I currently have a SSH key that I've used for a while and I'd like to start using GnuPG with a new keyring. However, given that I've used my key for ages, I would like to still use that key in GPG as the main/primary key. I've tried importing the key via these instructions.
But, I end up with what's considered to be a "subkey". Furthermore, if I try to import it without creating a standard GPG key, GPG doesn't even see this subkey. (I'm assuming that the subkey needs to be signed by the main key first.)
How do I use this key as the main key within secring.gpg?
Best Answer
The simple answer is: You don't.
SSH keys and GnuPG (actually, OpenPGP) keys are completely different, even though both protocols can use RSA key pairs.
And besides, why would you want to do it? Even if you were to use the same key material to make up your PGP key, you'd still need to distribute your key as a PGP key. You likely haven't been distributing your SSH public key to the people you correspond with, so from a key distribution point of view there is no difference: they will need to receive a public key from you. And even if you have been distributing your SSH public key to other people, they would need to take some additional steps to be able to import it into their OpenPGP implementation, which may or may not be easy.
As kasperd quite righly pointed out, there must be only one way to interpret (particularly) a signature. If you were to use the same key for both PGP and SSH, if someone could trick you into signing a specially crafted message (which is an assumed capability in certain signature system attacks) in one, then even if both systems are secure in isolation it might be possible to craft such a message in a way that has one meaning in one of the systems, but a different meaning in the other. That, in itself, would be a vulnerability. (Exploitable? Who knows. But why take the chance?)
Both PGP and SSH key pairs are long-term keys, which are used to secure ephemeral (message and session) symmetric keys, as well as verify authenticity of a remote party. That makes the PGP or SSH private key a much higher value target for an attacker than the corresponding symmetric key. If you use the same key material for both, and an attacker is able to realize that, it only increases the value of a successful attack on that key pair.
Without having looked at either protocol in detail, I imagine that recognizing that the same key material is being used in both would likely be fairly trivial, since the public key is basically transmitted in the clear.
Just generate a new PGP key. If you want to, then make it RSA and of the same length as your SSH key. (No sane person is going to look much closer at it than verifying the fingerprint anyway.) Then distribute the public key to the people you wish to correspond with, as a PGP key. It will be much easier for everyone, and very likely safer, at the cost of a small amount of entropy from your system's random entropy pool which should be quickly replenished anyway.
If you have multiple keys on your secret keyring and want to specify which one should be used by default, use the
default-keyand possiblydefault-recipient{,-self}directives in your ~/.gnupg/gnupg.conf.