GPG/PGP: Non-OnlyKey subkey of OnlyKey master-key

Context: With PGP, we have master & sub-keys so that you can have a really secure (and therefore inconvenient) master for occasional use (subkey certification, revocation, renewal), and more convenient (and therefore less secure) subkeys for day-to-day use (signing & encryption). The typical recommendation is to generate your keys on a laptop that has never and will never be exposed to the internet, and transfer the subkeys to your daily use devices using a trustworthy storage medium.

OnlyKey (specifically the derived key feature) seems to me to be a natural replacement for the secure master laptop. Meanwhile, OnlyKey is not (currently) a convenient enough way to host subkeys for daily use. The email application that I use on my phone supports PGP using the phone’s secure storage, but does not support interacting with the OnlyKey.

However, I can’t figure out how to accomplish this setup. The OnlyKey Agent documentation shows how to use a derived master & subkey. It shows how to use an OnlyKey-subkey with a non-OnlyKey master key (the opposite of what I want). But there’s no explanation of how to add subkeys (even on-device ones) to a derived OnlyKey master key.

Attempting to add a sub-key using the OnlyKey GPG profile results in gpg hanging indefinitely. I do see that the documentation explicitly states that OnlyKey and non-OnlyKey keys cannot coexist in the same profile, so this isn’t a surprise.

But I can’t imagine why it wouldn’t be possible to do the “generate a new key” part of the gpg --quick-add-key procedure on one profile (which has only the public master), and then complete the remaining “certify the new subkey’s metadata with the master key” part of that procedure on a different profile (which has the secret master). This would effectively circumvent the restriction against mixing key types in a profile. However, it seems that an offline subkey signing request, while theoretically possible, simply hasn’t been implemented in gpg.

I found this guide that explains how to migrate subkeys from one master to another, but it requires creating temporary “dummy” subkeys on the destination master, which isn’t possible in this case.

Is there a way to do this in gpg that I’m unaware of? Or any other tools that could accomplish it? If not, it would be a great feature to have in onlykey-gpg.

I’m not sure I’m clear on what you’re trying to achieve. If I’m right, you want a derived OnlyKey master key (replacing the old secure laptop model), and a subkey that you generate using GPG so the secret is able to be stored and used on a device (daily driver) separate from the OnlyKey and master key? Basically the OnlyKey would sign to create the GPG subkey.

If so, I don’t think this is possible. AFAIK you can create a GPG key and add an OnlyKey subkey, or you can create an OnlyKey derived key and then further OnlyKey subkeys.

I was looking for a similar use case. OnlyKey doesn’t allow you to export secret keys for storage either, and I have a thread asking about that in case OnlyKey doesn’t exist in the future.

The only way I know to do this is using the original secure laptop method. Generate the master key pair (SC) and encryption subkey (E) as normal on a secure laptop (such as using Tails) and import them as stored keys into the OnlyKey. Again on the laptop, generate your further device subkeys and import them into each device. This gives the slight advantage that you have your master keys on the OnlyKey and can use them on any devices that can operate with it in an air-gapped fashion. You also have your device keys for any non-compatible devices. Still, the limitation here is you’ll need to store the master secret offline somewhere to be able to generate new GPG (non-OnlyKey) device subkeys in future. I personally recommend this anyway in case OnlyKey doesn’t exist, or there is some other problem. Offline backups are good.

Finally, I do agree this would be nice, and whilst I understand the OnlyKey secret keys need to be inaccessible outside the device, I’m not clear why it can’t sign to authorise/generate a non-OnlyKey subkey.

– bvs
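
The secure-laptop procedure from the reply above, as an added example that is not part of the thread or of the OnlyKey documentation. It assumes GnuPG 2.1 or later, a constructed user ID, a throwaway keyring, hypothetical function names, and an empty passphrase used only to keep the demo non-interactive; loading the master key into the OnlyKey as stored keys is not shown.

```shell
#!/bin/sh
# Added illustration: generate master (SC) + encryption subkey (E) + one device
# subkey in a throwaway keyring, then export ONLY the device subkey's secret.

# make_device_subkey_bundle "<user id>" <outfile>  -> prints device subkey fingerprint
# Runs in a subshell so the temporary GNUPGHOME never leaks into the caller.
make_device_subkey_bundle() (
    set -e
    uid=$1 out=$2
    GNUPGHOME=$(mktemp -d); export GNUPGHOME; chmod 700 "$GNUPGHOME"
    # Remove the keyring holding the master secret when the subshell exits.
    trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT
    g() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

    # Master key: "sign" is requested; a primary key always carries certify, giving SC.
    g --quick-generate-key "$uid" ed25519 sign never
    master=$(g --with-colons --list-keys "$uid" |
             awk -F: '$1=="fpr"{print $10; exit}')

    # Encryption subkey (E): kept with the master, never sent to the device.
    g --quick-add-key "$master" cv25519 encr 1y
    # Device subkey for the daily driver (a signing subkey in this example).
    g --quick-add-key "$master" ed25519 sign 1y

    # The last fpr record belongs to the most recently added subkey.
    device=$(g --with-colons --list-keys "$master" |
             awk -F: '$1=="fpr"{f=$10} END{print f}')

    # Trailing "!" selects exactly this subkey; the master secret is written
    # as a stub, so the device bundle cannot certify or revoke anything.
    g --armor --export-secret-subkeys "${device}!" > "$out"
    printf '%s\n' "$device"
)

# bundle_has_stub_master <file>: import into a fresh keyring and succeed only
# if the master secret is a stub ("#") and exactly one usable subkey came along.
bundle_has_stub_master() (
    set -e
    GNUPGHOME=$(mktemp -d); export GNUPGHOME; chmod 700 "$GNUPGHOME"
    trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT
    gpg --batch --quiet --import "$1"
    gpg --batch --with-colons --list-secret-keys |
        awk -F: '$1=="sec"{s=$15} $1=="ssb" && $15!="#"{n++}
                 END{exit !(s=="#" && n==1)}'
)
```

Running `bundle_has_stub_master` on the exported file before copying it to a phone confirms the master secret stayed behind.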