As already introduced in a previous post, OpenPGP keys have different uses: certifying other keys, signing data, encrypting communications or storage, and authentication. To maximize security, I already have a master key which I only use to certify other keys, but the key flags don’t enforce this.

It took me a while to figure out how to persuade gpg to do this, so here’s my cheat sheet:

$ gpg --expert --gen-key
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
Your selection? 8

Possible actions for a RSA key: Sign Certify Encrypt Authenticate 
Current allowed actions: Sign Certify Encrypt 

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection?

You can then toggle off the Sign (S) and Encrypt (E) capabilities and finish (Q) to generate a Certify-only key. You can confirm the result with --edit-key, which lists the usage as C only:

pub  4096R/6C633AAF  created: 2013-02-06  expires: 2013-02-07  usage: C   
                     trust: ultimate      validity: ultimate
[ultimate] (1). Niobos 
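The same result can be reached unattended, and the usage flags checked from machine-readable output rather than by eye. The script below is an added example, not code from the original post: it assumes GnuPG 2.x with --batch key generation (where Key-Usage: cert is the batch equivalent of switching the Sign and Encrypt toggles off), and it parses field 12 of gpg --list-keys --with-colons, where lowercase letters are the key's own capabilities and uppercase letters are the capabilities of the whole key including subkeys. The key id and user id in the sample lines are constructed placeholders.

```sh
#!/bin/sh
# Added example (not from the original post): generate a certify-only
# primary key unattended and verify its usage flags from --with-colons output.
# Assumes GnuPG 2.x. The key id and uid in the samples below are placeholders.
set -eu

# Generate a certify-only RSA primary key into an isolated GNUPGHOME.
# $1 = real name for the user id, $2 = directory to use as GNUPGHOME.
# %no-protection skips the passphrase so the demo runs without a pinentry;
# a real master key should of course be passphrase-protected.
generate_cert_only_key() {
    name=$1
    home=$2
    mkdir -p "$home"
    chmod 700 "$home"
    GNUPGHOME=$home gpg --batch --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 4096
Key-Usage: cert
Name-Real: $name
Expire-Date: 0
EOF
    GNUPGHOME=$home gpg --list-keys --with-colons
}

# Read `gpg --list-keys --with-colons` output on stdin and print the primary
# key's own capability letters (the lowercase part of field 12 of the pub line).
primary_key_caps() {
    awk -F: '$1 == "pub" { gsub(/[^a-z]/, "", $12); print $12; exit }'
}

# Exit 0 if the primary key read from stdin carries only the certify flag.
is_cert_only() {
    [ "$(primary_key_caps)" = "c" ]
}

# Constructed sample output shaped like the key in the post (usage: C only)
# and a second primary key that also carries the sign flag.
SAMPLE_CERT_ONLY='pub:u:4096:1:0000000000000000:1360108800:1360195200::u:::cC::::::::::0:
uid:u::::1360108800::0000000000000000000000000000000000000000::Placeholder Name::::::::::0:'
SAMPLE_SIGN_CERT='pub:u:4096:1:0000000000000000:1360108800:1360195200::u:::scSC::::::::::0:'

# Check the constructed samples; this part runs without gpg installed.
for s in "$SAMPLE_CERT_ONLY" "$SAMPLE_SIGN_CERT"; do
    if printf '%s\n' "$s" | is_cert_only; then
        echo "certify-only"
    else
        echo "not certify-only, flags: $(printf '%s\n' "$s" | primary_key_caps)"
    fi
done

# Optional: `sh thisscript.sh generate "Your Name"` creates a real key in a
# temporary GNUPGHOME and applies the same check to it.
if [ "${1:-}" = "generate" ]; then
    home=$(mktemp -d)
    generate_cert_only_key "${2:-Example Master (demo)}" "$home" > "$home/keys.colons"
    if is_cert_only < "$home/keys.colons"; then
        echo "primary key in $home is certify-only"
    else
        echo "primary key in $home has extra flags: $(primary_key_caps < "$home/keys.colons")"
        exit 1
    fi
fi
```

Running the script as-is only exercises the parser on the two constructed samples; the generate mode is there so the same check can be pointed at a freshly created keyring, or at your own keyring by piping gpg --list-keys --with-colons into is_cert_only.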

PS: in the end, I decided not to go down this route, since I still want the ability to sign stuff with my master key. This will be reserved for “important” things, such as transition statements or key signing policies.