg/pubring.gpg
------------------------------
sec rsa4096/75267693 2014-07-31 [expires: 2016-02-02]
uid [ultimate] Caleb Maclennan <caleb@alerque.com>
ssb rsa4096/B89B1E86 2014-07-31 [expires: 2018-07-30]
ssb> rsa2048/85BD5AD1 2015-10-06 [expires: 2016-10-05]
ssb> rsa2048/DFE6D89D 2015-10-06 [expires: 2016-10-05]
For encrypting I'm running something like this:
❯❯❯ gpg --recipient B89B1E86 -a -e test.txt
But I've tried all of --default-key, --local-user (-u), and --recipient (-r) including in combination. Any way I shake it, decrypting the result tells be it's encoded with my card key instead:
❯❯❯ gpg -d test.txt.asc
gpg: encrypted with 2048-bit RSA key, ID DFE6D89D, created 2015-10-06
"Caleb Maclennan <caleb@alerque.com>"
gpg: public key decryption failed: Card error
gpg: decryption failed: No secret key
What is the proper procedure to encrypt using a specific subkey?
Best Answer
To use specific subkeys, and not have GnuPG to resolve the subkey to a primary key, attach
!to the key. For example, to encrypt for the subkeyDEADBEEF, use--recipient DEADBEEF!.Important note: using short key IDs is not recommended due to collision attacks, instead use long key IDs or fingerprints.